Last week, we covered a vulnerability in the File Manager plugin installed on over 700,000 WordPress sites. By Friday, September 4, 2020, we recorded attacks on over 1.7 million sites, and by today, September 10, 2020 the total number of sites attacked has increased to over 2.6 million. We’ve seen evidence of multiple threat actors taking part in these attacks, including minor efforts by the threat actor previously responsible for attacking millions of sites, but two attackers have been the most successful in exploiting vulnerable sites, and at this time, both attackers are password protecting vulnerable copies of the
An early bird stealing passwords
Our site cleaning team has found numerous indicators that the most active of these attacks are the work of a Moroccan threat actor known as “bajatax” which has historically stolen credentials from PrestaShop sites. These indicators include simple files containing only the string “bajatax” as well as modifications to the original vulnerable
connector.minimal.php file designed to lock out all other attackers, containing a
$content="by bajatax” line of code. Logs from infected sites indicate these files are being added by some of the most active attacking IPs, and we were able to verify that this threat actor is behind the
hardfile.php IOCs mentioned in our initial post. This attacker was the first to attack this vulnerability at scale.
Once a site is infected, the “bajatax” attacker adds malicious code that uses the Telegram messenger’s API to exfiltrate the credentials of any user logging into the site. This code is added to the WordPress core
user.php file. If WooCommerce is installed, the
class-wc-form-handler.php files will also be modified to exfiltrate user credentials. These credentials could then be resold or used to gain access to other accounts using the same credentials.
We’ve found IOCs from this threat actor on a substantial number of sites. Despite this attacker’s efforts to lock out other hackers, they haven’t always managed to get their foot in the door first, but we’ve seen them make regular attempts to update the passwords on both the vulnerable
connector.minimal.php file and on other files they’ve added to allow additional upload capability, while leaving the credential scraping functionality in place which consistently sends to the same Telegram chat ID of 1110165405.
Our Threat Intelligence team has been hard at work adding malware signatures to detect Indicators of Compromise by the bajatax threat actor, and these have been available to Wordfence Premium users starting September 8, 2020. These signatures will be released to sites still using the free version of Wordfence after 30 days, starting October 8, 2020.
A second attacker scattering backdoors
The most prevalent single indicators of compromise we found are an infector,
feoidasf4e0_index.php, with an MD5 hash of
6ea6623e8479a65e711124e77aa47e4c, and a backdoor inserted by this infector. In this case we are providing the MD5 hash since this file is extremely consistent, and as such the MD5 can be a useful indicator of compromise.
This attacker is using the
mkfile method outlined in our initial article rather than the
upload method favored by the “bajatax” threat actor. This attacker is also adding password protection to the vulnerable
connector.minimal.php file in an effort to lock out other attackers, though our attack data indicates this threat actor is using a consistent password.
feoidasf4e0_index.php file inserts two copies of the second backdoor with randomized filenames ending in
_index.php whenever it is accessed. One copy is placed in the webroot, and one in a randomized writable folder on the site. Both backdoors have the same MD5 of
3f60851c9f7e37c0d8817101d2212c68. While the backdoor in question has been in use for several years, the fact that multiple copies might be scattered across an infected site would help this attacker maintain persistence in the absence of a thorough scanning solution. We’ve also seen additional copies of this backdoor with different MD5 hashes added by this attacker; these are simply the most common variants.
Once these backdoors are in place, the attacker is using them to make additional modifications to core WordPress files, in some cases by using obfuscated code to include separate backdoors disguised as
.ico files. While the prevalence of the
feoidasf4e0_index.php file appears to be declining, the secondary backdoors added by this file are still extremely common, indicating that this attacker has managed to achieve some degree of persistence.
feoidasf4e0_index.php file itself appears to be a very slightly modified version of an infector used in previous campaigns that primarily added cryptominers and SEO spam to various sites, so these are viable monetization routes for this threat actor, though they could also simply lease access to a botnet of infected sites under their control.
Other actors abound
Our site cleaning team has cleaned a number of sites compromised by this vulnerability, and in many cases, malware from multiple threat actors is present. The aforementioned threat actors have been by far the most successful due to their efforts to lock out other attackers, and are collectively using several thousand IP addresses in their attacks. Nonetheless, we’ve seen attacks against this vulnerability from over 370,000 separate IP addresses.
There has been almost no overlap between the IPs adding and accessing the
feoidasf4e0_index.php file and the IPs adding and accessing the bajatax “hardfork” files. The single exception is the IP
126.96.36.199, which appears to be a third party opportunistically checking for the presence of both of these backdoors and then attempting to add a backdoor of its own, without much success. As more and more users update or remove the File Manager plugin, control of any infected sites will likely be split between these two threat actors.
In today’s article, we discussed the most common infections we’re seeing on sites where the File Manager vulnerability has been exploited as well as the predominant actors involved. We’ve also managed to link at least one of the attackers to a known threat actor and determine likely paths to monetization. If you or anyone you know has had a vulnerable version of the File Manager plugin installed, we urge you to scan your site for malware using a security solution such as Wordfence. If your site has been compromised by the “bajatax” threat actor, it is critical that you completely clean your site before contacting all of your users and advising them that their credentials may have been compromised, especially if you are running an e-commerce site.