Massive WordPress redirect campaign spotted targeting tagDiv themes and ultimate member plugins

News by Robert Abel

The main contributor to the infections are the two year old vulnerability in tagDiv themes and the newly discovered vulnerability in a popular Ultimate Member plugin.

Sucuri researchers have uncovered what they described as a massive WordPress redirecting campaign targeting vulnerable tagDiv themes and Ultimate Member plugins.

The main contributors to the infections are the two-year-old vulnerability in tagDiv's themes and the newly discovered vulnerability in a popular Ultimate Member plugin, which boasts 100,000+ active installations, according to a 22 August blog post.

"When redirected, users see annoying pages with random utroro[.]com addresses and fake reCAPTCHA images," researchers said in the post. "The messages and content try to convince visitors to verify and subscribe to browser notifications without disclosing the purpose of this behaviour."

The tagDiv themes vulnerability was patched shortly after it was discovered in 2017 and the Ultimate Member plugin was recently patched on 9 August, 2018. Many of the attacks were spotted in the wild before the patches were issued.

Threat actors probed the WordPress sites for the Ultimate Member plugin and then used the vulnerability to upload a fake image, usually an image file with added PHP code. The hackers then used this file to create a backdoor to inject a variety of malicious code into files on the server.

"Every few days, hackers return and reuse the n.php backdoor (or upload a new one) to reinfect websites with a new revision of the malicious code," researchers said in the post. "Because of the poor quality of the injector, you may find different versions of the malware sitting in the same file."

The attack is carried out by malware scripts injected from one of two sites with one being used in the initial stages of the campaigns and the other being introduced about a week later.

Researchers were able to analyse both malicious scripts due to poor coding on behalf of the threat actors who didn't remove the previously injected code when they reinjected the websites with the new version of the malware.

Researchers said successful infections will be limited to files that belong to one server account. However, if the account has more than one site, all the sites will be infected even if they don't have the Ultimate Member plugin or any vulnerable components adding that non-WordPress sites can also be infected in this process.

To prevent infection researchers are instructed to ensure they update all themes and plugins, clean and harden all the sites that share the same server account, and delete all PHP files in subdirectories in case of Ultimate Member exploitation.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews

Interview - Everyone has an Achilles heel: The new security paradigm

How can we defend networks now that the perimeter has all but disappeared?
Brought to you in partnership with ExtraHop