Attackers Fight for Control of Sites Targeted in File Manager Vulnerability

Last week, we covered a vulnerability in the File Manager plugin installed on over 700,000 WordPress sites. By Friday, September 4, 2020, we recorded attacks on over 1.7 million sites, and by today, September 10, 2020 the total number of sites attacked has increased to over 2.6 million. We’ve seen evidence of multiple threat actors taking part in these attacks, including minor efforts by the threat actor previously responsible for attacking millions of sites, but two attackers have been the most successful in exploiting vulnerable sites, and at this time, both attackers are password protecting vulnerable copies of the connector.minimal.php file.

An early bird stealing passwords

Our site cleaning team has found numerous indicators that the most active of these attacks are the work of a Moroccan threat actor known as “bajatax” which has historically stolen credentials from PrestaShop sites. These indicators include simple files containing only the string “bajatax” as well as modifications to the original vulnerable connector.minimal.php file designed to lock out all other attackers, containing a $content="by bajatax” line of code. Logs from infected sites indicate these files are being added by some of the most active attacking IPs, and we were able to verify that this threat actor is behind the hardfork.php and hardfile.php IOCs mentioned in our initial post. This attacker was the first to attack this vulnerability at scale.

Once a site is infected, the “bajatax” attacker adds malicious code that uses the Telegram messenger’s API to exfiltrate the credentials of any user logging into the site. This code is added to the WordPress core user.php file. If WooCommerce is installed, the wc-user-functions.php and class-wc-form-handler.php files will also be modified to exfiltrate user credentials. These credentials could then be resold or used to gain access to other accounts using the same credentials.

We’ve found IOCs from this threat actor on a substantial number of sites. Despite this attacker’s efforts to lock out other hackers, they haven’t always managed to get their foot in the door first, but we’ve seen them make regular attempts to update the passwords on both the vulnerable connector.minimal.php file and on other files they’ve added to allow additional upload capability, while leaving the credential scraping functionality in place which consistently sends to the same Telegram chat ID of 1110165405.

Our Threat Intelligence team has been hard at work adding malware signatures to detect Indicators of Compromise by the bajatax threat actor, and these have been available to Wordfence Premium users starting September 8, 2020. These signatures will be released to sites still using the free version of Wordfence after 30 days, starting October 8, 2020.

A second attacker scattering backdoors

The most prevalent single indicators of compromise we found are an infector, feoidasf4e0_index.php, with an MD5 hash of 6ea6623e8479a65e711124e77aa47e4c, and a backdoor inserted by this infector. In this case we are providing the MD5 hash since this file is extremely consistent, and as such the MD5 can be a useful indicator of compromise.

This attacker is using the mkfile method outlined in our initial article rather than the upload method favored by the “bajatax” threat actor. This attacker is also adding password protection to the vulnerable connector.minimal.php file in an effort to lock out other attackers, though our attack data indicates this threat actor is using a consistent password.

The feoidasf4e0_index.php file inserts two copies of the second backdoor with randomized filenames ending in _index.php whenever it is accessed. One copy is placed in the webroot, and one in a randomized writable folder on the site. Both backdoors have the same MD5 of 3f60851c9f7e37c0d8817101d2212c68. While the backdoor in question has been in use for several years, the fact that multiple copies might be scattered across an infected site would help this attacker maintain persistence in the absence of a thorough scanning solution. We’ve also seen additional copies of this backdoor with different MD5 hashes added by this attacker; these are simply the most common variants.

Once these backdoors are in place, the attacker is using them to make additional modifications to core WordPress files, in some cases by using obfuscated code to include separate backdoors disguised as .ico files. While the prevalence of the feoidasf4e0_index.php file appears to be declining, the secondary backdoors added by this file are still extremely common, indicating that this attacker has managed to achieve some degree of persistence.

The feoidasf4e0_index.php file itself appears to be a very slightly modified version of an infector used in previous campaigns that primarily added cryptominers and SEO spam to various sites, so these are viable monetization routes for this threat actor, though they could also simply lease access to a botnet of infected sites under their control.

Other actors abound

Our site cleaning team has cleaned a number of sites compromised by this vulnerability, and in many cases, malware from multiple threat actors is present. The aforementioned threat actors have been by far the most successful due to their efforts to lock out other attackers, and are collectively using several thousand IP addresses in their attacks. Nonetheless, we’ve seen attacks against this vulnerability from over 370,000 separate IP addresses.

There has been almost no overlap between the IPs adding and accessing the feoidasf4e0_index.php file and the IPs adding and accessing the bajatax “hardfork” files. The single exception is the IP 51.83.216.204, which appears to be a third party opportunistically checking for the presence of both of these backdoors and then attempting to add a backdoor of its own, without much success. As more and more users update or remove the File Manager plugin, control of any infected sites will likely be split between these two threat actors.

Conclusion

In today’s article, we discussed the most common infections we’re seeing on sites where the File Manager vulnerability has been exploited as well as the predominant actors involved. We’ve also managed to link at least one of the attackers to a known threat actor and determine likely paths to monetization. If you or anyone you know has had a vulnerable version of the File Manager plugin installed, we urge you to scan your site for malware using a security solution such as Wordfence. If your site has been compromised by the “bajatax” threat actor, it is critical that you completely clean your site before contacting all of your users and advising them that their credentials may have been compromised, especially if you are running an e-commerce site.

The post Attackers Fight for Control of Sites Targeted in File Manager Vulnerability appeared first on Wordfence.

More great articles

Stored XSS in Elementor

During a routine audit of WordPress plugins last december, we discovered a Stored XSS vulnerability in the very popular Elementor…

Read Story

Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023)

Last week, there were 107 vulnerabilities disclosed in 89 WordPress Plugins and 5 WordPress themes that have been added to…

Read Story

SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin

On March 4, 2021, the Wordfence Threat Intelligence team initiated responsible disclosure for a Time-Based Blind SQL Injection vulnerability discovered…

Read Story

Emergency WordPress Help

One of our techs will get back to you within minutes.