Security researchers have disclosed that the popular WordPress plugin and theme vendor AccessPress was compromised and its software replaced with backdoored versions. The compromise appears to have taken place in September of last year and was only recently made public.
Users who obtained software directly from the AccessPress website unknowingly gave attackers backdoor access, resulting in an unknown number of compromised websites. The copies in the official WordPress repository so far appear to be unaffected, although as a proactive measure they have been removed until a full code review can be conducted.
The attackers placed PHP backdoors into many of the software components the group provides free of charge: 40 themes and 53 plugins are known to be affected. The backdoor was quite simple but gave the attackers full control over the victim's websites. The first step was adding a new file, initial.php, to the main theme directory and including it from the theme's main functions.php file.
The initial.php file contains a base64-encoded payload that writes a backdoor webshell into the ./wp-includes/vars.php file. The infection calls out to a malicious domain, wp-theme-connect[.]com, and echoes out the contents of an image file. The domain no longer appears to resolve, but it was online long enough to serve its purpose.
Once the payload is decoded and injected into vars.php, the attackers have control over the environment and full backdoor access to the website. Interestingly, once the backdoor is installed on the target website, the malware runs a self-destruct function that deletes the initial.php dropper file to cover its tracks and avoid detection.
If the victim website uses a security plugin with core file integrity monitoring, the change to the core file vars.php should be flagged as a modification. One might expect the attackers to have prepared some exciting new payload, but the malware found associated with this backdoor is more of the same: spam and redirects to malware and scam sites.
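A defender-side check for the three indicators described above (a leftover initial.php dropper, a theme functions.php that includes it, and a vars.php that no longer matches a known-good core hash), written as an added example rather than code from the article or from any security plugin. The directory layout is standard WordPress; the known-good hash is assumed to come from a clean install of the same version, and the sample site built in demo() is constructed.

```python
"""Scan a WordPress root for AccessPress-style backdoor indicators."""
import hashlib
import re
from pathlib import Path

# Matches a PHP include/require (incl. _once) of a file named initial.php.
# Because the dropper self-destructs, the include line in functions.php may
# be the only trace left in the theme directory.
INCLUDE_RE = re.compile(r"\b(?:include|require)(?:_once)?\b[^;]*initial\.php", re.I)


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def scan_wordpress_root(root, known_good_vars_sha256: str) -> list:
    """Return (indicator, path) tuples; an empty list means nothing was found."""
    root = Path(root)
    findings = []
    themes_dir = root / "wp-content" / "themes"
    if themes_dir.is_dir():
        for theme in sorted(p for p in themes_dir.iterdir() if p.is_dir()):
            dropper = theme / "initial.php"
            if dropper.exists():
                findings.append(("dropper_present", str(dropper)))
            functions = theme / "functions.php"
            if functions.exists() and INCLUDE_RE.search(functions.read_text(errors="replace")):
                findings.append(("functions_includes_dropper", str(functions)))
    # Core file integrity: vars.php is not meant to change between releases.
    vars_php = root / "wp-includes" / "vars.php"
    if vars_php.exists() and sha256_of(vars_php) != known_good_vars_sha256:
        findings.append(("core_file_modified", str(vars_php)))
    return findings


def demo() -> list:
    """Build a constructed sample site in a temp dir, scan it, return indicator names."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean_vars = b"<?php\n// constructed stand-in for WordPress core vars.php\n"
        good_hash = hashlib.sha256(clean_vars).hexdigest()  # assumed known-good hash
        theme = root / "wp-content" / "themes" / "sample-theme"
        theme.mkdir(parents=True)
        (theme / "initial.php").write_text("<?php /* constructed dropper stand-in */\n")
        (theme / "functions.php").write_text("<?php\nrequire_once __DIR__ . '/initial.php';\n")
        (root / "wp-includes").mkdir()
        (root / "wp-includes" / "vars.php").write_bytes(clean_vars + b"// appended line\n")
        return [name for name, _ in scan_wordpress_root(root, good_hash)]
```

On a real site, obtain the known-good hash from a clean copy of the same WordPress version (or use WP-CLI's core checksum verification) rather than from the suspect install itself.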
While reviewing the website cleanups associated with this vars.php backdoor, the researchers found quite a few compromised sites that lined up with the same timeline for this hack. Some of the infected websites found using this backdoor had spam payloads dating back nearly three years.