The Capoae malware installs a backdoor plugin on WordPress sites

Helga SmithSeptember 21, 2021Last Updated: September 21, 2021

48 1 minute read

Akamai experts write that Capoae malware infiltrates WordPress sites, installs a plugin with a backdoor on them, and then uses the system to mine cryptocurrency.

Expert Larry Cashdollar warns that the main tactic of such malware is spreading through vulnerable systems, as well as cracking unreliable administrator credentials. The studied sample of the malware Keshdollar named Capoae.

ASCII

download-monitor

This malware is delivered to hosts running WordPress via the download-monitor plugin with a backdoor, which cybercriminals install on sites after successfully brute-forcing credentials.

The attack also involves deploying a binary to Golang, whereby the obfuscated payload is retrieved via a GET request, which the malicious plugin makes to the attacker’s domain.

The malware can also decrypt and execute other payloads: basically, the Golang binary exploits various RCE vulnerabilities in Oracle WebLogic Server (CVE-2020-14882), NoneCms (CVE-2018-20062) and Jenkins (CVE-2019-1003029 and CVE-2019-1003030) in order to brute force and not only work its way into the system and ultimately launch the XMRig miner.

Attackers do not forget that they need to act unnoticed. To do this, they use the most suspicious-looking paths on the disk and directories where real system files can be found, and also create a file with a random six-digit name, which is then copied to another location (before deleting the malware after execution).

The use of multiple vulnerabilities and tactics in the Capoae campaign underscores how seriously the operators [of this malware] intend to gain a foothold in as many systems as possible. The good news is that the same security methods that we recommend for most organizations still work here. Do not use weak or default credentials for servers or applications deployed there. Make sure to keep your applications up to date with the latest security fixes and check them from time to timethe expert sums up.

Let me remind you that I also wrote that Researchers warned of new DarkRadiation ransomware.

The Capoae malware installs a backdoor plugin on WordPress sites

Akamai experts write that Capoae malware infiltrates WordPress sites, installs a plugin with a backdoor on them, and then uses the system to mine cryptocurrency.

Helga Smith

Leave a ReplyCancel reply

Remove BGZQ Ransomware Virus (+DECRYPT .bgzq Files)

Remove BGJS Ransomware Virus (+DECRYPT .bgjs Files)

Remove KAAA Ransomware Virus (+DECRYPT .kaaa Files)

Remove UAJS Ransomware Virus (+DECRYPT .uajs Files)

Remove UAZQ Ransomware Virus (+DECRYPT .uazq Files)

Remove VOOK Ransomware Virus (+DECRYPT .vook Files)

Remove LOOY Ransomware Virus (+DECRYPT .looy Files)

Remove KOOL Ransomware Virus (+DECRYPT .kool Files)

Remove NOOD Ransomware Virus (+DECRYPT .nood Files)

Remove WIAW Ransomware Virus (+DECRYPT .wiaw Files)

Remove WISZ Ransomware Virus (+DECRYPT .wisz Files)

Remove LKFR Ransomware Virus (+DECRYPT .lkfr Files)

Remove LKHY Ransomware Virus (+DECRYPT .lkhy Files)

Remove LDHY Ransomware Virus (+DECRYPT .ldhy Files)

Remove KVIP Ransomware Virus (+DECRYPT .kvip Files)

Akamai experts write that Capoae malware infiltrates WordPress sites, installs a plugin with a backdoor on them, and then uses the system to mine cryptocurrency.

Helga Smith

Grief ransomware threatens to destroy victims' data if they turn to negotiators

Cring ransomware operators exploit 11-year Adobe ColdFusion vulnerability

Leave a ReplyCancel reply

Related Articles

New Version of Magniber Ransomware Threatens Windows 11 Users

GoodWill Extortionist Forces Victims to Good Deeds

Russian Fronton Botnet Can Do Much More than Massive DDoS Attacks

Microsoft Warns of Increased XorDdos Malware Activity