An unknown hacker introduced a backdoor into the source code of the WordPress plugin that masquerades as an anti-spam tool called X-WP-SPAM-SHIELD-PRO.
Apparently, the attacker tried to use the reputation of a popular tool to protect against spam WordPress WP-Spam Shield Anti-Spam. The fake plugin contains a backdoor allowing the hacker to create his own administrator account on the attacked site, upload files to the victim’s servers, disable all plug-ins, etc.
Malicious behavior extends to all files of a fake plugin. In particular, the file class-social-facebook.php disguises itself as a means of protection from spam in social networks and sends an attacker a list of user’s plug-ins and turns them off if necessary. The purpose of disabling all plug-ins is to deactivate all plug-ins blocking access to authorization functions or detecting unauthorized login attempts.
Files class-term-metabox-formatter.php and class-admin-user-profile.php send an attacker information about the version of WordPress and a list of all users with administrator rights.Plugin-header.php adds an account with administrator rights under the name mw01main.The wp-spam-shield-pro.php file is associated with a hacker’s server located on mainwall.org, informing him about the installation of a malicious plug-in by a new user. The information transmitted by this file includes the credentials, the URL of the infected site, and the IP address of the server. Wp-spam-shield-pro.php also contains malicious code that allows an attacker to download a ZIP-archive to the victim’s site, unpack it and execute the files stored inside.
As security experts from Sucuri believe, the attacker used a compromised version of the famous WordPress plug-in All In One SEO Pack to distribute the fake. The attacker did not publish the plugin in the official WordPress repository, distributing it through other sources.