Fresh Wave Of Websites Hit With “Panama Papers” Malware Disguised As SEO Plugin

by Samuel Abasi. Last updated on April 15th, 2017.

Malware masquerading as an SEO plugin called WP-Base-SEO has infected close to 4,000 WordPress sites in the past two weeks, according to security experts. The intent of the hackers behind the malware is to hide in plain sight, appearing as a legitimate SEO plugin while at the same time creating a backdoor into the targeted WordPress account.

“They have stolen the code from an existing SEO plugin and tweaked it to appear as legitimate. That way, should a WordPress site owner poke around and look for suspicious activity, they might easily overlook it as a legitimate SEO plugin,” said Weston Henry, lead security analyst at security firm SiteLock, which found the bogus plugin. The fake WP-Base-SEO plugin is a forgery of a legitimate search engine optimization plugin, WordPress SEO Tools.

The plugin is likely being installed through mass automated scanning of WordPress sites, in which attackers look for outdated plugins or WordPress themes, Henry said. A disproportionate number of infections are on WordPress installations running an outdated version of the WordPress slideshow plugin called RevSlider.

RevSlider is a popular WordPress plugin that has been tied to a number of high-profile site compromises over the past several years.

In April 2016, an out-of-date version of RevSlider was blamed for the massive 2.5 terabyte data leak known as the “Panama Papers.”

In July, attackers targeted WordPress websites running RevSlider, planting the Neutrino Exploit Kit on their web pages, which in turn attempted to install the CryptXXX ransomware on visitors’ machines.

“We think RevSlider is just a part of the mix when it comes to what vulnerabilities these adversaries are looking to exploit. It could also be they are using stolen credentials or they are using brute-force password attacks against these sites,” Henry said.

A closer examination of the fake WP-Base-SEO malware reveals its malicious intent in the form of a base64-encoded PHP eval request, according to a technical blog post that examines the plugin. “Eval is a PHP function that executes arbitrary PHP code. It is commonly used for malicious purposes, and its use is recommended against,” SiteLock said.

Malicious content was found in /wp-content/plugins/wp-base-seo/wp-seo-main.php. “At first glance, the file appears to be legitimate, including a reference to the WordPress plugin database and documentation on how the plugin works,” according to SiteLock.

Researchers focused on two files located in the malicious WP-Base-SEO plugin directory.

“(There is) wp-seo.php, which includes the require_once for the second file, wp-seo-main.php. Wp-seo-main.php uses different function and variable names depending on the install, like wpseotools_on_activate_blog vs. base_wpseo_on_activate_blog, and wp_base vs. base_wp_base,” wrote researchers.

“This means that anytime the theme is loaded in a browser, the request is initialized,” SiteLock said.

According to SiteLock’s analysis, the fake plugin’s obfuscation techniques have been largely successful up until this point. When researching past instances of WP-Base-SEO infections, SiteLock said the plugin has managed to fly under the radar of many malware scanners. “This highlights the critical need for web application security, including a malware scanner that can identify vulnerabilities and automatically remove malware,” SiteLock wrote.

In addition to scanning, Henry said site administrators need to be familiar with files associated with their WordPress install and make sure they have an inventory of plugins. “It bears repeating, it’s super important to keep your WordPress plugins and themes up to date,” he said.
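As an added illustration (not SiteLock’s tooling and not code from the plugin or the page), the following Python script applies the two defensive checks described above: it compares the plugin directories of a WordPress install against an administrator’s inventory and flags PHP files that feed decoded data straight into eval(), the pattern found in wp-seo-main.php. The sample install, the “akismet” inventory entry and the harmless base64 payload are constructed here for demonstration.

```python
import base64
import os
import re
import tempfile

# Decoder-into-eval pattern typical of obfuscated PHP backdoors.
SUSPICIOUS = re.compile(
    r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)

def scan_plugins(plugins_dir, inventory):
    """Return (plugin, relative_file, reason) findings for a wp-content/plugins
    directory: plugins missing from the admin's inventory, and PHP files that
    pass decoded data straight into eval()."""
    findings = []
    for plugin in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, plugin)
        if not os.path.isdir(pdir):
            continue
        if plugin not in inventory:
            findings.append((plugin, None, "not in plugin inventory"))
        for root, _dirs, files in os.walk(pdir):
            for name in files:
                if not name.endswith(".php"):
                    continue
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    match = SUSPICIOUS.search(fh.read())
                if match:
                    findings.append((plugin, os.path.relpath(path, plugins_dir),
                                     "eval(%s(...))" % match.group(1)))
    return findings

def build_sample_site():
    """Constructed sample install: a known plugin plus a fake wp-base-seo whose
    wp-seo-main.php hides a harmless echo behind eval(base64_decode())."""
    plugins = os.path.join(tempfile.mkdtemp(), "wp-content", "plugins")
    fake, known = os.path.join(plugins, "wp-base-seo"), os.path.join(plugins, "akismet")
    os.makedirs(fake)
    os.makedirs(known)
    payload = base64.b64encode(b'echo "constructed sample";').decode()
    with open(os.path.join(fake, "wp-seo.php"), "w") as fh:
        fh.write("<?php\nrequire_once __DIR__ . '/wp-seo-main.php';\n")
    with open(os.path.join(fake, "wp-seo-main.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: WP Base SEO */\n"
                 "function base_wpseo_on_activate_blog() {\n"
                 "    eval(base64_decode('%s'));\n}\n" % payload)
    with open(os.path.join(known, "akismet.php"), "w") as fh:
        fh.write("<?php\n/* Plugin Name: Akismet */\n")
    return plugins
```

Running scan_plugins(build_sample_site(), {"akismet"}) reports wp-base-seo twice: once as an uninventoried plugin and once for the eval(base64_decode(...)) call in wp-seo-main.php; a real scan would point it at the live wp-content/plugins directory.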

The Panama Papers are an unprecedented leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca. The records were obtained from an anonymous source by the German newspaper Süddeutsche Zeitung, which shared them with the International Consortium of Investigative Journalists (ICIJ). The ICIJ then shared them with a large network of international partners, including the Guardian and the BBC.

The documents show the myriad ways in which the rich can exploit secretive offshore tax regimes. Twelve national leaders are among 143 politicians, their families and close associates from around the world known to have been using offshore tax havens.

The leak is one of the biggest ever – larger than the US diplomatic cables released by WikiLeaks in 2010, and the secret intelligence documents given to journalists by Edward Snowden in 2013. There are 11.5m documents and 2.6 terabytes of information drawn from Mossack Fonseca’s internal database.

A $2bn trail leads all the way to Vladimir Putin. The Russian president’s best friend – a cellist called Sergei Roldugin – is at the centre of a scheme in which money from Russian state banks is hidden offshore. Some of it ends up in a ski resort where in 2013 Putin’s daughter Katerina got married.

Some of the other national leaders mentioned in the leaks are the present US President Donald Trump; Chinese leader Xi Jinping; Nawaz Sharif, Pakistan’s prime minister; Ayad Allawi, ex-interim prime minister and former vice-president of Iraq; Petro Poroshenko, president of Ukraine; Argentina’s President Mauricio Macri; Alaa Mubarak, son of Egypt’s former president; Saudi Arabia’s King Salman bin Abdulaziz bin Abdulrahman Al Saud; the prime minister of Iceland, Sigmundur Davíð Gunnlaugsson; and the father of British prime minister David Cameron.

The Panama Papers claimed their first high-profile victim when the prime minister of Iceland, Sigmundur Gunnlaugsson, resigned just two days after a massive leak of documents from Panamanian law firm Mossack Fonseca revealed that he was hiding millions of dollars in assets in an offshore account that he owned with his wife.
