Malicious Plugin on WordPress Grants Unauthorised Admin Access to Attackers

By Tina Reynolds

A recently discovered malware sample known as WP-antymalwary-bot.php poses a severe threat to WordPress sites. The core problem for defenders is that they do not realize it quietly grants attackers access to the site’s dashboard as full administrators. The malicious plugin abuses the REST API to achieve remote code execution, so attackers can carry out damaging activity without the website owners’ knowledge. Website administrators remain on high alert following this find. The malware injects malicious PHP code into the theme’s header.php file and employs multiple rootkit-like techniques to remain hidden.

The rogue plugin also includes the ability to clear the caches of popular caching plugins, which further complicates detection efforts. The malware hides itself from the admin dashboard, leaving a blind spot that makes it difficult for the site owner to identify and remove it. Security specialists have cautioned that, if not dealt with properly, WP-antymalwary-bot.php can cause severe damage, including data breaches and unauthorized access.

Underlying Mechanisms of WP-antymalwary-bot.php

WP-antymalwary-bot.php operates with remarkable sophistication. Its primary mechanism is abuse of the REST API for remote code execution, which lets attackers take over the website completely from a distance. Malicious PHP code is then injected into the theme’s header file, which ensures the malware loads every time someone browses to the affected site. Additionally, it clears the caches of popular caching plugins, making detection by security scanners more difficult.

Furthermore, the plugin includes backdoor functionality specifically meant to ensure continued access for attackers. By cloaking itself from the admin dashboard, it works under the radar, enabling further monetization of the infected site to the detriment of its owner.

“They’re trying to use your site’s resources to continue serving ads, and worse, they could be stealing your ad revenue if you’re using AdSense yourself.” – Puja Srivastava

The Node.js Backdoor and Its Implications

In a very concerning development, WP-antymalwary-bot.php also unpacks Node.js-based backdoors. These backdoors perform many nefarious functions, such as retrieving system information and providing remote access to attackers. They do not arrive empty-handed: they carry a Node.js remote access trojan (RAT) that funnels malicious traffic through SOCKS5 proxies. This maneuver increases the malware’s chances of slipping under the radar.

Once in place, these backdoors can remotely run any number of commands and thoroughly reconnoiter every corner of the infected system. This ultimately gives attackers full rein over the compromised environment.

“The JS script which was dropped in post-infection is designed as a multi-functional backdoor capable of detailed system reconnaissance, executing remote commands, tunneling network traffic (SOCKS5 proxy), and maintaining covert, persistent access.” – Reegun Jayapaul

Deceptive Techniques Employed by Attackers

Attackers behind WP-antymalwary-bot.php use fake CAPTCHA verifications as a redirection tactic. These deceptive prompts trick users into downloading and running the Node.js-based backdoors, compromising their systems. As with similar social-engineering techniques, this approach enables malware installation while opening the way to sensitive data theft.

The malware also appears under other file names, including addons.php, wpconsole.php, wp-performance-booster.php and scr.php. This rotation of names makes it near impossible for webmasters to track and remove the threat.
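As an added defensive illustration that is not part of the original article, the Python script below checks a WordPress install for the file names reported above and for PHP blocks in theme header.php files that call functions commonly used by injected code; that function list is an assumption of the example, not something the article states, and the directory tree it scans is a constructed fixture built inline.

```python
import re
import tempfile
from pathlib import Path

# File names the article reports for this malware, lower-cased for matching.
KNOWN_NAMES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
               "wp-performance-booster.php", "scr.php"}
# Assumption (not from the article): PHP calls that commonly appear in injected code.
SUSPICIOUS_CALLS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def scan_wordpress(root):
    """Return sorted (kind, relative_path) findings for the WordPress install at root."""
    root = Path(root)
    findings = []
    # 1. Plugin or mu-plugin PHP files carrying one of the reported file names.
    for base in (root / "wp-content/plugins", root / "wp-content/mu-plugins"):
        for p in base.rglob("*.php") if base.is_dir() else []:
            if p.name.lower() in KNOWN_NAMES:
                findings.append(("known-name", p.relative_to(root).as_posix()))
    # 2. Theme header.php files: flag any PHP block that calls a suspicious function.
    for header in (root / "wp-content/themes").glob("*/header.php"):
        src = header.read_text(errors="replace")
        for block in re.findall(r"<\?php(.*?)(?:\?>|\Z)", src, re.S):
            if SUSPICIOUS_CALLS.search(block):
                findings.append(("header-injection", header.relative_to(root).as_posix()))
                break
    return sorted(findings)

def run_demo():
    """Build a constructed WordPress-like tree in a temp dir and scan it."""
    sample = {  # constructed fixture: two plugins, one clean and one infected theme
        "wp-content/plugins/akismet/akismet.php": "<?php // clean plugin ?>",
        "wp-content/plugins/wp-antymalwary-bot/WP-antymalwary-bot.php": "<?php // constructed ?>",
        "wp-content/themes/clean/header.php": "<!DOCTYPE html>\n<?php wp_head(); ?>",
        "wp-content/themes/infected/header.php":
            "<?php eval(base64_decode('PLACEHOLDER')); ?>\n<!DOCTYPE html>",
    }
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, body in sample.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(body)
        return scan_wordpress(root)

if __name__ == "__main__":
    for kind, path in run_demo():
        print(f"{kind}: {path}")
```

Point scan_wordpress at a real document root to run the same checks on a live install; a match is a lead for manual review, not proof of compromise on its own.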

“Pinging functionality that can report back to a command-and-control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads.” – Marco Wotschka