PSA: Fake CVE-2023-45124 Phishing Scam Tricks Users Into Installing Backdoor Plugin
The Wordfence Threat Intelligence Team has recently been informed of a phishing campaign targeting WordPress users. The Phishing email claims to be from the WordPress team and warns of a Remote Code Execution vulnerability on the user’s site with an identifier of CVE-2023-45124, which is not currently a valid CVE. The email prompts the victim to download a “Patch” plugin and install it.
If the victim downloads the plugin and installs it on their WordPress site, the plugin is installed with a slug of wpress-security-wordpress and adds a malicious administrator user with the username wpsecuritypatch. It then sends the site URL and generated password for this user back to a C2 domain: wpgate[.]zip. The malicious plugin also includes functionality to ensure that this user remains hidden. Additionally, it downloads a separate backdoor from wpgate[.]zip and saves it with a filename of wp-autoload.php in the webroot. This separate backdoor includes a hardcoded password that includes a file manager, a SQL Client, a PHP Console, and a Command Line Terminal, in addition to displaying server environment information.