Hackers are using stolen credentials to infect WordPress sites with bogus plugins that deliver malware and infostealers to end users via fake browser update prompts.
The malicious campaign, based on a new variant of the ClickFix fake browser update malware, has infected more than 6,000 sites with fake WordPress plugins since June 2024. Overall, ClickFix has now compromised more than 25,000 sites since August 2023, according to the GoDaddy security team.
No known vulnerabilities are being exploited to deliver the bogus plugins; the hackers simply seem to be using stolen credentials.
“Log analysis reveals that the installation of counterfeit WordPress plugins did not directly exploit any known vulnerabilities within the WordPress ecosystem,” the GoDaddy advisory said. “Instead, attackers possessed legitimate WordPress admin credentials for each compromised site.”
The plugins are “designed to appear harmless to website administrators,” but site visitors could be shown fake browser updates and other malicious prompts.
The plugins inject malicious JavaScript that contains “a known variation of fake browser update malware that uses blockchain and smart contracts to obtain malicious payloads,” known as EtherHiding. When executed in the browser, the JavaScript delivers fake browser update notifications that guide users to install malware on their machines, typically remote access trojans (RATs) or info stealers like Vidar Stealer and Lumma Stealer.
The fake plugins use generic names such as “Advanced User Manager” or “Quick Cache Cleaner,” and their directories contain only three small files: index.php, .DS_Store, and a *-script.js file whose prefix is typically derived from the plugin’s name.
Those naming schemes led to the discovery of other malicious plugins:
| Plugin name | Injected script |
| --- | --- |
| Admin Bar Customizer | admin-bar-customizer/abc-script.js |
| Advanced User Manager | advanced-user-manager/aum-script.js |
| Advanced Widget Manage | advanced-widget-manage/awm-script.js |
| Content Blocker | content-blocker/cb-script.js |
| Custom CSS Injector | custom-css-injector/cci-script.js |
| Custom Footer Generator | custom-footer-generator/cfg-script.js |
| Custom Login Styler | custom-login-styler/cls-script.js |
| Dynamic Sidebar Manager | dynamic-sidebar-manager/dsm-script.js |
| Easy Themes Manager | easy-themes-manager/script.js |
| Form Builder Pro | form-builder-pro/fbp-script.js |
| Quick Cache Cleaner | quick-cache-cleaner/qcc-script.js |
| Responsive Menu Builder | responsive-menu-builder/rmb-script.js |
| SEO Optimizer Pro | seo-optimizer-pro/sop-script.js |
| Simple Post Enhancer | simple-post-enhancer/spe-script.js |
| Social Media Integrator | social-media-integrator/smi-script.js |
“The underlying plugin code remains deliberately simplistic to avoid raising red flags,” the advisory said. The plugin registers a handler on the wp_enqueue_scripts action, which loads the harmful script from the plugin directory into WordPress pages.
.DS_Store (Desktop Services Store) files are hidden files that the macOS Finder application creates to store folder preferences. The fake plugins’ .DS_Store files contain no information, but their presence can be used as an indicator of compromise (IoC).
The script files all contain identical content, so the injected script can be identified by its hash.
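As an added example (not code from the article or from GoDaddy’s tooling), the following Python script hunts for the layout described above in a wp-content/plugins directory: a plugin folder holding only index.php, .DS_Store and one *-script.js, whose index.php hooks wp_enqueue_scripts. It builds a constructed sample tree to run against; the directory name “site-speed-helper” is invented to show that the check does not depend on the table of known names, and it hashes each matched script so identical copies across plugins can be grouped.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Directory names taken from the table above; other matches are still flagged.
KNOWN_FAKE_DIRS = {"admin-bar-customizer", "advanced-user-manager",
                   "quick-cache-cleaner", "easy-themes-manager"}
# Hook described in the article: the plugin registers on wp_enqueue_scripts.
HOOK_RE = re.compile(r"add_action\s*\(\s*['\"]wp_enqueue_scripts['\"]")

def scan_plugins(plugins_dir):
    """Return {dir_name: {"known": bool, "script_sha256": hex}} for every plugin
    that matches the three-file layout and hooks wp_enqueue_scripts."""
    findings = {}
    for plugin in sorted(Path(plugins_dir).iterdir()):
        if not plugin.is_dir():
            continue
        names = sorted(p.name for p in plugin.iterdir())
        scripts = [n for n in names if n.endswith("script.js")]  # also bare script.js
        if len(names) != 3 or {"index.php", ".DS_Store"} - set(names) or len(scripts) != 1:
            continue
        if not HOOK_RE.search((plugin / "index.php").read_text(errors="replace")):
            continue
        digest = hashlib.sha256((plugin / scripts[0]).read_bytes()).hexdigest()
        findings[plugin.name] = {"known": plugin.name in KNOWN_FAKE_DIRS,
                                 "script_sha256": digest}
    return findings

def build_sample_tree():
    """Constructed wp-content/plugins tree for a self-contained run (not real samples)."""
    root = Path(tempfile.mkdtemp())
    loader = ("<?php\n/* Plugin Name: %s */\nadd_action('wp_enqueue_scripts', function () {\n"
              "  wp_enqueue_script('x', plugin_dir_url(__FILE__) . '%s');\n});\n")
    js = b"/* constructed placeholder, not the real injected script */\n"
    # "site-speed-helper" is an invented name, not one from the article's table.
    for dirname, title, script in [("quick-cache-cleaner", "Quick Cache Cleaner", "qcc-script.js"),
                                   ("site-speed-helper", "Site Speed Helper", "ssh-script.js")]:
        d = root / dirname
        d.mkdir()
        (d / "index.php").write_text(loader % (title, script))
        (d / ".DS_Store").write_bytes(b"")     # empty, as the article describes
        (d / script).write_bytes(js)           # identical across fakes -> same hash
    legit = root / "real-plugin"               # normal plugin: more files, no .DS_Store
    legit.mkdir()
    (legit / "real-plugin.php").write_text("<?php\n/* Plugin Name: Real Plugin */\n"
                                           "add_action('wp_enqueue_scripts', 'rp_assets');\n")
    (legit / "readme.txt").write_text("== Real Plugin ==\n")
    (legit / "assets.js").write_text("console.log('ok');\n")
    return root
```

Point scan_plugins at a real wp-content/plugins path to run it against a live install; the layout match is a triage signal, and the hash lets you confirm whether flagged scripts are copies of one another.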
The GoDaddy advisory notes that the presence of valid WordPress admin credentials suggests that the hackers used methods to obtain the credentials, such as brute-force attacks, phishing campaigns, or perhaps even malware or infostealer infections on the website admins’ computers.
The advisory didn’t say, but presumably multi-factor authentication would offer some protection against the stolen credentials being misused, along with other access controls such as device ID, health and location.