Backdoor in AccessPress Themes and Plugins (21st January 2022)

Ref# AL2022_03 | Date: Jan 21st 2022

Description

During the investigation of a compromised website, investigators found suspicious code in a theme by AccessPress Themes. AccessPress Themes, also known as Access Keys, is a vendor with many popular themes and plugins. Attackers breached the AccessPress Themes website in early September 2021 in order to infect the websites of customers using its themes and plugins.

Summary

Further investigation of the vendor's website uncovered that all of the themes and most of the plugins contained the same suspicious code. The code was only present in themes and plugins downloaded from the AccessPress Themes website; the same themes and plugins were clean when downloaded and installed directly from the WordPress.org directory.

How it works

The compromised themes and plugins contain a dropper for a webshell that gives the attackers full access to the infected website. The dropper is the file inital.php in the main plugin or theme directory. When run, it installs a cookie-based webshell in wp-includes/vars.php. The shell is installed as a function named wp_is_mobile_fix(), placed directly in front of the legitimate wp_is_mobile() function so that it does not look out of place to anybody casually scrolling through vars.php.

After installation, the dropper phones home by loading a remote image from the URL hxxps://www.wp-theme-connect.com/images/wp-theme.jpg, passing the URL of the infected site and the name of the theme in use as query arguments. It then deletes its own source file to avoid detection after execution.

The webshell itself only triggers when the User-Agent string of the request is wp_is_mobile and the request carries eight specific cookies. It pieces together a payload from the values of these cookies and executes it.

An older variant of the backdoor was found embedded directly in the theme's or plugin's functions.php file. This variant uses the same mechanism, piecing the payload together from eight cookies, but does not filter on the request's User-Agent string.

To ensure that the dropper is executed, the main plugin file (for plugins) or the functions.php file (for themes) was modified with code that runs inital.php if that file exists.
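The following scanner is an added example written for this alert, not code from the advisory or from AccessPress Themes. It checks a WordPress install for the three indicators described above (the inital.php dropper, the injected wp_is_mobile_fix() function, and a loader stub that includes the dropper) and flags access-log lines carrying the webshell's trigger User-Agent; it assumes combined-format access logs and uses only the file and function names given in this alert.

```python
"""Detect the AccessPress backdoor indicators on disk and in access logs."""
import os
import re

DROPPER_NAME = "inital.php"       # dropper file name as reported in the alert (sic)
SHELL_FUNC = "wp_is_mobile_fix"   # function injected into wp-includes/vars.php
TRIGGER_UA = "wp_is_mobile"       # User-Agent the webshell requires

# In combined log format the User-Agent is the last quoted field on the line.
_UA_RE = re.compile(r'"([^"]*)"\s*$')
# Loader stub: an include/require whose argument ends in the dropper file name.
_LOADER_RE = re.compile(r"(include|require)(_once)?[^;]*" + re.escape(DROPPER_NAME))


def scan_source(relpath, content):
    """Return indicator messages for one PHP file, given its path relative to the
    WordPress root and its text. Pure so it can be tested without a filesystem."""
    hits = []
    norm = relpath.replace(os.sep, "/")
    if SHELL_FUNC in content:
        hits.append(f"{norm}: contains injected {SHELL_FUNC}() function")
    if os.path.basename(norm) == DROPPER_NAME:
        hits.append(f"{norm}: dropper file present")
    if _LOADER_RE.search(content):
        hits.append(f"{norm}: loads {DROPPER_NAME}")
    return hits


def scan_tree(root):
    """Walk a WordPress install and collect every indicator found in .php files."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    hits.extend(scan_source(os.path.relpath(full, root), fh.read()))
            except OSError:
                continue  # unreadable file; report nothing rather than abort
    return hits


def is_trigger_request(log_line):
    """True if a combined-format access-log line carries the webshell's User-Agent."""
    m = _UA_RE.search(log_line)
    return bool(m) and m.group(1).strip() == TRIGGER_UA


if __name__ == "__main__":
    import sys
    for hit in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

Run it with the WordPress root as the argument; any hit on wp-includes/vars.php or an inital.php under wp-content warrants restoring the affected files from a clean WordPress.org copy.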

Remediation

Most of the plugins have since been updated. The affected themes, however, have not been updated and have been pulled from the WordPress.org theme repository. A list of the updated plugins and affected themes can be found at the following URL:

https://wpscan.com/vulnerability/9c76bada-fa32-4c2f-9855-d0efd1e63eff

Since these plugins and themes are clean when downloaded directly from the WordPress.org directory, users are asked to remove the affected themes and plugins and reinstall them directly from the WordPress.org directory.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.