[color=#FF00]Link (Dangerous): [/color] http://aliciabayer.com/wordpress/wp-content/plugins/master_mkiaz5/
This attack defaces the WordPress site, disables most or all installed plugins, and installs a phishing payload on the website that attempts to collect login information by posing as a legitimate login to a well-known utility or financial institution. We have identified some commonalities among the exploits:
- Always targets the first configured user of a WordPress installation.
- The first configured user's username is changed to “hex” and the password is changed to an unknown string.
- All legitimately installed plugins are disabled.
- A new plugin is installed called “UBH CSU” which may allow shell access to the site (if allowed by server rules).
VirusTotal → https://www.virustotal.com/gui/file/4eb36a7229f7a799ac321b989e12b4007df8d86057752cb182f409f32c4b4fec/details
Name → Sid Gifari
Credits:
medium.com,
isc.sans.edu
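
The commonalities listed above can be turned into a quick triage check for a site you administer. The following is an added example, not part of the original post or its sources; it assumes you have exported the `(ID, user_login)` rows from `wp_users` and the decoded `active_plugins` option, and the function names and sample data are constructed for illustration:

```python
import re
import tempfile
from pathlib import Path

# WordPress takes a plugin's display name from a "Plugin Name:" header comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+?)\s*$", re.I | re.M)

def plugins_named(plugins_dir, wanted="UBH CSU"):
    """Return PHP files under plugins_dir whose header declares the wanted plugin name."""
    hits = []
    for php in sorted(Path(plugins_dir).rglob("*.php")):
        head = php.read_text(errors="replace")[:8192]  # headers sit at the top of the file
        m = HEADER_RE.search(head)
        if m and m.group(1).strip().lower() == wanted.lower():
            hits.append(str(php))
    return hits

def check_indicators(users, active_plugins, plugins_dir):
    """users: (ID, user_login) rows from wp_users; active_plugins: decoded option value."""
    findings = []
    if users:
        first_id, first_login = min(users)  # lowest ID = first configured user
        if first_login.lower() == "hex":
            findings.append(f"first user (ID {first_id}) is named 'hex'")
    installed = [p for p in Path(plugins_dir).iterdir() if p.is_dir()]
    if installed and not active_plugins:
        findings.append("plugins are installed but none is active")
    for path in plugins_named(plugins_dir):
        findings.append(f"'UBH CSU' plugin header found in {path}")
    return findings

def demo():
    # Constructed sample data: a fake plugin tree and user rows, not from a real site.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "akismet").mkdir()
        (root / "akismet" / "akismet.php").write_text("<?php\n/*\nPlugin Name: Akismet\n*/\n")
        (root / "dropped").mkdir()
        (root / "dropped" / "index.php").write_text("<?php\n/*\n * Plugin Name: UBH CSU\n */\n")
        compromised = check_indicators([(2, "editor"), (1, "hex")], [], root)
        clean = check_indicators([(1, "admin")], ["akismet/akismet.php"], root / "akismet")
        return compromised, clean

if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

Any single finding is worth investigating on its own; all three together match the pattern described in the post.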