Wordpress Sites Under Siege by Capoae Malware for Cryptocurrency Mining

 Threat researchers have discovered a new malware variant called Capoae that hackers are using to target WordPress sites and enslave them in a malicious network aimed at mining cryptocurrency.

What is the Threat?

Last week, Akamai security researcher Larry Cashdollar reported a new type of malware he witnessed targeting WordPress sites with easy-to-guess administrative credentials. Cashdollar explained, “The malware’s primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they’ve been infected, these systems are then used to mine cryptocurrency.”

The Hacker News added: “The PHP malware — codenamed “Capoae” (short for “Сканирование,” the Russian word for “Scanning”) — is said to be delivered to the hosts via a backdoored addition to a WordPress plugin called “download-monitor,” which gets installed after successfully brute-forcing WordPress admin credentials. The attacks also involve the deployment of a Golang binary with decryption functionality, with the obfuscated payloads retrieved by leveraging the trojanized plugin to make a GET request from an actor-controlled domain.”

How Does it Work?

The Golang binary also exports “multiple remote code execution flaws in Oracle WebLogic Server (CVE-2020-14882), NoneCms (CVE-2018-20062), and Jenkins (CVE-2019-1003029 and CVE-2019-1003030) to brute force its way into systems running SSH and ultimately launch the XMRig mining software.”

The malware evades detection by choosing a legitimate-looking install path where it copies the files and then deletes itself. 

The report by Cashdollar mentions, “The Capoae campaign’s use of multiple vulnerabilities and tactics highlights just how intent these operators are on getting a foothold on as many machines as possible,” Cashdollar said. “The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here.”

How Can Website Owners Stay Safe?

The best way website owners can stay safe is to keep their websites updated with the latest security patches. Also, be sure to use long, strong passwords for your admin credentials. Update all plugins, apps, and installed software on the backend of the website. If you are in control of the server environment, set everything to maximum security and update all apps and operating systems to the latest version.

Another way to stay safe is to review access logs and look for changed files routinely. If you monitor your website regularly, you can catch and eliminate any threats before they become a more significant problem. Other tips include:

• Watch out for higher-than-average resource consumption. Slow performance and eating through resources are often telltale signs of malware using the site for malicious purposes.
• Keep regular backups in case you must restore the site to a pre-infection state.
• Check user logs for any suspicious activity.
• Check for unwanted and unrecognized programs or processes running on the server.
• Disable file editing on the server.
• Add two-factor authentication if possible.
• Install a security plugin and set it to maximum security. 
• Disable PHP file execution. 
• Limit login attempts on the website. This can prevent brute-force attacks where hackers attempt to log in using random passwords dozens of times.
• Change the WordPress database prefix.
• Password-protect your WP-Admin and Login files/folders.
• Turn off directory indexing and browsing.
• Set the server or website to log out inactive users automatically.
• Disable XML-RPC in WordPress.
• Scan WordPress frequently for malware or unrecognized files.

Website owners cannot do enough to keep their websites and visitors safe. Once a site has been hacked, it could be used as a vehicle to trap visitors to the site and turn them into victims as well.