Backdoor Found in Themes and Plugins from AccessPress Themes
Tags
| maec-delivery-vectors: | Watering Hole |
| attack-pattern: | Malicious File - T1204.002 Server - T1583.004 Server - T1584.004 |
Common Information
| Type | Value |
|---|---|
| UUID | 31c71441-4ee6-4199-9126-beac47c68ce3 |
| Fingerprint | 7f158203847527c9 |
| Analysis status | DONE |
| Considered CTI value | 0 |
| Text language | |
| Published | Jan. 18, 2022, 6:22 p.m. |
| Added to db | Jan. 18, 2023, 9:53 p.m. |
| Last updated | Nov. 18, 2024, 3:36 a.m. |
| Headline | Backdoor Found in Themes and Plugins from AccessPress Themes |
| Title | Backdoor Found in Themes and Plugins from AccessPress Themes |
| Detected Hints/Tags/Attributes | 37/2/12 |
Source URLs
URL Provider
Attributes
| Details | Type | #Events | CTI | Value |
|---|---|---|---|---|
| Details | CVE | 2 | cve-2021-24867 |
|
| Details | Domain | 141 | wordpress.org |
|
| Details | Domain | 1 | accesspressthemes.com |
|
| Details | Domain | 1 | www.wp-theme-connect.com |
|
| Details | File | 1 | inital.php |
|
| Details | File | 4 | vars.php |
|
| Details | File | 1 | wp-theme.jpg |
|
| Details | File | 37 | functions.php |
|
| Details | Url | 1 | https://accesspressthemes.com |
|
| Details | Url | 1 | https://www.wp-theme-connect.com/images/wp-theme.jpg |
|
| Details | Url | 1 | https://www.wp-theme-connect.com/images/wp-theme.jpg?ph= |
|
| Details | Yara rule | 1 | rule accesspress_backdoor_infection {
strings:
$inject0 = "$fc = str_replace('function wp_is_mobile()',"
$inject1 = "$b64($b) . 'function wp_is_mobile()',"
$inject2 = "$fc);"
$inject3 = "@file_put_contents($f, $fc);"
$payload0 = "function wp_is_mobile_fix()"
$payload1 = "$is_wp_mobile = ($_SERVER['HTTP_USER_AGENT'] == 'wp_is_mobile');"
$payload2 = "$g = $_COOKIE;"
$payload3 = "(count($g) == 8 && $is_wp_mobile) ?"
$url0 = /https?:\/\/(www\.)?wp\-theme\-connect\.com(\/images\/wp\-theme\.jpg)?/
condition:
all of ($inject*) or all of ($payload*) or $url0
} |