A fake WordPress plugin dubbed X-WP-SPAM-SHIELD-PRO, containing a backdoor, was distributed by crooks abusing the popularity of WP-SpamShield Anti-Spam, a legitimate WordPress anti-spam tool.
The WP-SpamShield Anti-Spam plugin has over 100,000 installs, which is why the attackers chose to imitate it.
Researchers with Sucuri discovered that X-WP-SPAM-SHIELD-PRO disables other plugins, including the ones used to protect the install, steals data, and adds a hidden admin account.
X-WP-SPAM-SHIELD-PRO mimics the structure and file names of a legitimate plugin, but all of its contents are fake.
“In the case of the X-WP-SPAM-SHIELD-PRO plugin, we identified a legitimate structure and file names. We also found legitimate, “security-related” file names in the ./includes folder.” states the blog post published by Sucuri.
“After checking each of the files, the contents turned out to be simple hacktools serving the purpose of the attacker.”
The experts cited class-social-facebook.php as an example: while the file name suggests code implementing defenses against threats arriving via Facebook, the file was actually designed to list all active plugins and disable them.
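The lesson of class-social-facebook.php is that a plugin file's name says nothing about what it does, so triage has to look at the WordPress APIs each file actually calls. The script below is an added example written for this article, not Sucuri's tooling and not code from the malicious plugin: it scans a plugin directory for PHP files that deactivate other plugins (deactivate_plugins, writes to the active_plugins option) or hand out the administrator role (wp_create_user, wp_insert_user, set_role/add_role with 'administrator'), all of which are real WordPress core APIs. The sample plugin files it scans, including the file names, the class name X_Social_Facebook and the user "backup", are constructed for the example.

```python
"""Heuristic triage of WordPress plugin files (added example, not Sucuri's tooling).

Flags PHP files whose contents call WordPress core APIs that can disable
other plugins or create privileged users, regardless of what the file name
suggests.  The sample plugin files below are constructed for this example.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# Real WordPress core APIs, grouped by the behaviour they enable.  Reads such as
# get_option('active_plugins') are deliberately not flagged; only calls that
# deactivate plugins or hand out the administrator role are.
SUSPICIOUS_CALLS: dict[str, list[str]] = {
    "disable_plugins": [
        r"\bdeactivate_plugins\s*\(",
        r"\bupdate_option\s*\(\s*['\"]active_plugins['\"]",
    ],
    "privileged_user": [
        r"\bwp_create_user\s*\(",
        r"\bwp_insert_user\s*\(",
        r"\bset_role\s*\(\s*['\"]administrator['\"]",
        r"\badd_role\s*\(\s*['\"]administrator['\"]",
    ],
}


def scan_source(source: str) -> dict[str, list[str]]:
    """Return {behaviour: [matched call text, ...]} for one PHP file's contents."""
    findings: dict[str, list[str]] = {}
    for behaviour, patterns in SUSPICIOUS_CALLS.items():
        hits = [m.group(0) for pat in patterns for m in re.finditer(pat, source)]
        if hits:
            findings[behaviour] = hits
    return findings


def scan_plugin_dir(plugin_dir: Path) -> dict[str, dict[str, list[str]]]:
    """Scan every .php file under plugin_dir; keys are paths relative to it."""
    report: dict[str, dict[str, list[str]]] = {}
    for path in sorted(plugin_dir.rglob("*.php")):
        findings = scan_source(path.read_text(errors="replace"))
        if findings:
            report[path.relative_to(plugin_dir).as_posix()] = findings
    return report


# Constructed sample files mirroring the pattern described in the article:
# benign-looking names under ./includes with bodies that do something else.
SAMPLE_FILES = {
    "x-wp-spam-shield-pro.php": (
        "<?php\n/* Plugin Name: Constructed sample */\n"
        "add_action('init', function () { $p = get_option('active_plugins'); });\n"
    ),
    "includes/class-social-facebook.php": (
        "<?php\nclass X_Social_Facebook {\n"
        "    public function run() {\n"
        "        $active = get_option('active_plugins');\n"
        "        deactivate_plugins($active);\n"
        "    }\n}\n"
    ),
    "includes/class-user-utils.php": (
        "<?php\n$uid = wp_create_user('backup', 'secret', 'x@example.invalid');\n"
        "$u = new WP_User($uid);\n$u->set_role('administrator');\n"
    ),
}


def build_demo_report() -> dict[str, dict[str, list[str]]]:
    """Write the constructed plugin to a temp dir and return the scan report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, body in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return scan_plugin_dir(root)


if __name__ == "__main__":
    for rel_path, findings in build_demo_report().items():
        for behaviour, calls in findings.items():
            print(f"{rel_path}: {behaviour} via {', '.join(calls)}")
```

Run against a real wp-content/plugins/<name> directory, the report lists each file and the capability it contains, which is then compared with what the file name and plugin description claim. Two caveats: legitimate plugins also call these APIs (security and management plugins deactivate others or create users by design), so a hit is a reason to read the file, not a verdict; and a payload hidden behind base64_decode or eval will not match these patterns, so files with no hits are not cleared either.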
