Thousands of WordPress sites hacked by ‘back door’ bandits.

Apr 25 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that sounds the #emergencyalert on cybercrime.

Today’s hottest cyber security stories:

  • Thousands of WordPress sites hacked by ‘back door’ bandits
  • Ransomware: forget BYOB; this is BYOVD. U wot m8?
  • AI Technology: Google follows suit, launches AI-powered security tool


Sucuri has revealed a report that shows how crafty threat actors are using an old and legit WordPress plugin called Eval PHP to secretly backdoor websites as part of their ongoing campaign.

Released by a developer named flashpixx, this plugin allows users to insert PHP code into pages and posts of WordPress sites that executes every time someone opens the post in their web browser.

Although the plugin hasn’t been updated in 11 years, it’s still installed on over 8,000 websites, and the number of downloads has skyrocketed from one or two on average to 6,988 on March 30, 2023.

It was downloaded a whopping 2,140 times on April 23, 2023, alone, and the plugin has racked up 23,110 downloads over the past seven days.

According to Sucuri, some infected websites’ databases were found injected with malicious code into the “wp_posts” table, which stores a site’s posts, pages, and navigation menu information. Interestingly, the requests originate from three different IP addresses based in Russia.

“This code is quite simple: It uses the file_put_contents function to create a PHP script into the docroot of the website with the specified remote code execution backdoor,” security researcher Ben Martin said.

Update, WordPress users. Don’t hesitate!


It was only a matter of time, wasn’t it? The return of the ransomware! Well, it never really went away, did it? Let’s have a look at what makes this latest attack worthy of our attention.

So, this latest defence evasion tool is called “AuKill” and it’s being used by some mischievous threat actors to disable endpoint detection and response software.

The cyber-sleuths have been analysing these incidents and found that since the start of 2023, this tool has been used to deploy some ransomware strains, like the infamous Medusa Locker and LockBit.

“The AuKill tool abuses an outdated version of the driver used by version 16.32 of the Microsoft utility, Process Explorer, to disable EDR processes before deploying either a backdoor or ransomware on the target system,” Sophos researcher Andreas Klopsch said in a report published last week.

They’ve identified six different versions of this malware so far, and get this, the oldest sample goes way back to November 2022.

These sneaky cyber-baddies are using a technique called BYOVD to misuse a legitimate but outdated and exploitable driver signed by Microsoft.

That stands for Bring Your Own Vulnerable Driver. Not quite as fun of a premise as Bring Your Own Booze but oh well.

FYI, they’re also stealing or leaking certificates to gain elevated privileges and turn off security mechanisms.

It’s like they’re using a skeleton key to unlock all the doors! By using these valid but vulnerable drivers, they’re bypassing a key Windows safeguard known as Driver Signature Enforcement.

“The AuKill tool requires administrative privileges to work, but it cannot give the attacker those privileges,” Klopsch noted.

“The threat actors using AuKill took advantage of existing privileges during the attacks, when they gained them through other means.”

And this isn’t the first time these cyber-crooks have weaponized the Microsoft-signed Process Explorer driver. Back in November 2022, Sophos detailed how LockBit affiliates used an open-source tool called Backstab to terminate anti-malware processes.

And just when you thought they couldn’t get any sneakier, a malvertising campaign was spotted earlier this year that was utilising the same driver to distribute the FormBook info-stealing malware.

It never ends!


It was bound to be only a matter of time before Google threw its [white] cap (geddit?) into the ring, so to speak, with regard to the AI-assisted cybersecurity game. It follows in the footsteps of Microsoft, Samsung, and many others who’ve already launched AI security tools.

Introducing Google Workbench

Google’s cloud division has launched Security AI Workbench, which utilises generative AI models to gain a better understanding of the threat landscape.

The cybersecurity suite is powered by Sec-PaLM, a large language model fine-tuned for security use cases, to augment incident analysis, threat detection, and analytics, with the aim of countering and preventing new infections by providing trusted, relevant, and actionable intelligence.

The Security AI Workbench offers a range of AI-powered tools, including VirusTotal Code Insight and Mandiant Breach Analytics for Chronicle, to analyse potentially malicious scripts and notify customers of active breaches in their environments.

Users can interactively search, analyse, and investigate security data, similar to Microsoft’s GPT-4-based Security Copilot, to reduce mean time-to-respond and determine the full extent of events quickly. 

Let the AI security cybersecurity wars commence!

So long and thanks for reading all the phish!

Recent articles