Warning for WordPress Admins: Fake Cache Plugin Steals Logins

A new malware campaign is targeting WordPress administrators using a fake caching plugin to steal login credentials and compromise website security. 

Fake Plugin Disguised as “wp-runtime-cache” 

Security researchers discovered the plugin “wp-runtime-cache,” which appears legitimate but is actually a credential-stealing tool. Unlike standard caching plugins that contain multiple files, this malicious version includes only a single file: wp-runtime-cache.php. 

Several warning signs distinguish it from genuine plugins. It lacks descriptions, author information, and URLs—details typically present in legitimate software. The code is packed with obfuscated base64 strings and oddly named variables like woocomHeic0971, pbes2PITR0339, and the notably suspicious infiltrateDocumentStore0460. 

Credential Theft on Admin Login 

The plugin hooks into WordPress with add_action('wp_login', 'octopusJson50286', 10, 2), so its handler runs on every login. It targets users with elevated privileges by checking for the admin (manage_options) and editor (edit_pages) capabilities; the capability names are stored base64-encoded in the code.

When a targeted user logs in, the plugin collects the username, password, and capability data, then transmits it to a remote server via wp_remote_post. The destination URL, decoded from base64, is https://woocommerce-check.com/report-to.

This malicious domain was registered in October 2024 with mismatched registration details that suggest possible fraud: an Arkansas address listed alongside a Hong Kong phone code.

Persistence and Evasion Tactics 

To avoid detection, the plugin hides itself from the admin dashboard by using add_action('pre_current_active_plugins', 'pbes2PITR0339'). It also includes a hardcoded bypass hash, WsXZjIFxgnLnC5V, likely used by attackers to manage the infection without revealing the plugin to site administrators. 
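The traits described above (a single-file plugin, missing header fields, base64 literals, oddly numbered identifiers, a wp_login hook paired with wp_remote_post, and a pre_current_active_plugins hook that hides the plugin from the dashboard) can all be checked from the filesystem. The scanner below is an added example written for this article, not code from the researchers or from any vendor; the two plugin samples it builds in a temporary directory are constructed stand-ins (the "fake" one only mirrors the indicators named in the text and carries no credential-stealing logic), and the base64 literals in it decode to the capability name and a placeholder URL, not to the real exfiltration address. Run it against wp-content/plugins from a shell rather than trusting the dashboard list, since the plugin removes itself from that list.

```python
"""Heuristic scan of WordPress plugin directories for the indicators the
article attributes to the fake "wp-runtime-cache" plugin.
Added example; the sample plugins below are constructed, not real samples."""
import os
import re
import tempfile

# Header fields a legitimate plugin's main file normally declares.
EXPECTED_HEADERS = ("Plugin Name", "Description", "Author", "Plugin URI")
# Hooks named in the article: credential capture on login, dashboard hiding.
SUSPICIOUS_HOOKS = ("wp_login", "pre_current_active_plugins")

HEADER_RE = re.compile(r"/\*.*?\*/", re.S)                       # first comment block
B64_CALL_RE = re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{12,}['\"]\s*\)")
# Word fragment glued to a 4-5 digit suffix, e.g. woocomHeic0971 (heuristic).
ODD_NAME_RE = re.compile(r"\b\w*[A-Za-z]{4,}[0-9]{4,5}\b")


def hook_re(name):
    return re.compile(r"add_action\s*\(\s*['\"]" + re.escape(name) + r"['\"]")


def scan_plugin_dir(path):
    """Return a list of indicator strings for the plugin directory at `path`."""
    findings = []
    files = sorted(f for f in os.listdir(path) if not f.startswith("."))
    php_files = [f for f in files if f.endswith(".php")]
    if len(files) == 1 and php_files:
        findings.append("single-file plugin")
    for name in php_files:
        with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
            src = fh.read()
        m = HEADER_RE.search(src)
        header = m.group(0) if m else ""
        missing = [h for h in EXPECTED_HEADERS if h + ":" not in header]
        if missing:
            findings.append(f"{name}: missing header fields {', '.join(missing)}")
        for hook in SUSPICIOUS_HOOKS:
            if hook_re(hook).search(src):
                findings.append(f"{name}: hooks {hook}")
        if hook_re("wp_login").search(src) and "wp_remote_post" in src:
            findings.append(f"{name}: wp_login hook plus wp_remote_post "
                            "(possible credential exfiltration)")
        b64 = B64_CALL_RE.findall(src)
        if b64:
            findings.append(f"{name}: {len(b64)} base64_decode() literal(s)")
        # Strip the base64 calls first so encoded blobs are not mistaken for names.
        odd = sorted(set(ODD_NAME_RE.findall(B64_CALL_RE.sub("", src))))
        if odd:
            findings.append(f"{name}: oddly named identifiers {', '.join(odd)}")
    return findings


# Constructed stand-in that reproduces only the indicators, not the payload.
FAKE_PLUGIN = r"""<?php
/*
Plugin Name: WP Runtime Cache
*/
function woocomHeic0971($s) { return base64_decode($s); }
function pbes2PITR0339() { /* would remove this plugin from the dashboard list */ }
add_action('wp_login', 'octopusJson50286', 10, 2);
add_action('pre_current_active_plugins', 'pbes2PITR0339');
function octopusJson50286($login, $user) {
    $cap = base64_decode('bWFuYWdlX29wdGlvbnM=');               // "manage_options"
    $url = base64_decode('aHR0cHM6Ly9leGFtcGxlLmludmFsaWQv');   // placeholder URL
    if (user_can($user, $cap)) { wp_remote_post($url, array()); }
}
"""

# Constructed stand-in for a normal caching plugin with a complete header.
LEGIT_PLUGIN = r"""<?php
/*
Plugin Name: Example Cache
Plugin URI: https://example.invalid/cache
Description: Constructed stand-in for a normal caching plugin.
Author: Example Dev
*/
add_action('init', 'example_cache_init');
function example_cache_init() { /* ... */ }
"""


def build_sample_tree():
    """Create a temporary wp-content/plugins-style tree holding both samples."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    layout = {
        "wp-runtime-cache": {"wp-runtime-cache.php": FAKE_PLUGIN},
        "example-cache": {"example-cache.php": LEGIT_PLUGIN,
                          "readme.txt": "=== Example Cache ===\nConstructed readme.\n"},
    }
    for dirname, files in layout.items():
        d = os.path.join(root, dirname)
        os.makedirs(d)
        for fname, body in files.items():
            with open(os.path.join(d, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
    return root


def scan_plugins_root(root):
    """Scan every plugin directory under `root`; returns {dirname: findings}."""
    return {d: scan_plugin_dir(os.path.join(root, d))
            for d in sorted(os.listdir(root)) if os.path.isdir(os.path.join(root, d))}


def run_demo():
    return scan_plugins_root(build_sample_tree())


if __name__ == "__main__":
    for plugin, findings in run_demo().items():
        print(plugin, "->", findings or "no indicators")
```

Point scan_plugins_root at the real wp-content/plugins directory to get the same report for a live site; each finding is a heuristic, so a hit means "review this plugin", not "this is malware". A legitimate plugin that triggers only the odd-name or base64 rule is common; the combination of a wp_login hook, an outbound wp_remote_post and a pre_current_active_plugins hook in one file is the pattern worth escalating.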

Recommended Defenses 

To mitigate risks, administrators should: 

  • Conduct regular server-side malware scans to detect unauthorized uploads. 
  • Enable two-factor authentication or IP restrictions on login pages. 
  • Rotate WordPress salts in wp-config.php after any suspected breach to secure password hashes. 
  • Perform regular reviews of installed plugins and ensure passwords are strong and updated. 
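For the salt-rotation step, the following is an added example (not from the article) that rewrites the eight standard secret-key and salt define() lines in wp-config.php with fresh 64-character values generated by Python's secrets module. Rotating these keys invalidates every existing WordPress authentication cookie and nonce, so any session an attacker captured stops working and all users must log in again. The wp-config.php fragment it operates on is constructed; the function assumes the stock define( 'KEY', 'value' ); layout and refuses to proceed if any key is missing or duplicated.

```python
"""Rotate the WordPress secret keys and salts in wp-config.php.
Added example; the sample config below is constructed."""
import re
import secrets

SALT_KEYS = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
# Printable ASCII without space, single quote and backslash, so a value can
# sit inside a single-quoted PHP string literal without escaping.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")

# Constructed wp-config.php fragment still carrying WordPress's placeholders.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
"""


def new_salt(length=64):
    """Cryptographically random salt drawn from ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def define_re(key):
    # Matches define( 'KEY', '<value>' ); assumes the value has no single quote.
    return re.compile(r"define\(\s*'" + re.escape(key) + r"'\s*,\s*'([^']*)'\s*\);")


def extract_salts(config_text):
    """Return {key: current value} for every salt define() present."""
    found = {}
    for key in SALT_KEYS:
        m = define_re(key).search(config_text)
        if m:
            found[key] = m.group(1)
    return found


def rotate_salts(config_text):
    """Return config_text with all eight salt lines replaced by fresh values."""
    out = config_text
    for key in SALT_KEYS:
        fresh = f"define( '{key}', '{new_salt()}' );"
        # A callable replacement keeps re from interpreting backslashes or \1 in the value.
        out, n = define_re(key).subn(lambda _m, s=fresh: s, out)
        if n != 1:
            raise ValueError(f"expected exactly one define() for {key}, found {n}")
    return out


def rotate_config_file(path):
    """Rewrite wp-config.php in place, keeping the previous copy as path + '.bak'."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    rotated = rotate_salts(original)          # validate before touching the file
    with open(path + ".bak", "w", encoding="utf-8") as fh:
        fh.write(original)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(rotated)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        rotate_config_file(sys.argv[1])
    else:
        print(rotate_salts(SAMPLE_CONFIG))
```

Run it with the path to wp-config.php as the only argument; without an argument it prints the rotated constructed sample. Delete the .bak copy once the site is confirmed working, since it still holds the old keys, and pair the rotation with a password reset for every administrator and editor account, because new salts do not change the stolen passwords themselves.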

Maintaining strict security practices is crucial to prevent such advanced threats from compromising WordPress websites. 
