During a recent investigation into a compromised eCommerce website, a suspicious file modification was detected that coincided with the introduction of malware into the system. A file associated with WordFence, a popular security plugin for WordPress, had its size increased by a mere 39 bytes. An initial review did not reveal any obvious backdoor, which is commonly expected with such minor changes.
To pinpoint the exact modifications, a fresh copy of the WordFence plugin was downloaded for manual comparison. The team found that only two lines had been added to the file.

The first line, "@chmod(__FILE__, 0444);", changed the file's own permissions to read-only, preventing any further changes or updates. The second addition was a single "continue;" statement, strategically placed within a while loop that processes each file on the filesystem during a scan. Because "continue" jumps straight to the next iteration, the rest of the loop body never ran, effectively preventing the WordFence scanner from examining any files. This enabled the criminals to load malicious code elsewhere on the site without triggering an alert in WordFence.
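A minimal file-change review of the kind this incident calls for, added here as an example (it is not Foregenix's or Wordfence's code). The two PHP strings are constructed stand-ins for a plugin scan loop, not the plugin's real source; the "modified" copy carries the two additions described above, and the review lists every added line and flags the two patterns.

```python
import difflib
import hashlib
import re

# Constructed stand-in for a plugin scan loop (not Wordfence's real source);
# the modified copy carries the two additions the article describes.
PRISTINE = """<?php
function scanFiles($files) {
    while (($file = array_shift($files)) !== null) {
        if (isSuspicious($file)) {
            reportFinding($file);
        }
    }
}
"""
MODIFIED = """<?php
@chmod(__FILE__, 0444);
function scanFiles($files) {
    while (($file = array_shift($files)) !== null) {
        continue;
        if (isSuspicious($file)) {
            reportFinding($file);
        }
    }
}
"""
# Additions worth flagging in a tiny diff to a security plugin's own code.
SUSPICIOUS = [
    (re.compile(r"chmod\s*\(\s*__FILE__"), "file makes itself read-only"),
    (re.compile(r"^\s*(continue|return|break)\s*;\s*$"), "bare flow control inserted"),
]

def sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()

def review_change(pristine, modified):
    """Compare a known-good copy with the deployed file: the hash change is the
    alert, and every added line is listed so a 39-byte delta is not waved off."""
    diff = difflib.unified_diff(pristine.splitlines(), modified.splitlines(),
                                lineterm="", n=0)
    added = [line[1:] for line in diff
             if line.startswith("+") and not line.startswith("+++")]
    flags = [(text.strip(), why) for text in added
             for pattern, why in SUSPICIOUS if pattern.search(text)]
    return {
        "size_delta": len(modified.encode()) - len(pristine.encode()),
        "hash_changed": sha256(pristine) != sha256(modified),
        "added_lines": added,
        "flags": flags,
    }
```

Calling review_change(PRISTINE, MODIFIED) reports a 42-byte growth, a changed hash, and both added lines flagged; the size delta alone would look as harmless as the 39 bytes in the real incident.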

This incident underscores the importance of File Integrity Monitoring (FIM). Such subtle modifications might appear harmless and would likely evade detection by traditional malware scanners.
However, with ThreatView Advanced, forensic-level analytics are built into the technology, enabling a full file change review within seconds. As an example, here is a screenshot of a change comparison of code within a file with malware inserted:

Article by Bhavin Patel, Foregenix Threat Intelligence Group