The Fake “HTTP2 Basic Cache Engine” Plugin and its Variations
A sophisticated malware campaign is currently sweeping through the WordPress ecosystem. Thomas Johnson, our security researcher, identified a malicious injector deployed in the files of more than 5,000 different websites, leveraging compromised administrative credentials to install a fraudulent plugin and redirect user traffic. The same campaign was also reported by our friend Eugene Wozniak from Kinsta.
The Attack Vector: Fake "HTTP2 Basic Cache Engine" Plugin
The attack begins with unauthorized access to WordPress admin accounts. Once inside, the attackers install a plugin titled "HTTP2 Basic Cache Engine." While the name sounds like a legitimate performance optimization tool, its sole purpose is to drop a heavily obfuscated JavaScript backdoor into the site's core files and database.

How the Infection Works
1. Avoidance Logic (The "Stealth" Phase)
Before doing anything, the script checks whether it should "hide." It stops immediately if:
You are an Admin: it checks document.cookie for a wordpress_logged_in_ cookie. If you are logged in, it does nothing, so the site owner doesn't notice.

You are a Bot: it checks the userAgent for strings like bot, spider, crawl, baidu, or semrush, so that search engines and SEO crawlers don't flag the site.

The Page is Technical: it checks the URL for things like wp-admin, wp-login.php, .xml, robots.txt, or .js files. It only runs on the public frontend viewed by regular visitors.
2. The Target List (C2 Servers)
The script contains a hidden list of Base64-encoded URLs. When decoded, these are the endpoints it tries to contact:
hxxps://govearali[.]org/jsrepo?rnd=
hxxps://ligovera[.]shop/jsrepo?rnd=
hxxps://alianzeg[.]shop/jsrepo?rnd=
hxxps://getalia[.]org/jsrepo?rnd=
hxxps://ztdaliweb[.]shop/jsrepo?rnd=
3. The Payload Execution
If the "Stealth" checks pass, the script does the following:
1. Generates a request: it picks one of the URLs above and appends a random number and a timestamp (&ts=) to bypass caching.
2. Fetches external code: it uses XMLHttpRequest (AJAX) to silently download code from that external server.
3. Injects the code: it creates a new <script> element on your webpage and places the downloaded code in it (the plugin emits this loader into every page by hooking into the wp_footer hook).

4. Self-healing: If the first URL fails (e.g., the domain was taken down), it automatically tries the next one in the list.
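The loader described above keeps its C2 list in Base64 so the domains never appear in clear text. As an added example (not code from the plugin or from the researchers), the helper below decodes base64-looking strings in a file, matches both the decoded and the clear text against the C2 domains listed in the IoCs section, and flags the plugin file names reported there; the sample loader is constructed to resemble the described behaviour.

```python
import base64
import os
import re

# C2 domains from this post's IoCs section (defanged there; plain here so they can be matched).
IOC_DOMAINS = {"goveanrs.org", "govearali.org", "ligovera.shop",
               "alianzeg.shop", "getalia.org", "ztdaliweb.shop"}
# Plugin file names this post reports for the fake "cache engine" plugin.
IOC_FILENAMES = {"http2-cache-engine.php", "wpbasiccaheengine.php",
                 "cacheengine.php", "httpsd2-cache-engine.php"}
# Loose base64 token: a long run of the base64 alphabet with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decoded_b64_strings(text):
    """Yield the printable ASCII text of every base64-looking token in `text`."""
    for match in B64_TOKEN.finditer(text):
        token = match.group(0).rstrip("=")
        token += "=" * (-len(token) % 4)          # re-pad so unpadded captures still decode
        try:
            decoded = base64.b64decode(token, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue                              # not real base64, or binary: skip it
        if decoded.isprintable():
            yield decoded

def find_c2_domains(text):
    """Return the IoC domains referenced in `text`, in clear text or inside base64."""
    candidates = [text, *decoded_b64_strings(text)]
    return {dom for dom in IOC_DOMAINS for blob in candidates if dom in blob}

def is_suspicious_plugin_path(path):
    """True if the file name is one of the fake plugin file names from this post."""
    return os.path.basename(path) in IOC_FILENAMES

# Constructed sample resembling the loader: base64 C2 list plus the logged-in cookie check.
SAMPLE_LOADER = (
    'var u=["' + base64.b64encode(b"https://govearali.org/jsrepo?rnd=").decode() + '",'
    '"' + base64.b64encode(b"https://ligovera.shop/jsrepo?rnd=").decode() + '"];'
    'if(document.cookie.indexOf("wordpress_logged_in_")!==-1){throw 0;}'
)

if __name__ == "__main__":
    print(sorted(find_c2_domains(SAMPLE_LOADER)))   # ['govearali.org', 'ligovera.shop']
```

Obfuscators that split or XOR the strings before encoding will defeat the decoder, so treat a clean result as "nothing found by this check", not as proof the site is clean.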
What is the Goal?
Because this script is a "loader," the actual damage depends on what the external server sends back. Typical outcomes for this specific malware family include:
- Malicious Redirects: Sending your site visitors to scam sites or "You won an iPhone" pages.
- Ad Injection: Placing invisible ads on your site to steal revenue.
- Credential Stealing: Injecting fake login forms to steal passwords.
IoCs
The attack infrastructure relies on a specific set of domains used to host the malicious payloads. If you see outbound requests to any of the following, your site is likely compromised:
goveanrs[.]org
govearali[.]org
ligovera[.]shop
alianzeg[.]shop
getalia[.]org
ztdaliweb[.]shop
Our telemetry has traced the deployment of this fake plugin to a specific set of IP addresses.
We observed the following file paths, each a different variation of the same infection:
./http2-cache-engine/http2-cache-engine.php
./ajax-label/wpbasiccaheengine.php
./cacheengine/cacheengine.php
./wpbasiccaheengine.php (placed in different plugin folders)
./httpsd2-cache-engine/httpsd2-cache-engine.php
./profile-phpmyadmin/wpbasiccaheengine.php
Note: The specific IP addresses and domains provided above are the ones observed during the investigation. Specific, actionable IPs and domains should be validated against your threat intelligence feeds.