ClickFix techniques evolve in new infostealer campaigns


The compromised sites didn’t share the same vulnerable WordPress version or plugin, suggesting that the attackers may be exploiting weak credentials or using exploits for multiple vulnerabilities.

New payloads

The DoubleDonut Loader was observed delivering a new variant of Vidar Stealer, a well-known infostealer. The variant uses a dead drop resolver technique to retrieve its command-and-control configuration, and it resolves APIs dynamically.

In addition to Vidar, two previously undocumented infostealers have been observed, one written in .NET and one in C++. Rapid7 has named these new programs Impure Stealer and VodkaStealer. Both use detection evasion techniques, including non-standard data encoding and symmetric encryption for command-and-control communications, or sandbox environment detection using system and time-based checks.


