Hackers are creating backdoor accounts and cookie files on WordPress sites running OneTone

Attacks began earlier this month after WordPress theme developer did not release a patch for a trivial bug.
Written by Catalin Cimpanu, Contributor
Image via The Creative Exchange

Hackers are actively targeting WordPress sites running the OneTone theme to exploit a vulnerability that allows them to read and write site cookies and create backdoor admin accounts.

The campaign has been going since the start of the month, and it's still underway.

The vulnerability is a cross-site scripting (XSS) bug in OneTone, a popular but now deprecated WordPress theme developed by Magee WP, available in both free and paid versions.

Vulnerability left unpatched

The XSS vulnerability allows an attacker to inject malicious code inside the theme's settings. The bug was discovered by NinTechNet's Jerome Bruandet in September last year and reported to the theme author and WordPress team.

Magee WP, whose website has not received any updates since 2018, did not release a fix. Following Magee's failure to patch, the WordPress team delisted the free version of the theme from the official WordPress repository a month later, in October 2019.

Attackers began exploiting this bug earlier this month, according to a report from GoDaddy-owned cyber-security firm Sucuri.

Sucuri experts say hackers have been using the XSS bug to insert malicious code inside the OneTone theme settings. Since the theme checks these settings before any page load, the code triggers on every page of a vulnerable site.

Stealing traffic and creating backdoor accounts

Sucuri's Luke Leal says the code has two primary functions. One is to redirect some of the site's incoming users to a traffic distribution system hosted at ischeck[.]xyz, while a second function creates backdoor mechanisms.

However, the backdoor mechanism is dormant for most users visiting the site. It only triggers when the site administrators visit the site.

The malicious code can recognize site administrators visiting the site from regular users because it looks for the presence of the WordPress admin toolbar at the top of the page, which appears only for logged-in administrators.

Image: Sucuri

Once it detects an admin-level user, the XSS-inserted malicious code performs a series of silent automated operations, leveraging the admin user's access, without their knowledge.

Leal says backdoors are created in two ways -- by adding an admin account in the WordPress dashboard (a user named system) or by creating an admin account-level cookie file on the server-side (the cookie file named Tho3faeK).

The role of the two backdoors is to grant the attacker access to the site in case the XSS code is removed from the OneTone settings, or the XSS OneTone vulnerability is fixed.

Sadly, it looks like a fix will never be available. Despite being notified last year, the company did not respond to a request for comment from Sucuri two weeks ago, and it did not respond to a similar email sent by ZDNet last week.

Attacks targeting OneTone sites are still ongoing. Two weeks ago, Sucuri reported that more than 20,000 WordPress sites were running an OneTone theme.

Today, the number has gone down to under 16,000, as site owners started migrating to other themes in light of the currently ongoing hacks.

What's in a name? These DevOps tools come with strange backstories

Editorial standards