Return of the City of Cron Malware Infections on Joomla and WordPress (May 27, 2019)
Sucuri has found a persistent malware infection in a shared hosting environment. The malware first determines whether a site is Joomla or WordPress from its directory structure, then selects the matching method for infecting the site's files. Persistence comes from a backdoor cron job, which reinfects files even after they have been cleaned. The malware's working files are kept in the /tmp directory, which is rarely scanned, making them harder to detect.
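Because the cron job is what keeps reinfecting cleaned files, one place a defender can look is every crontab on the host for commands that execute out of /tmp or other world-writable scratch directories. The script below is an added example, not code from the Sucuri report or from the malware; the sample crontab entries are constructed, and the function and directory names are assumptions.

```shell
#!/bin/sh
# Constructed sample crontab (not taken from the report): one benign
# entry and two that execute from /tmp.
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/bin/php /home/site/public_html/cli/backup.php
*/5 * * * * /tmp/.x/update.sh >/dev/null 2>&1
@reboot sh /tmp/.cache/.reinfect >/dev/null 2>&1
'

# Print crontab entries (read from stdin) whose command references a
# world-writable scratch directory: /tmp, /var/tmp or /dev/shm.
# Comment and blank lines are skipped first.
flag_tmp_cron() {
    grep -v '^[[:space:]]*#' | grep -v '^[[:space:]]*$' \
      | grep -E '(^|[[:space:]/=])(/tmp|/var/tmp|/dev/shm)(/|[[:space:]]|$)'
}

# Count flagged entries in a crontab supplied on stdin.
count_tmp_cron() {
    flag_tmp_cron | wc -l | tr -d ' '
}

# Audit the live host: every user crontab (needs root to read other
# users' tables), the system crontab and /etc/cron.d, then any PHP or
# hidden files dropped into the scratch directories themselves.
audit_system_cron() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | sed "s|^|user=$u: |" | flag_tmp_cron
    done
    cat /etc/crontab /etc/cron.d/* 2>/dev/null | flag_tmp_cron
    find /tmp /var/tmp /dev/shm -type f \( -name '*.php' -o -name '.*' \) \
        2>/dev/null
}

# Stand-alone run: show the flagged sample entries.
printf '%s' "$SAMPLE_CRONTAB" | flag_tmp_cron
```

Run `audit_system_cron` as root on a suspect host; a cron entry that points into /tmp is worth investigating even when the file it names has already been deleted, since that is what reinstalls the malware.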
Recommendation: Malware authors are always innovating new methods of communicating back to their control servers. Always practice Defense in Depth (do not rely on a single security mechanism; security measures should be layered, redundant, and failsafe).
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.