SiteLock has identified a new double-threat malware called Tusayan that not only grants administrative privileges to the hacker, but also exposes the victim’s files publicly on the web.
The attacker starts by injecting IndoXploit Shell, which is normally used to deface a website. In this case, the malware uses the shell kit to snatch the configuration files of the content management system (CMS) under attack and save them to a plain text file, SiteLock reported.
“While these text files may seem innocuous, they contain sensitive credentials that a hacker could use to access CMS-connected databases on target hosting accounts,” wrote SiteLock researcher Logan Kipp.
So far, SiteLock has identified the WordPress, Joomla and Magento content management systems as being vulnerable.
The code manages to stay hidden from many security programs, Kipp noted, suggesting that cybersecurity teams manually add this piece of code to their security programs so they can identify an attack.
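A defender-side check for the behaviour described above, as an added example that is not SiteLock's signature or code from the original article: it walks a web root and flags plain text files containing strings that normally appear only in WordPress, Joomla or Magento configuration files. The marker patterns, function names and sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Strings that normally appear only inside CMS configuration files.
# These patterns are this example's assumptions, not SiteLock's signature.
CONFIG_MARKERS = {
    "WordPress": re.compile(rb"define\(\s*['\"]DB_PASSWORD['\"]"),
    "Joomla": re.compile(rb"class\s+JConfig\b"),
    "Magento": re.compile(rb"<crypt>\s*<key>|'crypt'\s*=>"),
}

def find_exposed_configs(webroot, max_bytes=1_000_000):
    """Return sorted (relative_path, cms) pairs for .txt files holding CMS config data."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if not name.lower().endswith(".txt"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(max_bytes)
            except OSError:
                continue  # unreadable file, nothing to inspect
            for cms, marker in CONFIG_MARKERS.items():
                if marker.search(data):
                    hits.append((os.path.relpath(path, webroot), cms))
    return sorted(hits)

def demo():
    """Scan a constructed web root (sample files built for this example)."""
    samples = {
        "readme.txt": b"Thanks for installing the theme.\n",
        "cache/a1.txt": b"<?php\ndefine( 'DB_PASSWORD', 'constructed-value' );\n",
        "tmp/b2.txt": b"<?php\nclass JConfig {\n  public $password = 'constructed';\n}\n",
        "wp-config.php": b"<?php\ndefine('DB_PASSWORD', 'constructed-value');\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(body)
        return find_exposed_configs(root)

if __name__ == "__main__":
    for path, cms in demo():
        print(f"{cms} config data in web-readable text file: {path}")
```

The legitimate `wp-config.php` in the sample tree is not reported because only `.txt` files are inspected; any hit means the database credentials in that file should be treated as disclosed and rotated.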