
Capoae Malware Installs a Plugin with a Backdoor on WordPress Sites
During cyberattacks on WordPress installations, a new type of malware for mining cryptocurrencies was discovered.
Cybersecurity experts have named the malware “Capoae.” It is written in the Go programming language, which has become popular among attackers due to its simple reusable cross-platform code running on Windows XNUMX, Linux, macOS, and Android.
Chinese hackers have already attacked Linux. Find the details here.
How does the malware work?
Capoae malware follows web servers and tries to exploit several known vulnerabilities to obtain credentials and permissions.

The latest Capoae malware campaign targets two major vulnerabilities:
- CVE-2020-14882 — affects legacy versions of Oracle WebLogic Server and leads to remote code execution (RCE).
- CVE-2018-20062 — affects ThinkPHP, and also allows attackers to execute remote code.
Apart from these known exploits, the criminals behind Capoae malware also use brute force to target servers with unreliable credentials.
In one of the vulnerable systems, the payload was delivered using a malicious plugin that the attackers installed thanks to stolen credentials. Additionally, a faulty add-on, called Download-monitor, affects the installation of WordPress.
Learn more about malware and its main types here.
Capoae malware features
The purpose of this threat is to deploy a payload that brings a modified copy of the XMRig cryptocurrency miner. This particular software is the favorite among cybercriminals who seek to perform cryptojacking operations. It uses the resources of the infected server to mine the Monero cryptocurrency.
However, resetting the miner is not the end of the attack. Capoae Malware also deploys web shells that give the attacker more control over the server. Criminals can use infected web servers and WordPress installations to scan the internet in search of new potential victims.
To protect yourself from Capoae malware, you need to use reliable security features as well as reliable credentials. Of course, installing the latest updates for all software connected to the internet is also a must to reduce the risk of attacks.
New tactics
Larry Cashdollar, an experienced vulnerability specialist, shared details about Capoae, which is especially interesting because it uses a lot of vulnerabilities to occupy a niche in WordPress installations and intelligently reuse them for mining cryptocurrencies using the software.

Cashdollar has captured Capoae with bait to attract PHP malware. The malware infiltrated the server, brute-forcing the pathetic WordPress admin credentials to install a corrupted WordPress plugin called Download-monitor as a backdoor.
Having studied the logs of access to the baits and the malware itself, the scientist was able to determine its attack mode.
This analysis showed that Capoae used at least four different hidden code execution vulnerabilities (RCE) in Oracle WebLogic Server, one in ThinkPHP, and some in Jenkins.
After detecting the new malware, Cashdollar asks every WordPress administrator to check for the intensive use of system resources on their servers, unrecognizable system processes and registry entries, or controversial tools such as suspicious files and SSH keys, which are more common signs of intrusion.
“The good news is that exactly the same methods are used here that we advise most organizations to ensure the security of systems and networks. Do not use weak credentials or default credentials for servers or embedded applications. Be sure to update these embedded applications with the latest security fixes and check them several times,” concludes Cashdollar.
If you’ve missed 10 cybersecurity myths, you can find them here.