The NCSC has observed a number of WordPress websites which appear to be compromised. These compromises match the Tactics, Techniques and Procedures used in order to distribute SolarMarker malware.

SolarMarker has two major capabilities, it installs a backdoor or an infostealer as soon as the victim runs the payload. Both SolarMarker’s modules can damage organisations as the backdoor can be leveraged by an attacker to deploy additional malware or steal sensitive information. The threat actors behind this malware have been observed primarily delivering payloads via two methods:

1. Google Groups pages
2. In this case, compromised WordPress websites are used. The malicious download lures are uploaded through the Formidable plugin with the following path "/wpcontent/uploads/formidable/*.pdf", which is the default file uploads page

These compromised WordPress websites are hosting a number of malicious files which may be used during the SolarMarker infection process. If you are hosting a website that uses WordPress and in particular WordPress websites that use the Formidable plugin.

Please check your systems to ensure that compromise of your system has not occurred. 

More information is available in a document issued by the NCSC: https://www.ncsc.gov.ie/pdfs/SolarMarker-WordPress-Compromise.pdf