Fake WordPress plugins appear to be trending as an effective way of establishing a foothold on compromised websites.
During a recent investigation, we discovered a fake component which was masquerading as a legitimate plugin. Named SiteSpeed, it contained a lot of interesting malicious capabilities.
The malicious plugin can be used by the attacker to display ads on the website. To avoid detection and target specific website visitors, the plugin has many functions to check the user-agent, referrer, and the IP of the user accessing the page.