WordPress sites hit by malvertising

An old piece of malware is storming the WordPress community, enabling its perpetrators to take control of sites and inject code of their choosing.

According to WordPress security company Wordfence, which published a detailed white paper on the malware earlier this week, WP-VCD isn’t a new piece of malware. It dates back to February 2017, but it has recently become even more successful. The company says that it has topped their list of WordPress malware infections since August this year. New features have been added to the malware, but its core functions have remained the same.

The malware spreads through pirated versions of WordPress themes and plugins that the attackers distribute through a network of rogue sites.

If administrators looking for free WordPress functionality download these assets and use them in their own WordPress sites, then they’ve essentially infected their own servers.

This is an ingenious attack vector because the criminals distributing the plugins don’t have to worry about finding new exploits in WordPress code or hacking legitimate extensions. Instead, as Wordfence explains, the crooks are exploiting human greed:

The campaign’s distribution doesn’t rely on exploiting new software vulnerabilities or cracking login credentials, it simply relies on WordPress site owners seeking free access to paid software.

Once it has infected one site, the malware then installs a backdoor for its operators and communicates with its command-and-control (C2) server before spreading to others hosted in the same infrastructure. Finally, it removes the malicious code in the installed plugin to cover its tracks.

The backdoor lets the attackers update the site with new malicious code, which makes money for its criminal peddlers in two ways. First, it uses search engine poisoning techniques to manipulate search results and lure unsuspecting users to malicious sites.

Second, it pushes malicious adverts (malvertising) into the pages that victims visit, enabling the attackers either to inject rogue JavaScript into their browsers, or to redirect them to other websites.

Why has the WP-VCD WordPress malware been so effective? Wordfence explains that its attackers can use infected sites to propagate their malware:

Malvertising code is deployed to generate ad revenue from infected sites, and if the influx of new WP-VCD infections slows down, the attacker can deploy [search poisoning] code to drive up search engine traffic to their distribution sites and attract new victims.

The WP-VCD malware is tricky to clean because it injects malicious code into other files on the system, and keeps an eye on infected files to reinfect them automatically if the admin tries to clean them up.

What to do?

Naked Security’s plugin advice for WordPress administrators is:

  • Minimise the number of plugins you have. Always remove plugins if you aren’t using them any more. Keep your attack surface area as small as you can.
  • Keep your plugins up to date. Blogging software such as WordPress can keep itself updated, but you need to keep track of the plugins yourself.
  • Get rid of plugins that aren’t getting any more love and attention from their developers. Don’t stick with ‘abandonware’ plugins, because they’ll never get security fixes.
  • Learn what to look for in your logs. Know where to go to look for a record of what your web server, your blogging software and your plugins have been up to. Attacks often stand out clearly and early if you know what to look for, and if you do so regularly.

Oh, and don’t steal software.

Technically, there’s no reason why pirating software should be more dangerous than acquiring it lawfully – an exact copy is, after all, an exact copy. But the shady nature of rogue software download sites means that the only thing you can be sure of is that you’re dealing with crooks.