More than 20,000 WordPress sites have been trojanized, thanks to malicious versions of premium themes and plugins
More than 20,000 WordPress sites have been trojanized, thanks to malicious versions of premium themes and plugins. The operation, as Bleeping Computer reports, counts dozens of unofficial marketplaces, likely managed by the same cybercrime source, set up specifically to provide nulled (pirated) components. Once the victim uploads one of them to the web server, the threat actor can add an administrative account and initiate the attack stages that precede ad fraud and serving exploit kits to website visitors. The distribution network has at least 30 websites, which are actively promoted. According to the cyber security experts, the network of compromised websites is significant, 20,000 being a conservative estimate since some of the tainted plugins and themes have well upwards of 125,000 views. One component, "Ultimate Support Chat," has about 700,000 views. As for victims, small and medium-sized businesses (SMBs) in various fields account for a fifth.
Prevailion: How the cybercrime hackers compromised the WordPress sites
The cybercrime hackers injected two malicious PHP files ('class.theme-module.php' and 'class.plugin-modules.php') into the WordPress components, with functions for command and control (C2) communication and for activating the malware ('wp-vcd.php'). Next, the two files delete themselves. The cyber security experts at Prevailion found that in the first stage of the attack additional code is downloaded to add a persistent cookie to a visitor's browser when they land on the compromised website from Google, Yahoo, Yandex, MSN, Baidu, Bing, or DoubleClick. The cookie is set to expire in 1,000 days and includes the referrer website and the compromised domain visited. To ensure persistence, the attackers added the WP_CD_Code from the initial loading stage to multiple files. This allowed the code to survive and maintain access even when admins deleted a file that included it.
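Because the two dropper files delete themselves while the loader code is copied into other files, a site check has to look for references to the loader as well as for the dropped files. The following scanner is an added example written for this article, not code from Prevailion or from the campaign; it assumes the file names and the WP_CD_Code marker appear literally in the copied code, and the sample site it builds is constructed for the demonstration.

```python
import os
import re
import tempfile

# File names reported as dropped by the trojanized themes and plugins.
DROPPED_FILES = {"class.theme-module.php", "class.plugin-modules.php", "wp-vcd.php"}

# Markers whose presence in any other PHP file suggests the loader was copied there
# for persistence (assumption: the names appear literally in the injected code).
LOADER_MARKERS = re.compile(
    r"wp-vcd\.php|class\.theme-module\.php|class\.plugin-modules\.php|WP_CD_Code"
)


def scan_wordpress_tree(root):
    """Walk a WordPress install and return sorted (finding_type, relative_path) pairs."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if name in DROPPED_FILES:
                findings.append(("dropped-file", rel))
                continue
            if not name.endswith(".php"):
                continue
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if LOADER_MARKERS.search(text):
                findings.append(("loader-reference", rel))
    return sorted(findings)


def build_sample_site(base):
    """Constructed sample tree: a clean theme file, a theme file carrying the copied
    loader, and one dropped file that has not yet removed itself."""
    theme = os.path.join(base, "wp-content", "themes", "sample-theme")
    os.makedirs(theme)
    os.makedirs(os.path.join(base, "wp-includes"))
    with open(os.path.join(theme, "style.php"), "w") as fh:  # clean
        fh.write("<?php echo 'hello'; ?>\n")
    with open(os.path.join(theme, "functions.php"), "w") as fh:  # copied loader
        fh.write("<?php\n// WP_CD_Code\n@include(dirname(__FILE__) . '/wp-vcd.php');\n")
    with open(os.path.join(base, "wp-includes", "wp-vcd.php"), "w") as fh:
        fh.write("<?php /* constructed placeholder, not the real malware */ ?>\n")


def run_demo():
    """Build the constructed site in a temp dir and scan it."""
    base = tempfile.mkdtemp()
    build_sample_site(base)
    return scan_wordpress_tree(base)


if __name__ == "__main__":
    for kind, rel in run_demo():
        print(f"{kind}: {rel}")
```

On a real install, every "loader-reference" hit outside the dropped files is a file to restore from a known-good copy, since deleting only the dropped files leaves the persistence in place.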
The cyber security experts: The goals are two, multi-pronged SEO to attract more victims and ad fraud to earn money
The goal of the operation, which Prevailion named "PHP's Labyrinth", is multi-pronged, search engine optimization (SEO) being one aspect. This side of the campaign aims at increasing the visibility of the WordPress sites the attacker controls in order to catch more victims. The second aspect is ad fraud: the cybercrime actor makes money from showing ads on compromised websites. The network exploited for this is the Propeller advertising service, which has been used in the past for nefarious purposes, in particular malvertising that pushed the Fallout Exploit Kit. According to the cyber security experts, the ads displayed by the threat actor were benign and earned them half a cent per click. Malicious use was also observed, though, prompting users to download adware that was likely pushing malicious software.