A threat actor has infected more than 20,000 WordPress sites by running the same trick for at least three years: distributing trojanized versions of premium WordPress themes and plugins.

The operation relies on dozens of unofficial marketplaces, likely managed by the same actor, set up specifically to provide nulled (pirated) WordPress components.

Once the victim uploads a compromised component to the web server, the threat actor can add an administrative account and start the attack stages that lead to ad fraud and to serving exploit kits to website visitors.

The distribution network has at least 30 websites, listed at the end of the article, that are actively promoted. The network of compromised websites is significant, and 20,000 is a conservative estimate, since some of the tainted plugins and themes have well over 125,000 views. One component, "Ultimate Support Chat," has about 700,000 views.

As for victims, small and medium-sized businesses in various fields account for a fifth. Some of the more prominent are:

  • a decentralized crypto-mining website
  • a U.S. based stock trading firm
  • a small U.S. based bank
  • a government run petro/chemical organization
  • a U.S. based insurance company
  • a large U.S. based manufacturer
  • a U.S. payment card solution organization
  • a U.S. based IT services organization

Behind the takeover is the WP-VCD malware that has been documented in security reports since February 2017 and reported by users on various support forums.

The attackers injected two malicious PHP files ('class.theme-module.php' and 'class.plugin-modules.php') into the WordPress components. These files carry the functions for command and control (C2) communication and are responsible for activating the malware ('wp-vcd.php'). Once that is done, the two files delete themselves.

Researchers at security intelligence company Prevailion found that, in the first stage of the attack, additional code is downloaded to add a persistent cookie to a visitor's browser when they land on the compromised website from Google, Yahoo, Yandex, MSN, Baidu, Bing, or DoubleClick.

The cookie is set to expire in 1,000 days and includes the referrer website and the compromised domain visited.

"Once the cookie was attached to the end-user, their IP address is added to a list that lives in the file called 'wp-feed.php'," Prevailion says in a report today.

To ensure persistence, the attackers added the WP_CD_Code from the initial loading stage to multiple files. This allowed the code to survive and maintain access even when admins deleted a file that included it.
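A defender-side sweep for the artifacts the report names, written as an added example (not code from the article or from Prevailion): it walks a WordPress tree and flags the two loader files, 'wp-vcd.php' and 'wp-feed.php' by name, and any PHP file carrying the WP_CD_Code marker or an include of the loader, which is how the copies planted for persistence show up. The sample site layout it builds is constructed for the demonstration.

```python
"""Added example: scan a WordPress tree for WP-VCD file names and markers."""
import re
import tempfile
from pathlib import Path

# File names the report ties to WP-VCD.
SUSPECT_NAMES = {"class.theme-module.php", "class.plugin-modules.php",
                 "wp-vcd.php", "wp-feed.php"}
# Byte patterns: the WP_CD_Code marker copied into many files for
# persistence, and includes of the loader file.
MARKERS = [("WP_CD_Code marker", re.compile(rb"WP_CD_Code")),
           ("include of wp-vcd.php", re.compile(rb"wp-vcd\.php"))]


def scan_tree(root):
    """Return sorted (relative_path, [reasons]) for every flagged PHP file."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        reasons = []
        if path.name in SUSPECT_NAMES:
            reasons.append("suspect filename")
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip it rather than abort the sweep
        for label, pat in MARKERS:
            if pat.search(data):
                reasons.append(label)
        if reasons:
            findings.append((path.relative_to(root).as_posix(), reasons))
    return sorted(findings)


def build_sample_tree(base=None):
    """Write a constructed (fake) WordPress layout for testing the sweep."""
    base = Path(base or tempfile.mkdtemp())
    theme = base / "wp-content" / "themes" / "nulled-theme"
    theme.mkdir(parents=True)
    (theme / "style.php").write_text("<?php echo 'clean'; ?>\n")  # no indicator
    (theme / "class.theme-module.php").write_text(      # loader named as reported
        "<?php /* constructed */ include('wp-vcd.php'); ?>\n")
    (theme / "functions.php").write_text(               # persistence marker copy
        "<?php /* constructed */ if (!defined('WP_CD_Code')) {} ?>\n")
    return base


if __name__ == "__main__":
    for rel, why in scan_tree(build_sample_tree()):
        print(rel, "->", "; ".join(why))
```

Run it against a real install as `scan_tree('/path/to/wordpress')`; a hit on the marker in several unrelated files is the persistence pattern the report describes, so clean all of them, not just the first one found.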

The attackers use 13 domains for command and control, although some of them are just redirects.


The objective of the operation, which Prevailion named 'PHP's Labyrinth,' is multi-pronged, with search engine optimization (SEO) being one aspect. This side of the campaign aims to increase the visibility of the sites the attacker controls in order to ensnare more victims.

Ad fraud is another facet of the campaign. The attackers rely on a modified version of a publicly available script (https://chevereto.com/community/threads/how-to-add-anti-adblock-code-php.8457/) that disables ad-blocking software in the browser. This tactic has been in use since at least September 2019.

The attacker makes money from showing ads on compromised websites. The network used for this is the Propeller advertising service, which has been used in the past for nefarious purposes, in particular malvertising that pushed the Fallout Exploit Kit.

According to Prevailion, the ads displayed by the threat actor were benign and earned them half a cent per click. Malicious use was also observed, though: some ads prompted users to download adware that was likely pushing malicious software.

List of websites distributing compromised WordPress themes and plugins:

