A website offering free nulled themes for download

A WordPress malware campaign that recently picked up steam last month is now using nulled (pirated) premium themes to infect new victims.

According to Sucuri security researcher Denis Sinegubko, the wp-vcd malware is now preinstalled inside pirated WordPress premium themes offered for download for free on some sites known for providing nulled scripts, themes, and plugins for various CMS platforms.

This particular malware — wp-vcd — works by adding a secret admin user to the site's backend, with the username "100010010." Attackers use this backdoor account to open connections to infected websites so attackers can carry out scripted attacks at later dates.

wp-vcd used to inject spam on infected sites

Sinegubko says that since Sucuri saw a resurgence of the wp-vcd malware in late November, attackers have used wp-vcd backdoor accounts to insert spam on infected sites.

Some of these spam messages also led users back to the websites offering the nulled themes, helping wp-vcd authors propagate their malware and expand their network of hacked sites.

wp-vcd easy to spot inside nulled themes

The Sucuri expert points out that it's trivial to recognize nulled themes that come with the wp-vcd malware.

"All original [theme] files have one date, but two files have a different, more recent date," he says. The two files are functions.php and class.theme-modules.php, two files that wp-vcd has historically infected since mid-July this year when an Italian researcher first spotted the malware.

"If you check those files, you’ll notice that functions.php has this line of code at the top," says Sinegubko, pointing to:

< ? php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ? >

Similarly, the class.theme-modules.php file mentioned above holds a large block of Base64-encoded text, that's quite easy to spot right at the top of the file's code.

While some WordPress themes can be expensive for some users, site operators should always keep in mind that if they're not paying for the product, they are the product.