The WP-VCD malware is one of the most active campaigns infecting WordPress sites, according to a report by WordFence.
In a blog post, Mikey Veenstra, threat analyst at Wordfence, said the malware had a higher rate of new infections than any other WordPress malware every week since August 2019, and the campaign shows no signs of slowing down.
The malware is spread via "nulled", or pirated, plugins and themes distributed by a network of related sites. Its C2 infrastructure and self-healing infections allow attackers to maintain a persistent foothold on infected sites.
Veenstra said targets of this campaign are WordPress developers and designers seeking free downloads of paid plugins and themes. "Due to the nature of this infection, where authenticated administrators are directly uploading and activating the malware, it’s difficult to prevent site owners from infecting themselves," he added.
If a site administrator installs and activates nulled software infected with WP-VCD, a deployer script executes and immediately compromises the site. From there, the malware propagates laterally through the affected hosting environment, infecting adjacent WordPress site.
He said that sites behind WP-VCD’s distribution are typically ranked very highly when searching for WordPress themes." The campaign’s distribution doesn’t rely on exploiting new software vulnerabilities or cracking login credentials, it simply relies on WordPress site owners seeking free access to paid software," said Veenstra.
"The WP-VCD malware propagates across that site, and potentially more if present in the same hosting environment and injects backlinks into all of them. These backlinks go on to drive even more traffic to the infected nulled themes, and the cycle continues."
Veenstra said that the malware’s monetisation model is self-fulfilling. "Malvertising code is deployed to generate ad revenue from infected sites, and if the influx of new WP-VCD infections slows down, the attacker can deploy black hat SEO code to drive up search engine traffic to their distribution sites and attract new victim."
He urged WordPress site owners to not install nulled plugins and themes." If you’ve hired a developer to build a new WordPress site, ensure they are sourcing all of their content responsibly," he said.
David Kennefick, product architect at edgescan, told SC Media UK that organisations should verify plugins and themes, as well as making sure that all themes are sourced from trusted third parties.
"Themes and plugins also need to be included in third-party risk assessments. Organisations should not make the mistake of assuming that, just because they purchase software/plugins/themes, there will be a development team ready and waiting to support and patch the technology when new vulnerabilities are discovered," he said.
"Pairing verification of plugin sources and vulnerability scanning will help protect against rogue plugins and themes. While these measures may not provide a complete solution to the problem, they will give organisations much more confidence in the technology they are using."
Paul Ducklin, principal research scientist at Sophos, told SC Media UK that blog plugins can typically take control of everything you publish.
"In other words, plugins really matter!" he said. "Learn what to look for in your logs. Know where to go to look for a record of what your web server, your blogging software and your plugins have been up to. Attacks often stand out clearly if you know what to look for, and you do so regularly."