Researchers at Wordfence have published a report on WP-VCD, one of the most serious threats to WordPress at the moment, which is responsible for infecting most sites running the popular CMS. Let me remind you that WP-VCD has been known since 2017, but since then the threat has become noticeably more serious.
Interestingly, the attackers behind WP-VCD do not exploit vulnerabilities to get into other people’s sites and do not break in to plant backdoors. Instead, they rely on pirated (“nulled”) WordPress themes and plugins that victims find and download on their own. The attackers run a whole network of sites through which they distribute malicious copies of themes and plugins that are normally sold in private stores or on popular marketplaces such as ThemeForest or CodeCanyon. Wordfence’s report names the distribution sites involved.
All of these resources have excellent SEO. They occupy high positions in search results because their keywords are “helped” along by backlinks from all the sites currently infected with the WP-VCD malware. As a result, a search for the name of any popular WordPress theme combined with the word “download” brings two or three of the malicious sites to the top of Google’s results.
Once a user installs a malicious theme or plugin downloaded from one of these sites, the WordPress installation is compromised, and within a few seconds control passes to the attackers.
First, an account named 100010010 is added to the site; it acts as a backdoor and gives the WP-VCD operators access to the resource. Next, WP-VCD is injected into every other theme on the site, in case the user was only trying out the pirated theme and removes it soon afterwards. Finally, if the malware lands on shared hosting, it tries to spread across the server and infect other sites hosted on the same system. Thus even users who protect their systems and never use pirated products can fall victim to WP-VCD simply because they were unlucky enough to be “next door” to a less prudent administrator.
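As an added defender-side check (not code from Wordfence or from this article), the following Python script looks for the two traits just described on a WordPress install: the 100010010 account, and one identical code-loading line copied into every theme. The assumption that the injection lands in each theme’s functions.php, the loader line and the sample data are all constructed for the example.

```python
"""Checks for the two WP-VCD traits the report describes: a rogue admin
account and one injected block copied into every installed theme.
Added example; the file layout and sample data below are constructed."""
import re
from collections import Counter

BACKDOOR_USER = "100010010"  # account name given in the report
# Lines that load or decode code are the ones worth comparing across themes.
SUSPICIOUS = re.compile(r"\b(include|include_once|require|require_once|eval|base64_decode)\b")


def rogue_accounts(users):
    """users: iterable of (login, role). Returns logins matching the known backdoor name."""
    return sorted(login for login, _role in users if login == BACKDOOR_USER)


def suspicious_lines(source):
    """Distinct code-loading lines in one theme's functions.php source."""
    return {line.strip() for line in source.splitlines() if SUSPICIOUS.search(line)}


def shared_injections(themes):
    """themes: {theme_name: functions.php source}. Returns code-loading lines that
    appear verbatim in every theme. Unrelated themes rarely share such a line,
    whereas WP-VCD copies the same loader into each theme on the site."""
    if len(themes) < 2:
        return []
    counts = Counter()
    for src in themes.values():
        counts.update(suspicious_lines(src))
    return sorted(line for line, n in counts.items() if n == len(themes))


# Constructed sample data (assumption: stands in for wp_users and the themes directory).
SAMPLE_USERS = [("admin", "administrator"), ("editor1", "editor"), ("100010010", "administrator")]
LOADER = "if (file_exists(dirname(__FILE__) . '/loader.php')) include_once(dirname(__FILE__) . '/loader.php');"
SAMPLE_THEMES = {
    "nulled-theme": "<?php\n" + LOADER + "\nrequire_once get_template_directory() . '/inc/setup.php';\n",
    "twentynineteen": "<?php\n" + LOADER + "\nfunction tn_setup() {}\n",
    "child-theme": "<?php\n" + LOADER + "\n",
}

if __name__ == "__main__":
    print("rogue accounts:", rogue_accounts(SAMPLE_USERS))
    print("loader lines shared by every theme:", shared_injections(SAMPLE_THEMES))
```

On a real install, feed it the logins from wp_users and the contents of each theme’s functions.php; a line reported by shared_injections is worth inspecting by hand, since a child theme legitimately loading its parent would not appear in unrelated themes.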
As a result, the WP-VCD operators have at their disposal an impressive botnet of hacked sites under their full control. According to Wordfence, the group is currently focused on two areas. The first is growing the botnet, which includes adding keywords and backlinks to infected sites. The second is the direct monetization of infected resources through advertising.
WP-VCD operators advertise on hacked sites, and these ads often contain additional malicious code that sometimes opens pop-ups or redirects users to other malicious resources. For this, the group receives money from other criminals.
According to Wordfence, some of the WP-VCD operator domains were registered by a man named Sharif Mamdouh. In addition, some of these domains were also associated with attacks on sites running Joomla back in 2013. However, it is not yet clear whether this person is one of the attackers, or whether his identity was simply stolen.