Wordfence experts talked about a massive WP-VCD threat aimed at hacking WordPress

Researchers at Wordfence published a report on WP-VCD, one of the largest threats to WordPress now which is responsible for infecting many sites running the popular CMS.

Let me remind you that WP-VCD has been famous since 2017, but since then the threat has become noticeably more serious.

“Despite the relatively long existence of the campaign, the Wordfence threat intelligence team has associated WP-VCD with a higher rate of new infections than any other WordPress malware every week since August 2019, and the campaign shows no signs of slowing down”, — report Wordfence specialists.

Interestingly, the attackers behind WP-VCD do not use vulnerabilities to infiltrate other people’s sites and do not install backdoors.

Instead, they rely on pirated (nulled) themes and plugins for WordPress sites that people find and download on their own. Attackers manage a whole group of sites through which they distribute malicious topics and plugins, which are usually sold in private stores or on popular sites such as ThemeForest or CodeCanyon. The list of these sites[.]download


All of these resources have excellent SEO. They occupy high positions in the search results, as with the keywords they are “helped” by all the hacked sites currently infected with WP-VCD malware. As a result, a search by the name of any popular WordPress theme, combined with the word “download”, will result in two or three malicious sites appearing at the top of Google’s search results.

“After users install malicious themes and plugins downloaded from these sites, WordPress is hacked, and in a few seconds control passes to the attackers”, – write Wordfence researchers.

So, first, the account 100010010 is added to the site, which acts as a backdoor and provides WP-VCD operators access to the resource. Then WP-VCD is added to all other topics on the site. This is done in case the user only tests pirated topics and can get rid of them soon. And finally, if the malware got to shared hosting, it seeks to spread to the base server, infecting other sites hosted on the same system.

Thus, those users who protect their systems and do not use pirated products suffer from WP-VCD, but they were not lucky to be “next door” to a less prudent administrator.

As a result, WP-VCD operators have at their disposal an impressive botnet of hacked sites, which they fully control. According to Wordfence, the grouping is currently focused on two areas. The first is the development of a botnet, which includes the addition of keywords and backlinks to infected sites. The second is the direct monetization of infected resources, which is carried out through advertising.

Read also: Hackers extorting money from Uber and LinkedIn plead guilty

WP-VCD operators advertise on hacked sites, and these ads often contain additional malicious code that sometimes opens pop-ups or redirects users to other malicious resources. For this, the group receives money from other criminals.

According to Wordfence, some of the WP-VCD operator domains were registered by a man named Sharif Mamdouh. In addition, some of these domains were also associated with attacks on sites running Joomla back in 2013. However, it is not yet clear whether this person is one of the attackers, or whether his identity was simply stolen.

William Reddy

I am from Ireland. My parents bought me a computer when I was 11, and several month after I have got a virus on this PC. I decided to enter the INSA Centre Val de Loire university after being graduated from the school. This French educational institution was offering a brand-new cybersecurity course. After getting the master degree in cybersecurity, I've started working in as virus analyst in a little anti-malware vendor. In 2018, I've decided to start Virus Removal project. The main target of this site is to help people to deal with PC viruses of any kind.

Leave a Reply

Your email address will not be published. Required fields are marked *


Back to top button