Wordfence experts talked about a massive WP-VCD threat aimed at hacking WordPress

Researchers at Wordfence published a report on WP-VCD, one of the largest threats to WordPress now which is responsible for infecting many sites running the popular CMS.

Let me remind you that WP-VCD has been famous since 2017, but since then the threat has become noticeably more serious.

“Despite the relatively long existence of the campaign, the Wordfence threat intelligence team has associated WP-VCD with a higher rate of new infections than any other WordPress malware every week since August 2019, and the campaign shows no signs of slowing down”, — report Wordfence specialists.

Interestingly, the attackers behind WP-VCD do not use vulnerabilities to infiltrate other people’s sites and do not install backdoors.

Instead, they rely on pirated (nulled) themes and plugins for WordPress sites that people find and download on their own. Attackers manage a whole group of sites through which they distribute malicious topics and plugins, which are usually sold in private stores or on popular sites such as ThemeForest or CodeCanyon. The list of these sites includes:www.download-freethemes[.]download

www.downloadfreethemes[.]co
www.downloadfreethemes[.]space
www.downloadnulled[.]pw
www.downloadnulled[.]top
www.freenulled[.]top
www.nulledzip[.]download
www.themesfreedownload[.]net
www.themesfreedownload[.]top
www.vestathemes[.]com

All of these resources have excellent SEO. They occupy high positions in the search results, as with the keywords they are “helped” by all the hacked sites currently infected with WP-VCD malware. As a result, a search by the name of any popular WordPress theme, combined with the word “download”, will result in two or three malicious sites appearing at the top of Google’s search results.

“After users install malicious themes and plugins downloaded from these sites, WordPress is hacked, and in a few seconds control passes to the attackers”, – write Wordfence researchers.

So, first, the account 100010010 is added to the site, which acts as a backdoor and provides WP-VCD operators access to the resource. Then WP-VCD is added to all other topics on the site. This is done in case the user only tests pirated topics and can get rid of them soon. And finally, if the malware got to shared hosting, it seeks to spread to the base server, infecting other sites hosted on the same system.

Thus, those users who protect their systems and do not use pirated products suffer from WP-VCD, but they were not lucky to be “next door” to a less prudent administrator.

As a result, WP-VCD operators have at their disposal an impressive botnet of hacked sites, which they fully control. According to Wordfence, the grouping is currently focused on two areas. The first is the development of a botnet, which includes the addition of keywords and backlinks to infected sites. The second is the direct monetization of infected resources, which is carried out through advertising.

Read also: Hackers extorting money from Uber and LinkedIn plead guilty

WP-VCD operators advertise on hacked sites, and these ads often contain additional malicious code that sometimes opens pop-ups or redirects users to other malicious resources. For this, the group receives money from other criminals.

According to Wordfence, some of the WP-VCD operator domains were registered by a man named Sharif Mamdouh. In addition, some of these domains were also associated with attacks on sites running Joomla back in 2013. However, it is not yet clear whether this person is one of the attackers, or whether his identity was simply stolen.
Exit mobile version