Experts observed a new wave of wp-vcd malware attacks targeting WordPress sites

Experts from the firm Sucuri observed a new wave of wp-vcd malware attacks that is targeting WordPress sites leveraging flaws in outdated plugins and themes

A new malware campaign is threatening WordPress installs, the malicious code tracked as wp-vcd hides in legitimate WordPress files and is used by attackers to add a secret admin user and gain full control over infected websites.

The malware was first spotted in July by the Italian security expert Manuel D’Orso who noticed that the malicious code was loaded via an include call for the wp-vcd.php file and injected malicious code into WordPress core files such as functions.php and class.wp.php.

The wp-vcd malware attacks continued, evolving across the months. Recently researchers from Sucuri firm discovered a new strain of this malware that injected malicious code in the legitimate files of the two the default themes “twentyfifteen” and “twentysixteen”included in the WordPress CMS in 2015 and 2016.

This is an old tactics that leverage themes files (active or not) files to hide malicious code, in the specific case the malware creates a new “100010010” admin user with the intent to establish a backdoor into the target installation.

Hackers triggered vulnerabilities in outdated plugins and themes to upload the wp-cvd malware.

“The injection, on most of the cases we found, was related to outdated software (plugins or themes). Which a simple update or using a WAF would prevent.” reads the blog post published by Sucuri.

“Code is pretty straightforward and doesn’t hide its malicious intentions by encoding or obfuscation of functions…”

Outdated and vulnerable plugins represents a privileged entry point for hackers, last week the researcher Jouko Pynnönen from Finland-based company Klikki Oy discovered several vulnerabilities in the Formidable Forms plugin the exposes websites to attacks.

The Formidable Forms plugin allows users to easily create contact pages, polls and surveys, and many other kinds of forms, it has more than 200,000 active installs.

Pynnönen discovered that the dangerous flaws affect both the free and as a paid version.

The most severe issue discovered by the expert is a blind SQL injection that can be exploited by attackers to enumerate a website’s databases and access their content, including user credentials and data submitted to a website via Formidable forms.

WordPress

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – WordPress,Wp-Vcd Malware)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.