Malware Distributed via Pirated WordPress Coronavirus Plugins

Malware Distributed via Pirated WordPress Coronavirus Plugins


an abstract padlock illustration

Cyber criminals actors behind the WordPress WP-VCD malware have begun distributing modified versions of Pirated WordPress Coronavirus Plugins which inject a backdoor into a website. This allows the attackers access to the website and all of it’s data whenever they want.

The WP-VCD strain of WordPress infections are usually distributed as nulled, or pirated, WordPress plugins which people try and download for free. these plugins contain malicious code that injects a backdoor into the websites theme that are installed on the website / blog.

If a WordPress site is infected by WP-VCD, the malware will attempt to compromise other sites on the same shared host and will periodically re-connect to its command & control server to receive new executing instructions.

These malicious plugins ‘ ultimate aim is to use the compromised WordPress platform to advertise popups or perform redirects that generate revenue for attackers.

Example advertisement shown by WP-VCD
Example advertisement shown by WP-VCD Source: WordFence

Pirated WordPress Coronavirus plugins spread WP-VCD

MalwareHunterTeam recently shared several examples of WordPress plugins that were being flagged on VirusTotal as ”Trojan.WordPress.Backdoor.A’.

These and other WordPress plugins found were zip files that included what appeared to be legitimate commercial plugins called “COVID-19 Coronavirus-Live Map WordPress Plugin,” Coronavirus Spread Prediction Graphs, and”Covid-19.”

Readme.txt file for a pirated plugin
Readme.txt file for a pirated plugin

After these were analyzed, it was found that all of these plugins contained a ‘class.plugin-modules.php’ file that contained malicious code and various base64 encoded strings that are commonly associated with WP-VCD plugins.

class.plugin-modules.php file
class.plugin-modules.php file Source Bleeping Computer

It will take the base64 encoded PHP code in the above-mentioned WP CD CODE variable after the plugin is enabled, and save it to the file /wp-includes / wp-vcd.php.

It then prepends code to the /wp-includes / post.php file, so that it loads wp-vcd.php automatically any time a page is loaded on the web.

Code to create wp-vcd.php file
Code to create wp-vcd.php file Source : Bleepingcomputer

The plugin will also scan for all the installed topics and add another base64 encoded PHP code to the functions.php file of each theme.

Infecting theme's functions.php file
Infecting theme’s functions.php file Source: Bleepingcomputer

How To Protect your WordPress sites from WP-VCD?

Considering that the WP-VCD malware is distributed by pirated WordPress plugins, the safest way to prevent contamination of your site is not to download any plugins from unauthorized sites.

Since plugins can be easily updated by anyone with a small amount of knowledge about PHP, downloading and installing pirated plugins is often a risky venture.

We are seeing an even greater increase in malicious campaigns in this setting, taking advantage of the Coronavirus pandemic’s fear and fears to spread malware and phishing attacks.

It is highly recommended that you only install WordPress plugins from approved sites and do not install any pirated plugins as there is a good risk of compromising your account.

Posted on