A new malware campaign is threatening WordPress installs, the malicious code tracked as wp-vcd hides in legitimate WordPress files and is used by attackers to add a secret admin user and gain full control over infected websites.
The malware was first spotted in July by the Italian security expert Manuel D’Orso who noticed that the malicious code was loaded via an include call for the wp-vcd.php file and injected malicious code into WordPress core files such as functions.php and class.wp.php.
The wp-vcd malware attacks continued, evolving across the months. Recently researchers from Sucuri firm discovered a new strain of this malware that injected malicious code in the legitimate files of the two the default themes “twentyfifteen” and “twentysixteen”included in the WordPress CMS in 2015 and 2016.
This is an old tactics that leverage themes files (active or not) files to hide malicious code, in the specific case the malware creates a new “100010010” admin user with the intent to establish a backdoor into the target installation.
Hackers triggered vulnerabilities in outdated plugins and themes to upload the wp-cvd malware.
“The injection, on most of the cases we found, was related to outdated software (plugins or themes). Which a simple update or using a WAF would prevent.” reads the blog post published by Sucuri.
“Code is pretty straightforward and doesn’t hide its malicious intentions by encoding or obfuscation of functions…”
Outdated and vulnerable plugins represents a privileged entry point for hackers, last week the researcher Jouko Pynnönen from Finland-based company Klikki Oy discovered several vulnerabilities in the Formidable Forms plugin the exposes websites to attacks.
The Formidable Forms plugin allows users to easily create contact pages, polls and surveys, and many other kinds of forms, it has more than 200,000 active installs.
Pynnönen discovered that the dangerous flaws affect both the free and as a paid version.
The most severe issue discovered by the expert is a blind SQL injection that can be exploited by attackers to enumerate a website’s databases and access their content, including user credentials and data submitted to a website via Formidable forms.
(Security Affairs – WordPress,Wp-Vcd Malware)