Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

WP-VCD: The Malware You Installed On Your Own Site

This entry was posted in Research, WordPress Security on November 4, 2019 by Mikey Veenstra   9 Replies

One of the most prevalent malware infections facing the WordPress ecosystem in recent weeks is a campaign known as WP-VCD. Despite the relatively long existence of the campaign, the Wordfence threat intelligence team has associated WP-VCD with a higher rate of new infections than any other WordPress malware every week since August 2019, and the campaign shows no signs of slowing down.

In today’s post, we are publishing a comprehensive whitepaper analyzing WP-VCD. This whitepaper contains the full details of our research efforts into this prevalent campaign. It is intended as a resource for threat analysts, security researchers, WordPress developers and administrators, and anyone else interested in tracking or preventing the behavior associated with WP-VCD.

WP-VCD In Brief

The WP-VCD infection itself is spread via “nulled”, or pirated, plugins and themes distributed by a network of related sites, and it’s remarkable in the way it propagates once deployed. Behind the scenes, extensive command and control (C2) infrastructure and self-healing infections allow attackers to maintain a persistent foothold on these infected sites.

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474'))
	{
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
	case 'change_domain';
	if (isset($_REQUEST['newdomain']))

The code snippet above was sourced from an infected functions.php file on a site compromised by WP-VCD. Due to the campaign’s prevalence, this example is likely immediately recognizable to anyone with experience handling WordPress malware infections.

Full details and code analysis of the WP-VCD campaign can be found in the full report.

Infrastructure, Monetization, and Attribution

At various points in its history, specific features have been added and removed from the malware, but most core components of WP-VCD have remained consistent. Monetization comes from two main sources: viral marketing activity intended to manipulate search engine results via black hat SEO, and malvertising code which creates potentially dangerous redirects and pop-up ads for users viewing a compromised site.

In the whitepaper, we provide some insight into the extent of WP-VCD’s infrastructure and monetization scheme. We also reveal data which provides attribution to the threat actor behind the campaign.

Indicators of Compromise (IOCs)

In order to aid the security community in the prevention, detection, and eradication of WP-VCD infections, we have provided an extensive list of IOCs associated with this campaign. We have also shared some YARA-compatible malware detection rules for public use in the identification of infected sites.

Read The Full Report

The full scope of our investigation into WP-VCD far exceeds that of a typical research blog post, so please read the complete whitepaper: WP-VCD: The Malware You Installed On Your Own Site.

Credits: WP-VCD whitepaper by Mikey Veenstra. Editing by Sean Murphy and Ramuel Gall. 

Did you enjoy this post? Share it!

9 Comments on "WP-VCD: The Malware You Installed On Your Own Site"

Avictim November 4, 2019 at 9:27 am

You forgot to mention that this campaign is monitized by Propellerads, as all the advertisements domain names that infects the wp websites belongs to this company.

Mikey Veenstra November 5, 2019 at 2:11 pm

The connection to Propeller Ads is explained in some detail in the full whitepaper.

Walter Mairena November 4, 2019 at 9:53 am

It's amazing how coincidental it is that just this saturday morning I was looking into a website that had been giving this problem for quite a while, which I previously identified that its theme was nulled and the person that "developed" the website just stamped his name and info into the style.css. I had already on previous occations deactivated some unnecesary plugins that were old or no longer mantained, until the problem reappeared this saturday and I stumbled upong this code on functions.php, and after evaluating it looked really bad and was pairing to some "non-functioning" domains that semmed pretty fishy, so I just commented it out. I was just discussing this with a colleague an hour before I got the email notification from you guys. At least now I know this time I was right. Keep up the good work! Greets from Nicaragua!

Glen McNiel November 4, 2019 at 11:57 am

Good work guys. Thanks for all you do!

Mike November 4, 2019 at 3:27 pm

Should we search for this code within functions on all our sites manually, or is WF basic scanning for this?

Mikey Veenstra November 5, 2019 at 2:10 pm

Hi Mike! Wordfence scans will identify these injections, both on Premium and Free sites.

Johnson Opigo November 4, 2019 at 8:11 pm

Thanks so much for this incredible work.

Saurabh Wanarkar November 4, 2019 at 8:20 pm

complete whitepaper link above not wroking

Mikey Veenstra November 5, 2019 at 2:11 pm

Hi Saurabh, we're not seeing any issues on our end. Can you give some further detail on what's happening when you click?

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 100 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates