A weekly report of noteworthy threat data by the Defiant threat intelligence team.
Malware samples identified on the greatest count of newly infected sites.
|MD5||Signature||Description||Example File Names|
|CEC9A529B43D84F0A0E3624372CD9C51||Backdoor:PHP/WP-VCD.5409||Infected core file, triggers execution of another malicious script.||post.php|
|7D9A88B33CD777B0949A3033512C1D08||Backdoor:PHP/wp-vcd.5476||Backdoor associated with SEO spam injections.||wp-vcd.php|
|3F60851C9F7E37C0D8817101D2212C68||Suspicious:PHP/eval_b64.1||Obfuscated PHP backdoor.||-h7h0pfixp7.phpP, 01nbgrzyxu.php, 05hyfj1bf8.php, and others.|
|701CB9E0ACF43569D3C539B073DAAF2F||Spam:PHP/oclasinsert.5483||SEO spam code injector.||wp-tmp.php|
|380FA777B8C37FB60811E5972391261B||Suspicious:PHP/evalB64.4068||WebShellOrb PHP webshell.||wp-update.php, ob.php, aw.php, and others.|
|1||8||22.214.171.124||14061 (DigitalOcean, LLC)||DE|
|2||4||126.96.36.199||14061 (DigitalOcean, LLC)||US|
|3||—||188.8.131.52||16276 (OVH SAS)||FR|
|4||5||184.108.40.206||16276 (OVH SAS)||CA|
|5||—||220.127.116.11||42926 (Radore Veri Merkezi Hizmetleri A.S.)||TR|
|6||10||18.104.22.168||16276 (OVH SAS)||FR|
|7||—||22.214.171.124||7684 (SAKURA Internet Inc.)||JP|
|8||—||126.96.36.199||14061 (DigitalOcean, LLC)||SG|
|9||—||188.8.131.52||16276 (OVH SAS)||CA|
|10||9||184.108.40.206||14061 (DigitalOcean, LLC)||US|
|Domain Name||Date Added||Current Status||Notes|
|6tws.us||09/26/2019||Up||Several subdomains referenced in malware samples.|
|belaterbewasthere.com||09/27/2019||Up||Associated with malvertising campaign.|
|createrelativechanging.com||09/28/2019||Up||Associated with malvertising campaign.|
This edition of Wordfence Weekly follows a brief hiatus from our team travelling to WordCamp US last week. As you may have guessed following the release of the research behind WP-VCD, the campaign still makes up four of the five slots in our new infection chart.
In this week's Wordfence Weekly, we've got three vulnerabilities disclosed by the Wordfence team associated with WordPress plugins and themes. A new face appears in the top malware infections list, a script built seemingly only to delete itself when told to. In the attacking IP charts, we see a new ASN joining the rankings: Microsoft Corporation appears three times in the top ten.
This week saw the release of WordPress 5.2.4, a security release which fixed a number of core vulnerabilities. None of the vulnerabilities are severe enough to suggest widespread abuse, but it's always a good idea to update. A big surprise comes from our attacking IP data, as not a single IP address from last week's rankings was present this week. The same cannot be said of the malware data, as WP-VCD variants continue to maintain a firm hold of the chart.
This week, three unique variants of the same WP-VCD spam injector made it to the top five new infections, while the other two positions were held by ancillary scripts from the same campaign. A GoDaddy server is the fifth most malicious IP address this week, suggesting infected sites present on the host. The remainder of the list was divided between cloud hosts OVH SAS and DigitalOcean, as seen commonly in recent weeks.
New WP-VCD variants continue to appear on the malware infection rankings, continuing a streak that shows no sign of slowing. The top two IP addresses this week are US-based machines associated with the Chinese tech conglomerate Alibaba, while the rest are divided evenly between cloud hosts DigitalOcean and OVH SAS. Lastly, a few vulnerabilities released this week allow attackers to modify the options of the affected plugins, leading to XSS injection.
In this Wordfence Weekly we share five new domains which have been added to our blacklist for their association with spamming and malvertising. A slightly modified variant of WP-VCD's wp-tmp.php script reaches the top of the malware chart, while the rest has remained stable from previous weeks. Lastly, several new IP addresses have reached the top ten attacking hosts during a week where the Wordfence firewall detected a notable surge in activity.
This edition of Wordfence Weekly includes a number of vulnerabilities recently patched in WordPress core version 5.2.3. All WordPress users are recommended to ensure this security patch has been applied as soon as possible. WP-VCD and related malware still hold the top most common new infections, while most of the top attacking IP addresses have rotated out.
This week we see a continued trend of WP-VCD infections on the top malware chart. Two newly tracked domains have been added, which are hosting malicious scripts referenced by other malware samples. Last, the popular Formidable Forms plugin was recently patched to improve its output sanitization, suggesting exploitability in its earlier versions.
This week's Wordfence Weekly sees a continued trend of new WP-VCD infections taking over the Most Common New Infections chart. In Attacking IPs, the top two addresses from last week retain their positions while the rest of the list contains new IPs from a variety of hosts. Additionally, we're tracking some new malvertising domains as well as a MySQL host used by attackers taking over unfinished WordPress installs.
In this Wordfence Weekly, we've got a Directory Traversal vulnerability in the highly popular WP Fastest Cache plugin. In the malware rankings, we see a number of samples associated with the WP_VCD SEO spam campaign as well as more PHP backdoor scripts. Also, this week's attacking IP rankings have returned to a typical spread of activity, with attacks from OVH SAS and DigitalOcean servers controlling the board.
The prevalence of attacks from US-based host QuadraNet continues in this edition of Wordfence Weekly. Additionally, a few new noteworthy vulnerabilities have popped up, which are each seeing their own attacks. In particular, we've begun tracking some new domains associated with malicious redirects.
This week, the list of the top IPs attacking WordPress sees a sudden appearance of seven addresses from the US-based hosting provider QuadraNet Enterprises LLC. In the tracked domains, we've added some illegitimate download sites referenced in malicious samples discovered by our site cleaning team.
July's final Wordfence Weekly sees some news items regarding Marcus Hutchins' sentencing and a data breach from Capital One. Under the week's new tracked domains, we list xn--google-analytcs-xpb[.]com, a punycode domain masquerading as a Google Analytics domain when decoded. Malware trends and common attacking IPs remain stable, though OVH SAS's longtime domination of the attacking IP rankings continues to wane.
This week's Wordfence Weekly shows an increase in US-based attack traffic, including an IP from popular web host GoDaddy. We're also seeing a rise in infected sites where the PHP webshell "Ironshell" is present. In the news, Equifax is slated to pay a settlement following its 2017 data breach and the nation of Kazakhstan is attempting to man-in-the-middle the internet traffic of its citizens.
This week saw an uptick in malicious network activity from Chinese hosts, while IPs associated with OVH SAS have begun to pull back. We've begun tracking new domains associated with malvertising campaigns, while familiar backdoor scripts remain the top new infections of the week. In the news, an Instagram access control flaw could have allowed hackers to take over any account, and Apple put its foot down by removing hidden, vulnerable webservers from Zoom clients.