WordPress Malware - Command and Control and Advertisements
This is a post about malware that can be injected into the WordPress CMS; the article is written by attorney Domingo J. Rivera. WordPress is an easy to use and very popular content management system (CMS). It currently powers a large share of all Internet sites and the majority of sites built on a CMS. As such, it is a constant target of exploitation, and with the number of outdated installs and third-party themes and plugins in use, often not a difficult one. We are currently seeing yet another WordPress attack. This one is not one of the many trying to perform denial of service attacks, steal credentials, or distribute malware to visitors. This one was seemingly created to profit from someone else's content. The malware gets injected into a website's WordPress theme, specifically into the theme's functions.php file, and it also steals user credentials along the way.
If, after reading this, you think your site was infected, you may have been the victim of a violation of the Computer Fraud and Abuse Act. There may be civil or criminal remedies available.
We have recovered samples of this malware in the wild. We have also been able to identify the domain names to which the malware transmits the site's credentials. At this time we are not publishing those domain names or the Cloudflare name servers used for their resolution (shocking, malware writers using Cloudflare!). They are available to researchers and law enforcement; please contact AVM Technology to obtain them.
This particular piece of malware begins with PHP code:
The malware then calls the wp_vcd function, and voila! Your WordPress site is serving someone else's advertisements and making money for the attacker.
Of course, the malware has to persist itself in the theme file and load a few additional files that it drops in order to operate. Finally, it contacts the operator's domain name and transmits an authentication key. As stated above, the domain name and the authentication key are available to any researcher who wants to pay the attacker a friendly visit. The malware also carries several fallback domain names in case the first one gets taken down.
If you see any part of this code in the functions.php file of a WordPress theme, your site has been hacked. Install a fresh copy of the theme and immediately delete the infected one. Cleaning functions.php alone is not sufficient: the malware also creates a series of additional files, and those must be deleted as well. Because the malware exfiltrates credentials, also reset every WordPress user password and check for administrator accounts you did not create. Consult a cyber security professional or use an online scanner for your site. Sucuri has a nice one.
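As an added example (not part of the original post, and not the malware sample itself), the following Python script scans theme functions.php files for the indicator this post does name, the wp_vcd function, plus a handful of generic obfuscation and dropper heuristics (eval, base64_decode, gzinflate, file writes, remote fetches). The heuristics and the two embedded PHP samples are constructed here for illustration; they are assumptions, not the recovered code or the real dropped file names.

```python
"""Scan WordPress theme functions.php files for wp_vcd infection indicators.

Added example: the only indicator taken from the post is the wp_vcd function.
The other patterns are generic heuristics (an assumption) for obfuscated PHP.
"""
import re
import sys
from pathlib import Path

# Indicator name -> regex. Heuristics other than "wp_vcd" are assumptions.
INDICATORS = {
    "wp_vcd": re.compile(r"\bwp_vcd\b"),
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "decoder": re.compile(r"\b(gzinflate|gzuncompress|str_rot13)\s*\("),
    "remote_fetch": re.compile(
        r"\b(file_get_contents|curl_init|fsockopen)\s*\(\s*['\"]?https?://"),
    "file_write": re.compile(r"\b(file_put_contents|fwrite|fopen)\s*\("),
}

# Constructed sample of a benign theme functions.php.
CLEAN_SAMPLE = """<?php
add_action('wp_enqueue_scripts', 'example_theme_styles');
function example_theme_styles() {
    wp_enqueue_style('example-theme', get_stylesheet_uri());
}
"""

# Constructed, inert stand-in for an infected functions.php (not the real code).
INFECTED_SAMPLE = """<?php
if (!function_exists('wp_vcd')) {
    function wp_vcd($payload, $path) {
        $code = base64_decode($payload);
        file_put_contents($path, $code);   // drops a helper file
        eval($code);                       // runs the decoded payload
    }
}
wp_vcd('aWYoMSl7fQ==', $dropped);
add_action('wp_enqueue_scripts', 'example_theme_styles');
"""


def scan_source(source: str) -> list[tuple[str, int, str]]:
    """Return (indicator, line_number, line) for every matching line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append((name, lineno, line.strip()))
    return findings


def is_infected(findings: list[tuple[str, int, str]]) -> bool:
    """wp_vcd anywhere is definitive; eval combined with a decoder is a strong
    obfuscation signal. Other single hits are reported but not flagged."""
    names = {name for name, _, _ in findings}
    if "wp_vcd" in names:
        return True
    return "eval" in names and bool(names & {"base64_decode", "decoder"})


def scan_theme_dir(root: Path) -> dict[Path, list[tuple[str, int, str]]]:
    """Scan every functions.php under root (e.g. wp-content/themes)."""
    return {path: scan_source(path.read_text(errors="replace"))
            for path in sorted(root.rglob("functions.php"))}


def report(label: str, findings: list[tuple[str, int, str]]) -> None:
    verdict = "INFECTED" if is_infected(findings) else "clean"
    print(f"{label}: {verdict}")
    for name, lineno, line in findings:
        print(f"  [{name}] line {lineno}: {line}")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, findings in scan_theme_dir(Path(sys.argv[1])).items():
            report(str(path), findings)
    else:
        report("clean sample", scan_source(CLEAN_SAMPLE))
        report("infected sample", scan_source(INFECTED_SAMPLE))
```

Run it as `python scan_wp_vcd.py /var/www/html/wp-content/themes` to check every installed theme; with no argument it scans the two embedded samples. A hit on wp_vcd is a definitive match for this post; the other indicators flag obfuscated code that deserves a manual look, and a legitimate theme will occasionally trip one of them, so the script treats a single generic hit as informational rather than as an infection.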
Any researchers who want the complete code, domain names involved, Cloudflare name servers or any other details, may contact Domingo J Rivera or AVM Technology, LLC.