Infected WordPress Themes Still on WordPress.org
Part 1
FAKE SOCIAL.PNG CONTINUES TO RUN RAMPANT ON WORDPRESS THREADS
WordPress is not surprising after coming across so many vulnerabilities and exploits.
It is a popular CMS and a favorite of hackers.
We searched wordpress.org Apache Subversion to find commonalities in infected themes.
This is a serious concern because infected files are easily installed directly from the WordPress.org website.
We will publish a series of articles INFECTED WordPress Themes STILL ON WORPRESS.ORG in the coming weeks. Here we will share our findings with you to help stop the spread of this infection through awareness.
INFECTION FILES WITH IMAGES
We first discovered deceiving files in the form of highly opaque code embedded in images. We found false-image files in certain PHP scripts that were a serious threat.
A user would expect that their web antivirus scanner would detect the code, but many malware antivirus scans don’t perform a file extension scan to maximize their scanning speed.
Here is a list we found of infected WordPress themes:
- hxxps://themes.svn.wordpress.org/delish/1.2/social.png
- hxxps://themes.svn.wordpress.org/delish/1.3/social.png
- hxxps://themes.svn.wordpress.org/delish/1.3.1/social.png
- hxxps://themes.svn.wordpress.org/delish/1.3.2/social.png
- hxxps://themes.svn.wordpress.org/delish/1.3.3/social.png
- hxxps://themes.svn.wordpress.org/neworld/1.0.0.0.0.65565544254/images/social.png
- hxxps://themes.svn.wordpress.org/elgrande-shared-on-wplocker-com/1.1.0/images/social.png
We discovered a highly obscured PHP code that was 30kb in size after analyzing the content file “social.png” contained within these themes.
CONTINUED vulnerability
Further investigation revealed that the PHP code contained an RSA public secret key. This malicious file, also known as social.png, has been infecting users for more than 3 years. However, many infected themes remain in the wordpress.org repository.
This malicious code infected many websites, causing:
- Blacklisting Server IP
- The site to be broken if files were deleted
- Display a blank page on the front page
This malware file was added to the encrypted domain list.
Nevertheless, after decrypting the above, we find the following:
You guessed it: the listed host sites are used by the attackers to distribute malware and scum ads. We continued to investigate and found in Pastebin that there was an older version of the malware.
We discovered that the malware contained a list of encoded email addresses, which were sending crucial information about the infected system. We decoded the list.
We discovered more variants of this malware using PHP obfuscator
You can also find a partially obscured version here:
CONCLUSION
This type of attack is not common because it is complex, but it is highly effective as it has targeted CDNs for WordPress themes. Its multilayered approach, which uses encryption, multiple domains, and other forms, is what makes it so effective. It is becoming more difficult to identify the true purpose of these sophisticated black hat techniques, which conceal their true purpose.
This level of sophistication is not only for individuals but also for organizations. It requires a multi-faceted approach.
- Use a more complex pre-moderation for plugins and themes on popular portals like wordpress.org.
- Before you install any theme or plugin, make sure that the AV scanner is running. This will allow you to detect any malicious code.
- Before you add any new code, back up your website.
The best way to prevent this kind of infection is to carefully choose third-party codes. It is important to have a solid understanding of cyber security to protect users and websites. It would be ideal to have security analysts available to inspect and examine all code. Contact us if you’re looking for a security analyst to help with your code inspections and investigations.