- WP-VCD was first reported in the wild as early as February 2017.
- The malware usually targets WordPress developers and designers seeking free downloads of paid plugins and themes.
WordPress ecosystem has been facing one of the significant malware infections in recent months and this is primarily carried out by malware called WP-VCD.
How does it spread?
First reported in the wild as early as February 2017, WP-VCD malware attacks have increased in numbers over the years. The malware usually targets WordPress developers and designers seeking free downloads of paid plugins and themes.
Obfuscation feature
To add more woes to it, the site behind WP-VCD’s distribution is typically ranked very high when searching for WordPress themes. It does not rely on complicated code obfuscation to evade detection instead it hides in plain sight with legitimate-looking files and code structure.
Additionally, a combination of resilient design and extensive C2 infrastructure allows the attackers to establish a persistence presence in their victim’s sites, even when an infection is partially removed.
What happens after infection?
When a website is infected with WP-VCD malware, the C2 may respond with code intended to insert malicious backlinks into the site’s content.
When this code is present, every time a user views a post on the compromised site, an HTTP GET request is sent to the new C2 address. This request includes data about the victim site and the post being loaded such as the site’s address and the post’s title and type.
Conclusion
WP-VCD is a prevalent malware infection in the WordPress ecosystem. The nature of its distribution makes it difficult to prevent new sites from becoming compromised at scale. It will even make an attempt to reinfect the files with backdoors if the compromised site is not cleaned properly.
For individual WordPress site owners, preventing a WP-VCD infection is simple using the following way:
- Don’t install nulled plugins and themes;
- If you have hired a developer to build a WordPress site, ensure they are sourcing all their content responsibly.
Publisher
/https://cystory-images.s3.amazonaws.com/shutterstock_788198215.jpg)
/https://cystory-images.s3.amazonaws.com/shutterstock_1260320983.jpg)
