The security team has identified a security threat: a website that provides WordPress themes infected with malware. This site offers “nulled” themes, that is, paid-for themes that have been modified so they can be downloaded for free.

The themes the site provides free of charge are particularly dangerous, because installing one of them infects all of a site’s themes, plugins, and core WordPress files with malware. Once a site is infected, it can be used for black-hat SEO, phishing, and sending spam. Access to an infected site can also be sold to other cyber-criminals. The site contains over 6000 themes and gets over 50,000 visitors per day. The Imunify team first detected the malware in its themes on 1 June 2020, and noticed an increased infection rate over the following month:



Let’s examine how the malware works, see what identifies it, and learn how to neutralize it. 


How this WordPress malware works


Once the infected theme is installed and activated, the theme’s functions.php file executes the initial malicious script config/class.php:



The config/class.php file (e1a5f2a833d786a9985111c28097e2df5387b8935b373b215fadd54ee9a483da) contains this malicious code: 



The malicious code in config/class.php then infects the WordPress core file wp-load.php, along with other existing plugins and theme files. It uses the injections, samples, and hashes below, and also drops standalone malware files:





This malware also upgrades and disguises itself: 


  • The file config/class.php is “version 3” when downloaded, but after activation it upgrades itself to “version 7”.

  • It self-whitelists in popular security plugins such as Wordfence and AllInOneSecurity. 


It does that with the following code: 



Here’s a diagram of the full infection scheme:



Here are code samples from a few of the malicious files: 


Sample 1 (d18217d6f6e69dbd9a6a0f4a9d479327e9f4b52861122a01db0ca55367655833)


Sample 2 (ddd7f0d13ed96b838bf08f775e8f9bb9aa938b382efcc43e60847c6f6af9959d)


Sample 3 (f85e290e9d9d9a9293a38431621903ffb80f2d855d59ce65eefc818c2c741542)


How is this malware identified? 


Some malicious samples contain the following code:

$this->baseUrl = hex2bin( '687474703a2f2f636f6e6e6563742e61706965732e6f72672f' ); where the value decodes to hxxp:// This appears to be an admin center for the malware.

This malware appears to be solely WordPress-based, so a WordPress installation will contain the initial dropper file:



And it will contain these other files as well: 


wp-includes/<every folder and sub-folders>/.class-wp-cache.php

wp-admin/<every folder and sub-folders>/.class-wp-cache.php

wp-admin/<every folder and sub-folders>/index.php

wp-includes/<every folder and sub-folders>/index.php






These grep patterns can also indicate infection:

grep -rH "class_exists('WPTemplatesOptions')) {"  <your_sites_dir>

grep -rH "if (file_exists(get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php')) {" <your_sites_dir>

grep -rH "include_once( dirname( __FILE__ ) . '/config/class.php' );" <your_sites_dir>

grep -rHE "WPTemplatesOptions|WPPluginsOptions" <your_sites_dir>


As can these standalone malware sha256sums:
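As an added example (not the Imunify team's code), the following Python script applies the indicators from this write-up, the grep strings and regex, the hidden .class-wp-cache.php file name under wp-includes/ and wp-admin/, and the four sha256 sums quoted above, to a WordPress tree. The sample tree and the scan_tree/scan_dir names are constructed for illustration.

```python
import hashlib
import os
import re

# Indicators quoted in the write-up: the grep strings, the regex,
# the hidden file name, and the four published sha256 sums.
GREP_STRINGS = (
    "class_exists('WPTemplatesOptions')) {",
    "if (file_exists(get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php')) {",
    "include_once( dirname( __FILE__ ) . '/config/class.php' );",
)
GREP_REGEX = re.compile(r"WPTemplatesOptions|WPPluginsOptions")
HIDDEN_NAME = ".class-wp-cache.php"
KNOWN_SHA256 = {
    "e1a5f2a833d786a9985111c28097e2df5387b8935b373b215fadd54ee9a483da",  # config/class.php
    "d18217d6f6e69dbd9a6a0f4a9d479327e9f4b52861122a01db0ca55367655833",  # sample 1
    "ddd7f0d13ed96b838bf08f775e8f9bb9aa938b382efcc43e60847c6f6af9959d",  # sample 2
    "f85e290e9d9d9a9293a38431621903ffb80f2d855d59ce65eefc818c2c741542",  # sample 3
}

def scan_tree(files):
    """files maps relative path -> bytes; returns sorted (path, reason) tuples."""
    findings = set()
    for path, data in files.items():
        parts = path.split("/")
        # Hidden .class-wp-cache.php anywhere under wp-includes/ or wp-admin/
        if parts[0] in ("wp-includes", "wp-admin") and parts[-1] == HIDDEN_NAME:
            findings.add((path, "hidden .class-wp-cache.php"))
        if hashlib.sha256(data).hexdigest() in KNOWN_SHA256:
            findings.add((path, "known sha256"))
        text = data.decode("utf-8", errors="replace")
        if any(s in text for s in GREP_STRINGS) or GREP_REGEX.search(text):
            findings.add((path, "injected code pattern"))
    return sorted(findings)

def scan_dir(root):
    """Load a real install from disk into the mapping scan_tree expects."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                files[os.path.relpath(full, root).replace(os.sep, "/")] = fh.read()
    return scan_tree(files)

# Constructed sample tree (harmless stand-ins, not real malware):
SAMPLE_TREE = {
    "wp-content/themes/clean/functions.php": b"<?php add_theme_support('title-tag');\n",
    "wp-content/themes/nulled/functions.php": b"<?php include_once( dirname( __FILE__ ) . '/config/class.php' );\n",
    "wp-includes/js/.class-wp-cache.php": b"<?php if (!class_exists('WPPluginsOptions')) {}\n",
}
```

Run scan_dir('/path/to/wordpress') against a real install; a stock index.php is only reported when its content matches one of the injected patterns, since WordPress legitimately ships index.php files in many directories.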





How can this malware be neutralized?


The best way to neutralize this and similar malware is to tell others that using “nulled” themes and plugins is a bad idea. People usually don’t rework paid plugins/themes and spread them for free just out of the kindness of their hearts.

If you’re using Imunify360, you should do these things to neutralize the malware in themes: 

  1. Enable “real-time” malware scans. Here are the instructions on how to do that.

  2. Run a malware scan and perform cleanup. The malicious code in the themes has been identified with these malware signatures:








  3. Change any compromised WordPress admin and database credentials, and WordPress-related FTP credentials as well. If credentials have been compromised, they’ve been automatically sent to the malware command center.

  4. Set Proactive Defence to KILL mode. Its rules can prevent both the initial installation of this malware, and the spread of malware that’s already been installed. 

You can clean up the malware files manually after Imunify360 has detected them. You should also change compromised admin, database, and FTP credentials, as described above.



Tuesday, July 14, 2020
