The Imunify security team has identified a security threat: wpnull24.com, a website that distributes WordPress themes infected with malware. The site offers “nulled” themes, that is, paid-for themes that have been modified so they can be downloaded for free. 

The themes offered free of charge at wpnull24.com are particularly dangerous, because installing one of them infects all of a site’s themes, plugins, and core WordPress files with malware. Once a site is infected, it can be used for black-hat SEO, phishing, and sending spam. Access to an infected site can also be sold on to other cyber-criminals. 

wpnull24.com hosts over 6,000 themes and gets over 50,000 visitors per day. The Imunify team first detected the malware in its themes on 1 June 2020, and saw the infection rate increase over the following month. 

Let’s examine how the malware works, see what identifies it, and learn how to neutralize it. 

 

How this WordPress malware works

 

Once the infected theme is installed and activated, the theme’s functions.php file loads and executes the initial malicious script, config/class.php, with the line include_once( dirname( __FILE__ ) . '/config/class.php' );

The config/class.php file (SHA-256 e1a5f2a833d786a9985111c28097e2df5387b8935b373b215fadd54ee9a483da) carries the malicious code that performs the infection. 

The code in config/class.php then infects the WordPress core file wp-load.php, along with the files of the other installed plugins and themes, and also drops standalone malware files. The dropped file paths, grep signatures and SHA-256 hashes are listed under “How is this malware identified?” below.

This malware also upgrades and disguises itself: 

  • The file config/class.php identifies itself as “version 3” when downloaded, but after activation it upgrades itself to “version 7”.

  • It adds itself to the whitelists of popular security plugins such as Wordfence and All In One WP Security, so that their scans do not flag its files. 

The full infection chain, in summary: the activated theme’s functions.php loads config/class.php, which injects code into wp-load.php and into the other installed themes and plugins, and drops the standalone files listed below.

Three of the standalone malicious files, identified by SHA-256: 

Sample 1: d18217d6f6e69dbd9a6a0f4a9d479327e9f4b52861122a01db0ca55367655833

Sample 2: ddd7f0d13ed96b838bf08f775e8f9bb9aa938b382efcc43e60847c6f6af9959d

Sample 3: f85e290e9d9d9a9293a38431621903ffb80f2d855d59ce65eefc818c2c741542


How is this malware identified? 

 

Some malicious samples contain the following line:

$this->baseUrl = hex2bin( '687474703a2f2f636f6e6e6563742e61706965732e6f72672f' );

The hex string decodes to hxxp://connect.apies.org/, which appears to be the malware’s command-and-control (admin) centre. 

This malware appears to target WordPress only, so an infected installation will contain the initial dropper file:

themes/<theme_name>/config/class.php 

 

It will also contain these files (the themes/, plugins/ and uploads/ paths are relative to wp-content/): 

uploads/<year>/.class-wp-cache.php

wp-includes/<every folder and sub-folders>/.class-wp-cache.php

wp-admin/<every folder and sub-folders>/.class-wp-cache.php

wp-admin/<every folder and sub-folders>/index.php

wp-includes/<every folder and sub-folders>/index.php

themes/<theme_name>/.<theme_name>.php

plugins/<plugin_name>/.<plugin_name>.php

plugins/<plugin_name>/<sub-folder>/.<sub-folder>.php

themes/<theme_name>/<sub-folder>/.<sub-folder>.php

 

These grep patterns can also indicate infection. The -F flag matches the strings literally, so the parentheses and dots in them are not treated as regex metacharacters:

grep -rHF "class_exists('WPTemplatesOptions')) {" <your_sites_dir>

grep -rHF "if (file_exists(get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php')) {" <your_sites_dir>

grep -rHF "include_once( dirname( __FILE__ ) . '/config/class.php' );" <your_sites_dir>

grep -rHE "WPTemplatesOptions|WPPluginsOptions" <your_sites_dir>

 

As can the SHA-256 sums of the standalone malware files:

d18217d6f6e69dbd9a6a0f4a9d479327e9f4b52861122a01db0ca55367655833

ddd7f0d13ed96b838bf08f775e8f9bb9aa938b382efcc43e60847c6f6af9959d

f85e290e9d9d9a9293a38431621903ffb80f2d855d59ce65eefc818c2c741542
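The file list and grep patterns above can be folded into one scan. The following script is an added example, not part of the original post and not Imunify360 code. It assumes GNU or BSD find, grep and awk, and that wp-admin/network/index.php and wp-admin/user/index.php are the only index.php files WordPress ships below wp-admin/ and wp-includes/; hosts sometimes add empty index.php files there, so those hits are reported for a manual look rather than treated as proof. For a definitive check of core files, compare against a clean copy of the same version (for instance with WP-CLI’s wp core verify-checksums).

```shell
#!/bin/sh
# Added example (not from the original post): scan a WordPress root for the
# wpnull24 indicators listed above. Prints one finding per line as
# "<kind><TAB><path>" and returns 1 if anything was found, 0 if the tree looks clean.
# Assumes GNU or BSD find/grep/awk; nothing here is Imunify-specific.

scan_wpnull24() {
    root=$1
    out=$(mktemp)

    # 1. Hidden PHP files. WordPress core, themes and plugins ship no dot-prefixed
    #    .php files, so every ".<name>.php" is suspicious. This covers
    #    .class-wp-cache.php, .<theme_name>.php, .<plugin_name>.php and .<sub-folder>.php.
    find "$root" -type f -name '.*.php' 2>/dev/null \
        | awk '{print "hidden-php\t" $0}' >> "$out"

    # 2. index.php dropped into sub-folders of wp-admin/ and wp-includes/.
    #    Core only ships wp-admin/network/index.php and wp-admin/user/index.php
    #    below those two directories (assumption), so those are skipped; anything
    #    else is reported for a manual look.
    find "$root/wp-admin" "$root/wp-includes" -mindepth 2 -type f -name index.php 2>/dev/null \
        | grep -v -e '/wp-admin/network/index.php$' -e '/wp-admin/user/index.php$' \
        | awk '{print "subdir-index\t" $0}' >> "$out"

    # 3. The code markers from the grep patterns above, matched as fixed strings (-F)
    #    so the parentheses, dots and quotes are taken literally. -l lists each
    #    matching file once.
    grep -rlF --include='*.php' \
        -e "include_once( dirname( __FILE__ ) . '/config/class.php' );" \
        -e "class_exists('WPTemplatesOptions')) {" \
        -e "if (file_exists(get_template_directory() . DIRECTORY_SEPARATOR . '.' . basename(get_template_directory()) . '.php')) {" \
        -e 'WPTemplatesOptions' -e 'WPPluginsOptions' \
        "$root" 2>/dev/null \
        | awk '{print "code-marker\t" $0}' >> "$out"

    cat "$out"
    n=$(wc -l < "$out" | tr -d ' ')
    rm -f "$out"
    [ "$n" -eq 0 ]
}

# Usage: sh scan_wpnull24.sh /var/www/html
if [ "$#" -gt 0 ]; then
    scan_wpnull24 "$1"
fi
```

The non-zero exit status on findings makes the script usable from cron or a deploy hook; the tab-separated output can be fed straight into the quarantine step described later.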

 

How can this malware be neutralized?

 

The best defence against this and similar malware is to tell others that using “nulled” themes and plugins is a bad idea. People rarely rework paid plugins and themes and give them away out of the kindness of their hearts.

If you’re using Imunify360, take these steps to neutralize the malware in wpnull24.com themes: 

  1. Enable “real-time” malware scans. Instructions are in the Imunify360 documentation.

  2. Run malware scan and perform cleanup. The malicious code in the themes has been identified with these malware signatures:

    SMW-INJ-15541-php.bkdr.incl.wpnull24-1

    SMW-INJ-15539-php.bkdr.incl.wpnull24-1

    SMW-SA-15534-php.bkdr.drpr.wpnull24-3

    SMW-SA-15255-php.bkdr.wshll.wpnull24-3

    SMW-SA-15256-php.bkdr.wshll.wpnull24-2

    SMW-INJ-15540-php.bkdr.drpr.wpnull24-1

    SMW-INJ-15535-php.bkdr.incl.wpnull24-2

  3. Change any compromised WordPress admin and database credentials, and WordPress-related FTP credentials as well. Treat every credential present on an infected site as compromised: the malware sends them automatically to its command centre.

  4. Set Proactive Defence to KILL mode. Its rules can prevent both the initial installation of this malware, and the spread of malware that’s already been installed. 

Once Imunify360 has detected the malware files, you can also clean them up manually. Either way, change compromised admin, database, and FTP credentials, as described above. 
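For the manual cleanup of the standalone files, the following script is an added example, not part of the original post and not Imunify360 code. It quarantines the hidden .<name>.php files rather than deleting them, keeping a sha256sum-compatible manifest so the samples survive and can be compared with the hashes listed above. It assumes sha256sum from GNU coreutils and a quarantine directory outside the web root. Files that carry injected code (wp-load.php, the theme’s functions.php, plugin files) are not handled by it: they must be replaced with clean copies of the same version, and the nulled theme itself should be removed entirely.

```shell
#!/bin/sh
# Added example (not from the original post): quarantine the standalone files the
# dropper writes (the hidden ".<name>.php" files listed earlier) instead of
# deleting them, so the samples survive for hashing and follow-up.
# Assumes sha256sum (GNU coreutils) and that QDIR lies outside ROOT.

# quarantine_wpnull24 ROOT QDIR
# Moves every hidden .php file under ROOT to QDIR, keeping the relative path, and
# writes "<sha256>  <relative path>" lines to QDIR/manifest.txt in the format
# that `sha256sum -c` accepts. Prints the number of files moved.
quarantine_wpnull24() {
    root=${1%/}
    qdir=$2
    mkdir -p "$qdir"
    : > "$qdir/manifest.txt"
    # Build the list first, then move, so moved files are never re-found.
    find "$root" -type f -name '.*.php' 2>/dev/null > "$qdir/list.txt"
    while IFS= read -r f; do
        rel=${f#"$root"/}
        sha=$(sha256sum "$f" | cut -d' ' -f1)
        mkdir -p "$qdir/$(dirname "$rel")"
        mv "$f" "$qdir/$rel"
        printf '%s  %s\n' "$sha" "$rel" >> "$qdir/manifest.txt"
    done < "$qdir/list.txt"
    rm -f "$qdir/list.txt"
    wc -l < "$qdir/manifest.txt" | tr -d ' '
}

# Usage: sh quarantine_wpnull24.sh /var/www/html /root/quarantine-$(date +%F)
if [ "$#" -eq 2 ]; then
    quarantine_wpnull24 "$1" "$2"
fi
```

Running sha256sum -c manifest.txt inside the quarantine directory re-verifies the moved files, and the hashes in the manifest can be checked against the three sample hashes listed above before the samples are shared with a scanner vendor.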

 

 



Tuesday, July 14, 2020
