Coronavirus Wordpress Plugin Infecting Sites with WP VCD Malware

BEWARE of Coronavirus WordPress Plugin Infecting Sites with WP-VCD Malware

Just when you thought hackers could not get any lower, they go past the bottom. Hackers have found a way to exploit legitimate WordPress plugins and themes by injecting itself in plugins which show stats for Coronavirus also known as the COVID-19 virus.

These exploits are being used in several types of attacks including ransomware, malware, and malicious domains.

Be very careful of any Coronavirus WordPress Plugin and do not download from sites other than WordPress.org

DO NOT DOWNLOAD ANY SOFTWARE FROM

www[dot]downloadfreethemes[dot]co
themesubmit[dot]com
www[dot]downloadfreethemes[dot]space, freesoft[dot]royalbeats[dot]in
freedownloadthemes[dot]co
raybans[dot]com[dot]co
coursefree[dot]co

For full details Analysis on the Injection points, files, and how the hackers are breaking into sites. Please see the details on WebARX’s website.

Analysis

Injection Point

During the analysis of multiple samples, we noticed that all themes contained a file called class.theme-modules.php and all plugins contained a file called class.plugin-modules.php. Both files contained the exact same code.

In plugins, the hackers used the class.plugin-modules.php file which would be loaded in the main file of the plugin on the first line by injecting the following (reformatted):

See more here: https://www.webarxsecurity.com/wp-vcd-malware-analysis/