Threat actors behind the WP-VCD family of WordPress infections have started to distribute modified versions of Coronavirus-themed plugins. These plugins create backdoors on infected sites and are designed to display popups, redirect visitors, or inject malicious advertisements in an attempt to generate revenue for the attackers. Once installed, the malicious plugin attempts to inject code into the installed themes and various other PHP files, and tries to infect any other WordPress sites that share the same hosting account. Because the injected code is hooked into files that WordPress loads on every request, it runs every time a page is served from the infected site, which lets it check in regularly with a command and control server for tasks to execute. The pirated WordPress plugins found to include the malicious code were named “COVID-19 Coronavirus – Live Map WordPress Plugin,” “Coronavirus Spread Prediction Graphs,” and “Covid-19.”
WordPress is an extremely popular site-building platform with a wide variety of plugins created by third parties. Because plugins are distributed as PHP source code, anyone can download a plugin, modify it for malicious purposes, and redistribute it with no obvious sign of tampering. WordPress administrators should only install plugins from trusted sources such as the official WordPress.org plugin directory or established marketplaces where plugins and themes can be reported. Installing pirated versions of commercial plugins, or of any other software, always carries a high risk of infection. The malicious versions of these plugins contain a file named “class.plugin-modules.php” holding Base64-encoded data that is decoded and written to /wp-includes/wp-vcd.php when the plugin is installed. The malicious plugins also modify the core file /wp-includes/post.php so that it includes wp-vcd.php, which is what keeps the backdoor running on every page load. WordPress site owners can search for these modifications to detect infections: the presence of wp-includes/wp-vcd.php, any reference to it in wp-includes/post.php, and theme files that decode and evaluate Base64 blobs are all indicators. Since post.php is a core file, any difference between it and the official WordPress release for the installed version is itself a red flag.
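The following script, added here as an example and not code from the original article or from any WordPress project, checks a WordPress install for the WP-VCD indicators listed above: the dropped wp-includes/wp-vcd.php, a reference to it in wp-includes/post.php, the class.plugin-modules.php dropper inside a plugin directory, and theme functions.php files that run eval on base64_decode output. The indicator names and paths come from the article; the sample site that make_sample_site builds, including its placeholder include line and Base64 string, is constructed purely for demonstration and is not the real injected code.

```shell
#!/bin/sh
# Added example, not code from the original article: scan a WordPress root
# for the WP-VCD artifacts the article describes. Paths and indicator names
# come from the article; the sample tree built by make_sample_site below is
# a constructed stand-in for demonstration only.

# Print one line per indicator found under the WordPress root given in $1.
# Exit status 0 means no indicator was found, 1 means at least one was.
scan_wp_vcd() {
    root=$1
    found=0

    # 1. The payload file the malicious plugin drops at install time.
    if [ -f "$root/wp-includes/wp-vcd.php" ]; then
        echo "DROPPER  $root/wp-includes/wp-vcd.php exists"
        found=1
    fi

    # 2. Core post.php patched to include the payload so it runs on every
    #    page load. A pristine post.php never mentions wp-vcd.
    if [ -f "$root/wp-includes/post.php" ] \
        && grep -q 'wp-vcd' "$root/wp-includes/post.php"; then
        echo "CORE-MOD $root/wp-includes/post.php references wp-vcd.php"
        found=1
    fi

    # 3. The Base64-carrying dropper shipped inside the pirated plugin.
    hits=$(find "$root/wp-content/plugins" -name 'class.plugin-modules.php' \
           2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/PLUGIN   /'
        found=1
    fi

    # 4. Theme loaders that decode and eval a Base64 blob. Legitimate themes
    #    rarely do this, so every hit deserves a manual look.
    hits=$(find "$root/wp-content/themes" -name 'functions.php' \
           -exec grep -lE 'base64_decode|eval *\(' {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits" | sed 's/^/THEME    /'
        found=1
    fi

    return $found
}

# Build a constructed WordPress-like tree under $1. Mode "infected" plants
# stand-ins for the artifacts the article describes; mode "clean" does not.
make_sample_site() {
    site=$1; mode=$2
    mkdir -p "$site/wp-includes" "$site/wp-content/themes/demo-theme" \
             "$site/wp-content/plugins/covid-19"
    printf '<?php\n// trimmed stand-in for core post.php\n' \
        > "$site/wp-includes/post.php"
    printf '<?php\nfunction demo_theme_setup() {}\n' \
        > "$site/wp-content/themes/demo-theme/functions.php"
    printf '<?php\n// plugin main file\n' \
        > "$site/wp-content/plugins/covid-19/covid-19.php"

    if [ "$mode" = infected ]; then
        # Payload dropped at install time (placeholder contents).
        printf '<?php\n// payload placeholder\n' > "$site/wp-includes/wp-vcd.php"
        # Core file patched to load the payload (constructed stand-in line).
        printf 'include_once(dirname(__FILE__) . "/wp-vcd.php");\n' \
            >> "$site/wp-includes/post.php"
        # The dropper that shipped with the pirated plugin (placeholder blob).
        printf '<?php\n$blob = "cGxhY2Vob2xkZXI=";\n' \
            > "$site/wp-content/plugins/covid-19/class.plugin-modules.php"
        # Loader injected into the theme (placeholder blob).
        printf 'eval(base64_decode("cGxhY2Vob2xkZXI="));\n' \
            >> "$site/wp-content/themes/demo-theme/functions.php"
    fi
}

# Demo: build an infected sample tree in a temp dir, scan it, clean up.
demo_dir=$(mktemp -d)
make_sample_site "$demo_dir" infected
if scan_wp_vcd "$demo_dir"; then
    echo "no WP-VCD indicators under $demo_dir"
else
    echo "WP-VCD indicators found; inspect the files listed above"
fi
rm -rf "$demo_dir"
```

On a real site, call `scan_wp_vcd /path/to/wordpress` against the document root. The fourth check is a heuristic and will also flag any theme that legitimately uses base64_decode, so treat its output as a list to review rather than a verdict. Because post.php is a core file, pairing this with WP-CLI's `wp core verify-checksums`, which compares every core file against the official checksums for the installed version, catches the post.php modification even if the injected include line changes.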