New Threat Research: MalSync Teardown: From DLL Hijacking to PHP Malware for Windows  

Read Threat Research

Search

WP-VCD Botnet Now Injecting Anti-Adblocker Scripts

WP-VCD is a WordPress botnet that has been around since early 2017. It is able to create backdoor accounts, spread to other installed themes, redirect visitors, inject ads, and add command and control capabilities to a victim’s site. Ad revenue is where the group makes its money though, and the popularity of ad blocking browser plugins may be causing the botnet operators some headaches. Some versions of the infection are now including anti-adblocking scripts to force ads to appear even when a visitor has attempted to block the ads. Anti-adblocking scripts have gained popularity across many subscriptions-based sites as a way to nag visitors to either allow ads or to subscribe for ad-free viewing. Because of this, it should be no surprise that malicious advertising (malvertising) networks are also fighting ad-blocking with their own scripts.

Analyst Notes

An infection by WP-VCD typically begins by downloading pirated WordPress themes or plugins. When the official WordPress marketplace of themes or plugins is not enough, there are plenty of reputable stores which also may offer free content as well. Downloading a pirated version of anything always runs the risk of infection, especially when there is easy access to source code by anyone with a copy of the product. Binary Defense highly recommends avoiding the use of pirated plugins or themes and instead sticking with free, open source or officially purchased ones instead. It is also critically important to keep WordPress and all plug-ins updated with the latest security patches. WordPress sites are constantly targeted by attackers scanning for unpatched vulnerabilities. Once compromised, WordPress sites are often used to host malware files or set up as a proxy server to attack other companies.

For more information, please see:
https://blog.prevailion.com/2020/02/phps-labyrinth-weaponized-wordpress.html
https://www.zdnet.com/article/wordpress-botnet-deploys-anti-adblocker-script-to-make-sure-its-spammy-ads-are-profitable/
https://www.zdnet.com/article/an-inside-look-at-wp-vcd-todays-largest-wordpress-hacking-operation/