COVID-19 WordPress Malware

Many website administrators are adding Coronavirus (COVID-19) related plugins on their pages to inform their visitors about stats and the latest news regarding the pandemic. However, cybercriminals have noticed this opportunity to propagate various types of malware to unsuspecting users and website administrators.

The well-known WordPress WP-VCD malware has appeared as part of a new attack using Coronaviurs plugins on WordPress. The latest attacks open backdoors into web sites and give threat actors unprecedented access to those websites.

These WordPress infections spread through nulled and pirated WordPress plugins. The plugins have modified code that opens up a backdoor into themes installed on a WordPress site. The infected code also opens up backdoors on PHP files.

After infecting a WordPress site, WP-VCD then goes on to compromise other websites on the host. The malware also checks for new commands and instructions from the command and control (C2) server.

Infected WordPress plugins are nothing new. Threat actors use them to infect websites with popups or redirect legitimate traffic to one of their scams and other money-making websites.

WP-VCD Spread Via Pirated Coronavirus-Related WordPress Plugins

The researchers at MalwareHunterTeam shared samples of WordPress plugins that contained the “Trojan.WordPress.Backdoor.A” virus. The zip files for the plugins included the “COVID-19 Coronavirus – Live Map WordPress Plugin” along with “Covid-19” and “Coronavirus Spread Prediction Graph.” These plugins are installed on websites so visitors can track recent infections and learn more about how to prepare and respond to the pandemic.

Readme image for the pirated plugin

While the plugins all appeared legitimate, they also contained a PHP file called “class.plugin-modules.php.” The PHP file includes malicious code related to the WP-VCD plugin. The plugin takes the base64 encoded PHP code in the WP_CD_CODE variable and saves it to the /wp-includes/wp-vcd.php file.

The virus then adds code to the /wp-includes/wp-vcd.php file to automatically load the wp-vcd.php file when the page containing the plugin is loaded.

The malicious plugin scans the website for installed themes and adds additional code to each of them. Once the infection is completed, the Wp-VCD connects to the C2 server to await further instructions and commands.

The commands from the C2 server are typically used to affect the website, so it shows malicious ads or redirects users to other websites.

How to Protect Your WordPress Website Against WP-VCD

Given that the malware spreads via pirated WordPress plugins, it shouldn’t be too difficult to avoid. The easiest way to prevent infection is not to download and use pirated plugins in the first place. Also, avoid downloading any kind of plugin from a suspicious or unauthorized source.

WordPress plugins can be modified by anyone with a degree of PHP knowledge, making downloading, and using pirated plugins a risk.

There have been several cases involving threat actors using coronavirus and the panic caused by the pandemic to fuel phishing and malware attacks. Protect yourself and your website by only downloading and installing plugins from authorized sites. Avoid installing any kind of pirated plugin as this opens your website up to all sorts of trouble.