This is an update for the long-lasting malware campaign targeting vulnerable plugins since January. Please check our previous updates below:
- Multi-Vector Attack in Server Logs: March 2019
- Plugins Added to Malicious Campaign - April 2019
- Malware Campaign Evolves to Target New Plugins: May 2019
- Plugins Under Attack: June 2019
- Plugins Under Attack: July 2019
- Plugins Under Attack: August 2019
- Plugins Under Attack: September 2019
- Plugins Under Attack: October 2019
Plugins Under Attack: November 2019
Although attackers focused on infecting sites via attack vectors described here, we were able to detect the same behavior aiming plugins at the very end of this month.
Plugins that are continuing to be leveraged by attackers are:
- Rich Reviews
- Blog Designer
- WP Live Chat Support
- Yellow Pencil Visual Theme Customizer
- Social Warfare
- Yuzo Related Post
Plugin Payloads Added to the Campaign
220.127.116.11 - action=simple_fields_do_import&import-json=%7B%0A++++%22field_groups%22%3A+%7B%0A++++++++%221%22%3A+%7B%0A++++++++++++%22id%22%3A+1%2C%0A++++++++++++%22key%22%3A+%22test%22%2C%0A++++++++++++%22slug%22%3A+%22test%22%2C%0A++++++++++++%22name%22%3A+%22test%22%2C%0A++++++++++++%22description%22%3A+%22%22%2C%0A++++++++++++%22repeatable%22%3A+false%2C%0A++++++++++++%22fields%22%3A+%5B%5D%2C%0A++++++++++++%22fields_by_slug%22%3A+%5B%5D%2C%0A++++++++++++%22deleted%22%3A+false%2C%0A++++++++++++%22gui_view%...skipped...%22deleted%22%3A+false%2C%0A++++++++++++%22hide_editor%22%3A+false%2C%0A++++++++++++%22added_with_code%22%3A+false%2C%0A++++++++++++%22field_groups_count%22%3A+1%0A++++++++%7D%0A++++%7D%2C%0A++++%22post_type_defaults%22%3A+%5B%0A++++++++false%0A++++%5D%0A%7D&import-what=textarea&simple-fields-import-type=replace [23/Nov/2019:13:02:05 +0000] "POST /wp-admin/admin-post.php HTTP/1.1"
Malicious Domains and IPs:
18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11
We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.