Free trojanized WordPress themes lead to widespread compromise of web servers

Over 20,000 web servers (and who knows how many websites) have been compromised via trojanized WordPress themes to deliver malware through malicious ads, Prevailion researchers have discovered.

The compromised servers are located across the globe and more than a fifth of all compromised entities are small to medium sized businesses.

“This is most likely due to the fact that many lack the necessary funding or human capital to build a completely custom website, unlike larger, more established firms,” the company noted.

The scheme

The cybercriminals behind this scheme have been at it since late 2017 and they are not stopping.

They are taking advantage of the widespread use of the WordPress content management system, an increased demand for premium themes and victims’ lack of security awareness to get them to unknowingly compromise their own web servers.

To do that, they’ve set up as many as 30 websites that ostensibly offer thousands of free, pirated WordPress themes and plugins and hosted the trojanized themes and plugins on them – among the most popular ones were Ultimate Support Chat, WooCommerce product filter and Slider Revolution.

Oblivious victims download and install the trojanized packages, which drop malicious files that allow the criminals to gain full control over the web server. They can then add an administrative account, recover the web admin’s email account and WordPress password hash, and possibly recover the password from it. (If the admin used the same password for other accounts, it may even allow them to access so some corporate resources.)

The delivered loader, first and second stage malware do things like:

• Establish communications with the C&C server
• Download additional files from it
• Add a persistent cookie to website visitors who came to the site from one of several search engines and add their IP address to a list
• Collect information about the compromised machine

They also allow the criminals to add web links or keywords to existing or new web pages on the compromised domain (to raise the sites’ SEO profile), display ads on the visited webpage even if the end-user is using an ad-blocker, and deliver either legitimate or malicious ads via the advertising service Propeller Ads.

“In numerous cases, the advertisements were completely benign and would direct the end user to a legitimate service or website. In other cases however, we observed pop-up ads prompting the user to download potentially unwanted programs (PUP),” the researchers noted.

In other cases, the ad would redirect them to a domain hosting an exploit kit. If successful, the kit would drop a malware downloader onto the victim’s machine.

What can you do?

The researchers advise organizations to avoid using pirated software, enable and update Windows Defender if their web server is running Windows, and not to reuse passwords across multiple accounts.

End users should regularly update their OS and software and consider using a plugin like NoScript to prevent remote JavaScript code from running on their machine.

The researchers named the malicious sites offering the trojanized themes and offered indicators of compromised that can help organizations check and detect whether their web servers have been compromised.