An inside look at WP-VCD, today's largest WordPress hacking operation

A Wordfence report shared exclusively with ZDNet shows how the gang and its malware operates, what they're after, and how to avoid becoming their next victim.
Written by Catalin Cimpanu, Contributor

Today's top WordPress malware threat is a criminal operation known as WP-VCD, currently responsible for the vast majority of hacked WordPress sites, according to a Wordfence report shared exclusively with ZDNet.

The report details in great depth how the WP-VCD gang is spreading their malware, how the malware works down to its nuts and bolts, what are the crooks' end goal, and OpSec leaks that may have exposed one of the members' true identity.

Spreading via pirated themes and plugins

But if there's one theme in the entire report is that these infections could have been very easily avoided. The WP-VCD gang does not use vulnerabilities to break into sites and install backdoors.

Instead, they rely on webmasters infecting themselves by downloading and installing pirated (nulled) themes and plugins for their WordPress sites.

The gang operates a large network of websites -- see list below -- where they offer boobytrapped pirated themes and plugins. On these sites, the group offers free downloads of popular commercial themes, usually sold on private stores or on popular sites like ThemeForest or CodeCanyon.



All these sites for distributing the boobytrapped pirated themes and plugins have phenomenal SEO. They rank well in search results because these sites are all getting a keyword boost from all the currently hacked sites that have been infected with the WP-VCD malware -- in a classic evil loop effect.

Searching for the name of any popular WordPress theme and the "download" term usually yields up to two or three of these bad sites, right at the top of Google search results.

This effectively guarantees a fresh stream of victims landing on the malicious sites on a daily basis, feeding new victims into the WP-VCD botnet.


A WP-VCD infection is usually pretty bad

Once users install any of the boobytrapped themes and plugins they downloaded from these distribution sites, their WordPress installations are hacked and taken over within seconds.

For starters, a backdoor account with the name 100010010 is added to each site, ensuring that the WP-VCD operators have a way of accessing each victim's installation using a legitimately registered user.

Second, the WP-VCD malware is added to all of the site's themes. This is done in case the user is only testing pirated themes. In case they don't go with the infected one, the WP-VCD code still runs from within the other themes.

Third, if it's a shared hosting environment, the malware also spreads to the underlying server, infecting other sites hosted on the same system -- effectively penalizing users who invested in their site's security, only to be outdone by a bumbling webmaster next door.

How WP-VCD crooks make their money

The purpose of all of this is to create a botnet of hacked sites that report back to a central command and control (C&C) network. From there, the WP-VCD gang can control what happens to all the hacked sites.

According to Wordfence, the group has generally focused on two avenues. The first is for their own benefit and involves inserting keywords and backlinks back to their distribution sites.

This way, all the hacked sites help improve the distribution sites' visibility in search results, feeding the botnet new gullible webmasters.

The second avenue is how the WP-VCD gang makes its money, namely malvertising. Per Wordfence analyst Mikey Veenstra, the WP-VCD gang inserts ads on hacked websites. These ads often contain additional malicious code that sometimes opens popups or redirect users to other malicious sites.

The WP-VCD gang is making money via the ads, but also from these pay-per-user redirections, funneling would-be victims to another gang's malware operation.

Hacking WordPress sites since 2017

This complex modus operandi wasn't built in a day. WP-VCD has been around since at least February 2017, becoming more and more prevalent over the course of that year [1, 2].

Nowadays, Wordfence says WP-VCD is today's top hacking group on the WordPress landscape.

"According to malware scan results across the Wordfence network, WP-VCD is installed on more new sites per week than any other malware in recent months," Veenstra said.

"The malware's prevalence is surprising since the campaign itself has been active for more than two years," the Wordfence analyst added, referring to the fact that most campaigns die out as webmasters deploy countermeasures.

But because WP-VCD exploits the human factor (users looking to install commercial themes without paying), there's no amount of patching or firewalls that can prevent WP-VCD infections.

Down the rabbit hole

But this deep dive into WP-VCD's operation has also unearthed some clues about who might be behind it. Wordfence says that while the vast majority of domains used by the WP-VCD gang have been registered using privacy protections, some older ones slipped through the cracks.

Specifically, some domains were registered by a man named Sharif Mamdouh, Wordfence said.

Furthermore, some of the WP-VCD domains were also linked to hacks on Joomla sites going as far back as 2013, according to complaints and hack details some Joomla site admins shared on support forums.

However, it is unclear if this is a legitimate name, or a stolen identity. Tracking down the WP-VCD gang will require additional investigations, and most likely, law enforcement involvement.

In the meantime, WordPress site owners should keep in mind that when something is free, then "you're the product" -- in this case, your site, which has now been corralled into a cybercrime operation.

Installing pirated content in 2019 is definitely a security no-no, and should never be done, regardless if it's a desktop app or a WordPress theme.

For a closer look at the WP-VCD campaign, the Wordfence report can be downloaded from the company's site.

Provision a WordPress site in 30 minutes or less using Amazon AWS Lightsail

Editorial standards