An active supply chain campaign that has been ongoing since late 2017 has infected at least 20,000 websites via malicious WordPress themes and plugins, Prevailion reports.
Dubbed PHPs Labyrinth, the campaign used 30 different WordPress marketplace platforms to distribute trojanized versions of premium themes. All the suspicious sites feature a similar template and all seem to be operated by the same threat actor.
The most prominent platform distributing the trojanized themes appears to be Vestathemes[dot]com, which claims to be offering thousands of pirated WordPress themes and plugins.
While they discovered signs of compromise on over 20,000 websites all around the world, Prevailion researchers believe that the number of infected sites is much higher, “potentially in the hundreds of thousands.”
Once a site owner installs a trojanized theme, the attackers gain full control over the server: they can add their own administrative account and recover the web admin's email address and WordPress password hash.
In most cases, the infected servers were added to the Propeller Ads advertising network, which is associated with malvertising, the Fallout exploit kit, and other malicious activities, the researchers note.
All of the trojanized themes contain a "class.theme-module.php" or "class.plugin-modules.php" file added by the attackers. The file periodically rotates the command and control (C&C) node, retrieves and writes the first-stage C&C address, and performs reconnaissance.
The file then checks for the presence of certain files, such as post.php and wp-vcd.php, and creates them if they are not found. Once the new wp-vcd.php file has been created, class.theme-module.php is deleted, leaving wp-vcd.php behind as the persistent stage.
Initially, the adversary used CloudFlare, but moved all its sites to a single IP address between December 2019 and January 2020, after Wordfence exposed the attack in November 2019. The threat actor also removed secondary and tertiary communications channels from the infected sites.
Prevailion says the threat actor uses the first-stage C&C server to append code to existing files on the infected servers, execute the wp-vcd.php file, and download additional code. This includes a persistent cookie served to site visitors arriving from Google, Yahoo, Yandex, MSN, Baidu, Bing, or DoubleClick.
A new segment of code added to functions.php also beacons out information such as the visitor's IP address, a bot number, a "pack" value, and the visiting browser's user-agent string. The researchers identified multiple domains referenced in the code, but believe that some of them are relays.
The attackers also attempted to raise the search engine optimization (SEO) profile of their sites by running a series of commands on the compromised domains. They also added anti-adblocker code, which has been in use since at least September 2019.
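The file-level indicators above (the dropper class.theme-module.php / class.plugin-modules.php, the planted wp-vcd.php stage, and injected code in functions.php that keys on search-engine referrers) are the kind of thing a site operator can check for directly. The scanner below is an added example written for this page, not Prevailion's or Wordfence's tooling. The file names come from the article; the content heuristics for functions.php (an include of wp-vcd.php, or a setcookie() call combined with HTTP_REFERER and several search-engine names) are this example's own assumptions, and the sample WordPress tree it builds is constructed, not a real capture.

```python
"""Scan a WordPress install for the artifacts described in the article.

Added example; file names are from the article, the functions.php
heuristics are assumptions of this example.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# File names the article attributes to the campaign. post.php is deliberately
# absent: wp-includes/post.php and wp-admin/post.php are legitimate core files,
# so that name alone is not an indicator.
DROPPER_FILENAMES = {
    "class.theme-module.php",
    "class.plugin-modules.php",
    "wp-vcd.php",
}

# Heuristics for injected functions.php code (assumptions of this example,
# not signatures published by the researchers).
INCLUDES_WPVCD = re.compile(
    r"\b(?:include|require)(?:_once)?\b[^;]*wp-vcd\.php", re.IGNORECASE)
READS_REFERER = re.compile(r"HTTP_REFERER", re.IGNORECASE)
SEARCH_ENGINES = re.compile(
    r"google|yahoo|yandex|msn|baidu|bing|doubleclick", re.IGNORECASE)
SETS_COOKIE = re.compile(r"\bsetcookie\s*\(", re.IGNORECASE)


@dataclass(frozen=True, order=True)
class Finding:
    path: str    # relative to the scanned root, always '/'-separated
    reason: str


def inspect_functions_php(text):
    """Return the reasons (possibly none) a functions.php looks injected."""
    reasons = []
    if INCLUDES_WPVCD.search(text):
        reasons.append("functions.php includes wp-vcd.php")
    engines = {m.lower() for m in SEARCH_ENGINES.findall(text)}
    if READS_REFERER.search(text) and SETS_COOKIE.search(text) and len(engines) >= 3:
        reasons.append("functions.php sets a cookie keyed on search-engine referrers")
    return reasons


def scan_wordpress_tree(root):
    """Walk a WordPress install and return a sorted list of Findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name in DROPPER_FILENAMES:
                findings.append(Finding(rel, "file name matches known campaign artifact"))
            elif name == "functions.php":
                with open(full, encoding="utf-8", errors="replace") as fh:
                    for reason in inspect_functions_php(fh.read()):
                        findings.append(Finding(rel, reason))
    return sorted(findings)


# Constructed sample content for the demo tree; not real malware.
CLEAN_FUNCTIONS = "<?php\nadd_theme_support('post-thumbnails');\n"
INJECTED_FUNCTIONS = """<?php
add_theme_support('post-thumbnails');
if (file_exists(ABSPATH . 'wp-includes/wp-vcd.php')) { include_once(ABSPATH . 'wp-includes/wp-vcd.php'); }
$ref = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if (preg_match('/google|yahoo|yandex|bing|baidu/i', $ref)) { setcookie('ref', '1', time() + 31536000); }
"""


def build_demo_tree():
    """Create a temporary, constructed WordPress layout with one clean and one trojanized theme."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    layout = {
        "wp-includes/post.php": "<?php // legitimate core file name\n",
        "wp-includes/wp-vcd.php": "<?php // planted stage file\n",
        "wp-content/themes/clean/functions.php": CLEAN_FUNCTIONS,
        "wp-content/themes/pirated/functions.php": INJECTED_FUNCTIONS,
        "wp-content/themes/pirated/class.theme-module.php": "<?php // dropper\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_wordpress_tree(build_demo_tree()):
        print(f"{f.path}: {f.reason}")
```

Run against a real install (`scan_wordpress_tree("/var/www/html")`) the name-based checks are low-noise, since wp-vcd.php and the class.*-module(s).php droppers are not part of WordPress core. The functions.php heuristic is deliberately conservative (referrer read, cookie set, and at least three search-engine names together) because legitimate themes do occasionally set cookies; treat a hit as a prompt to diff the file against the vendor's original rather than as proof on its own.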
While the victims are spread all around the world across multiple sectors, suggesting that this was not a targeted attack, the researchers did notice that small to medium-sized businesses accounted for more than a fifth of the compromised entities.
More prominent victims include a decentralized crypto-mining website, a U.S.-based stock trading firm, a small U.S. bank, a government-run petrochemical organization, a U.S. insurance company, a large U.S. manufacturer, a U.S. payment card solutions organization, and an IT services organization in the U.S.
“At this time, the threat actor seems content with generating revenue off the advertising aspect of this campaign; however we cannot ignore the fact that in its present state, it has metastasized into a massive botnet, with all the potential issues that represents. This could also have far reaching impact as it gives other criminals a platform to perform malvertising and use various exploit kits to amplify their reach,” Prevailion concludes.