This post I ghostwrote for CloudLinux’s Imunify360 blog describes how a new piece of WordPress malware was neutralized. I wrote it after talking with the DevOps staff, then boiling down the information into a concise description of the threat. My original text of the post is below.
Neutralizing Malware from the WPNull24 Site
The Imunify security team has identified a new threat: wpnull24.com, a site that provides “nulled” (modified for free use) WordPress themes that are infected with malware. These themes are particularly dangerous because installing one infects all of a site’s themes, plugins, and core WordPress files.
wpnull24.com represents a serious threat because it’s such a popular site, attracting over 50,000 visitors per day. Let’s examine how its nulled-theme malware works, see what identifies it, and learn how to neutralize it.
How this WordPress malware works
Once an infected theme is installed and activated, the theme’s functions.php file executes a malicious script in class.php:
The class.php file contains this malicious code:
The malicious code in class.php then infects the WordPress core file wp-load.php, along with other existing plugins and theme files. The injections, samples, and hashes below show how it drops standalone malware files:
This malware also upgrades and disguises itself:
- The file class.php is version 3 when downloaded, but after activation it upgrades itself to version 7.
- It self-whitelists in popular security plugins such as Wordfence and AllInOneSecurity.
It does that with the following code:
Here’s a diagram of the full infection scheme:
Here are code samples from a few of the malicious files:
How is this malware identified?
Some malicious samples contain the following code…
…where the value decodes to hxxp://connect.apies.org/. This appears to be an admin center for the malware.
This malware appears to be solely WordPress-based, so a WordPress installation will contain the initial dropper file:
It will contain these other files as well:
These grep patterns can also indicate infection:
As can these standalone malware sha256sums:
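To show how the indicators in this section can be turned into a check a server administrator can run, here is an added example scanner that is not part of the original post or of Imunify360. It walks a WordPress docroot, hashes every .php file against a list of known-bad sha256sums (left as a placeholder here, to be filled from the sums above), and looks for the command-center host connect.apies.org both as plain text and hidden inside an encoded string. The post does not name the encoding, so the script assumes base64; the sample PHP snippet at the bottom is constructed for the demonstration and is not taken from the real malware.

```python
import base64
import binascii
import hashlib
import os
import re

# Indicator taken from the post: the host the encoded string decodes to.
C2_HOST = b"connect.apies.org"

# Placeholder set: fill in with the standalone-malware sha256sums the post lists.
KNOWN_BAD_SHA256 = frozenset({"<sha256sum-from-the-post>"})

# Runs of base64 alphabet long enough to hide a URL (assumption: the encoded
# string in the samples is base64; the post does not name the encoding).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")


def sha256_hex(data: bytes) -> str:
    """Hex sha256 of a file's contents, for comparison against the known-bad list."""
    return hashlib.sha256(data).hexdigest()


def decoded_candidates(data: bytes):
    """Yield the decoding of every base64-looking run in data that decodes cleanly."""
    for match in B64_RUN.finditer(data):
        token = match.group(0).rstrip(b"=")
        padded = token + b"=" * (-len(token) % 4)
        try:
            yield base64.b64decode(padded, validate=True)
        except binascii.Error:
            # Not valid base64 (e.g. a long hex string); skip it.
            continue


def scan_bytes(data: bytes, bad_hashes=KNOWN_BAD_SHA256):
    """Return a list of (indicator, detail) findings for one file's contents."""
    findings = []
    digest = sha256_hex(data)
    if digest in bad_hashes:
        findings.append(("sha256-match", digest))
    if C2_HOST in data:
        findings.append(("plain-c2", C2_HOST.decode()))
    for blob in decoded_candidates(data):
        if C2_HOST in blob:
            findings.append(("encoded-c2", blob.decode("utf-8", errors="replace")))
    return findings


def scan_tree(root: str, bad_hashes=KNOWN_BAD_SHA256):
    """Scan every .php file under a WordPress docroot; return {path: findings}."""
    hits = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings = scan_bytes(fh.read(), bad_hashes)
            if findings:
                hits[path] = findings
    return hits


# Constructed sample (not the real malware): a PHP snippet that hides the
# command-center URL behind base64, as the post says the samples do.
SAMPLE_PHP = (b'<?php $endpoint = base64_decode("'
              + base64.b64encode(b"http://connect.apies.org/")
              + b'"); ?>')

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # Usage: python scan.py /var/www/html
        for path, findings in scan_tree(sys.argv[1]).items():
            print(path, findings)
    else:
        print(scan_bytes(SAMPLE_PHP))
```

Run it with the docroot as the only argument; any file that hashes to a listed sum or references the command-center host, plainly or encoded, is printed with the reason. A hit on the hash list identifies a dropped file exactly, while the encoded-string check catches the downloader code that the hashes alone would miss once the malware upgrades itself.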
How can this malware be neutralized?
If you’re using Imunify360, you should do these things to neutralize the malware in wpnull24.com themes:
- Enable "real-time" malware scans. Here are instructions on how to do that.
- Run a malware scan and perform cleanup. The malicious code in the themes includes these malware signatures:
- Change compromised WordPress admin and database credentials, and related FTP credentials as well. If any credentials have been compromised, they’ve already been sent to the malware’s command center.
- Set Proactive Defense to KILL mode. Its rules can prevent both the initial installation of this malware, and the spread of malware that’s already been installed.
How has the Imunify team responded?
The Imunify security team has emulated the server infection and identified all malicious actions. The malicious code has been labeled with corresponding signatures, which have been released to Imunify production versions.
The team has also detailed the malware spread scheme, and they’re using this “map” to protect servers against malicious theme installation and potential malware drop events.
In the upcoming version of Imunify360, Proactive Defense prevents the installation of this malware, both by blocking its include/execution code, and by employing rules created to cover its attack scheme. WAF will also block any malware access attempts.
Please share your feedback
The Imunify product team would like to hear from you. To share your ideas and observations, please send them to us at feedback@cloudlinux.com.
If you have questions on how to use Imunify360, or you’d like to resolve a support issue, please contact the Imunify360 support team at cloudlinux.zendesk.com.