Denis Sinegubko (a security researcher from Sucuri) has discovered a new wave of the known malware wp-vcd that injects malicious WordPress admin users into vulnerable or hacked websites.
The researcher said that the wp-vcd malware is preinstalled inside pirated WordPress premium themes published for download for free on some websites, he noticed that the malicious code was loaded via the include function and injected malicious code into WordPress core files such as functions.php and class.wp.php.
According to Sucuri:
it was injecting its code on “wp-includes/class.wp.php”, this is an outdated strategy to avoid being detected by the unaware user; since nobody wants to delete WordPress core files and risk the site integrity. However, as security tools become more and more popular, this strategy fails. It’s now pretty easy for any tool to detect modifications on core files. And, since theme files are changed constantly, they found a better place to hide it.
The malware runs by adding a hidden admin user to the website’s database, with the username “100010010”. The hackers will use this secret account to access the affected websites so they can perform several malicious activities at later times.
The code is also straightforward and doesn’t cover its malicious intentions by encoding or obfuscation of functions…
Websites administrators are recommended to install themes and plugins only from trusted locations.