Researchers at WordFence have eyed a recent uptick in attacks on WordPress involving WP-VCD backdoor malware. Since August 2019, no other WordPress-targeting malware has yielded a higher rate of new infections that WP-VCD, the company reported this week in a blog post and in-depth white paper.

Such findings suggest that the malware, whose main purpose is to enable black hat SEO and malvertising activity, continues to pay off for attackers since it was first reported in the wild as far back as February 2017.

Website developers and administrators who use WordPress are typically infected with WP-VCD upon downloading malicious plugins or themes from unofficial third-party sites, states the Wordfence report, authored by Mikey Veenstra. Thanks to the attackers’ mastery of SEO, these pirated or “nulled” software programs can often be found on websites with high Google search term rankings, making them seem credible.

Once activated, the malware executes a deployer script that compromises the site by injecting backdoors into already installed themes, the report continues. Sneakily, this deployer eventually removes its own code from the malicious theme or plugin to hide evidence of the crime.

The backdoor relies on a robust C2 infrastructure with multiple redundancies to maintain its persistence, and it can further propagate itself by moving laterally through an affected hosting environment and scanning for and infecting other WordPress sites that share this environment. And some versions of the malware have even been known to introduce a second backdoor by creating attacker-controlled administrator accounts, Wordfence explains.

Attackers profit from WP-VCD through the injection of malvertising code that generates pop-up ads, initiates dangerous redirects or opens up new browser tabs that lead to shady content. Meanwhile, the search engine manipulation, achieved via black hat SEO techniques, leads more unsuspecting victims back to the malicious plugin sites. The components responsible such functionality are delivered to the infected WordPress sites via the C2 server at the time of the threat actor’s choosing.

“If legitimate plugins purchased from known sites are vulnerable, you can imagine the hazards that come with obtaining a pirate copy from a rogue site for free. In fact, nothing is truly free,” said Mike Bittner, associate director of digital security and operations for The Media Trust, in emailed comments. “These sites ensnare website operators with pirate copies so they can compromise site users’ machines for theft or fraud.”

“The security and privacy risks with legitimate plugins are high since too many have not been designed with strong defenses,” Bittner continued. “The most potent defense for today’s site owners is to stay far left of any breaches by maintaining a mindset that anticipates risks at every turn. Carefully vet what is allowed to run on a website and continually monitor that site. Anything out of the ordinary will harm users or erode user experience.”