These free WordPress themes and plugins might contain malware. Avoid their installation

WordPress is probably the most popular content management system (CMS) today, so it’s no wonder it’s also the subject of multiple cybersecurity threats. According to cybersecurity experts, the most serious of these threats is a criminal campaign deployed by a group identified as WP-VCD, from which most hacking incidents against WordPress sites stem.

A report published by the specialized platform ZDNet provides extensive details about this attack campaign, addressing one topic with special interest: the fact that these hackers do not exploit vulnerabilities to infiltrate compromised sites and Install backdoors, but they use pirated versions of legitimate WordPress themes and plugins, so they should just wait for a website administrator to download and install the infected software.

Cybersecurity experts detected multiple signs of these hackers’ activity on fraudulent websites, offering pirated versions of paid WordPress plugins and themes. In addition, all of these malicious sites have good rankings in search results because they receive keyword boost from all WordPress sites that have already been hacked, cybersecurity experts report, so it’s really easy for a user to find this malware.

The sites where this malicious activity was detected are:

  • www.download-freethemes.download
  • www.downloadfreethemes.co
  • www.downloadfreethemes.space
  • www.downloadnulled.pw
  • www.downloadnulled.top
  • www.freenulled.top
  • www.nulledzip.download
  • www.themesfreedownload.net
  • www.themesfreedownload.top
  • www.vestathemes.com

To check this behavior, cybersecurity experts performed a Google search, entering the name of some popular WordPress themes along with the word ‘download’, discovering that the first page of results shows at least three of these sites.

After website administrators download any of the infected plugins or themes, it’s only a few seconds before their WordPress site is fully compromised. Downloading these components adds a backdoor identified as ‘100010010’ to the target site, ensuring that hackers have a way to access the installation.

Subsequently, the WP-VCD malware is added to all the topics used on the site, to prevent it from disappearing from the system due to a possible de-installation. Finally, if the malware acts in a shared hosting environment, it can be spread to other servers, infecting other sites hosted on the same system. 

According to the experts of the International Institute of Cyber Security (IICS), the main goal of these hackers is to use the hacked sites to create a botnet and, from a C&C, control all the activities of these sites.