In recent days, users have been infected with a different version of wp_vcd. In this most recent version, the malware payload containing the malicious links is dropped in a wp_includes/wp_xxx.php file instead of the wp-vcd.php file. To detect the new version, search your files for the following strings:
- "apu.php?zoneid"
- "notice.php?p"
- "ntfc.php?p"
You can locate the "themes level" infection by searching for the following string:
"if (isset($_REQUEST['action']) && isset($_REQUEST['password'])"

Another key feature is the set of malicious domains associated with the latest variant of wp_vcd. Payload analysts have identified the following domains as injecting the malware:
- go.onclasrv[.]com
- go.mobisla[.]com
- luckypushh[.]com
- go.mobtrks[.]com
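The string search described above (the payload indicators, the "themes level" condition and the listed domains) can be automated in a single file scan. The following is an added example written for this page, not code from the original post or from any detection product: it walks a WordPress install, flags any PHP/JS/HTML file containing one of the indicators, and builds a small constructed site tree (one infected include, one infected theme file, one clean file) so it can be run offline. The domains are stored without the "[.]" defanging so they match raw file contents; the sample file names and contents are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path

# Indicator strings quoted in the advisory for the new wp_vcd variant.
PAYLOAD_INDICATORS = [
    "apu.php?zoneid",
    "notice.php?p",
    "ntfc.php?p",
]
# "Themes level" infection signature quoted in the advisory.
THEME_INDICATOR = "if (isset($_REQUEST['action']) && isset($_REQUEST['password'])"
# Domains listed in the advisory (defanging removed so they match file contents).
MALICIOUS_DOMAINS = [
    "go.onclasrv.com",
    "go.mobisla.com",
    "luckypushh.com",
    "go.mobtrks.com",
]


def classify_file(text):
    """Return a list of (category, indicator) hits found in one file's text."""
    hits = []
    for s in PAYLOAD_INDICATORS:
        if s in text:
            hits.append(("payload", s))
    if THEME_INDICATOR in text:
        hits.append(("theme", THEME_INDICATOR))
    for d in MALICIOUS_DOMAINS:
        if d in text:
            hits.append(("domain", d))
    return hits


def scan_tree(root, extensions=(".php", ".js", ".html")):
    """Walk root and return {relative_path: hits} for every file with at least one hit."""
    findings = {}
    root = Path(root)
    for path in root.rglob("*"):
        if not path.is_file() or path.suffix.lower() not in extensions:
            continue
        try:
            # errors="replace" keeps the scan going on binary junk or odd encodings.
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = classify_file(text)
        if hits:
            rel = str(path.relative_to(root)).replace(os.sep, "/")
            findings[rel] = hits
    return findings


def build_sample_site():
    """Create a constructed WordPress-like tree for the demo and return its root path."""
    root = Path(tempfile.mkdtemp(prefix="wpvcd_demo_"))
    (root / "wp_includes").mkdir()
    (root / "wp-content" / "themes" / "demo").mkdir(parents=True)
    # Constructed sample of the dropped include: contains a payload indicator and a listed domain.
    (root / "wp_includes" / "wp_xxx.php").write_text(
        "<?php // constructed sample for the demo\n"
        "$u = 'http://go.onclasrv.com/apu.php?zoneid=1';\n",
        encoding="utf-8",
    )
    # Constructed sample of a theme file carrying the "themes level" signature (inside a comment).
    (root / "wp-content" / "themes" / "demo" / "functions.php").write_text(
        "<?php // constructed sample for the demo\n"
        "// " + THEME_INDICATOR + ")\n",
        encoding="utf-8",
    )
    # Clean file that must not be reported.
    (root / "index.php").write_text("<?php echo 'hello';\n", encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    site = build_sample_site()
    for rel_path, hits in sorted(scan_tree(site).items()):
        for category, indicator in hits:
            print(f"{rel_path}: {category} indicator {indicator!r}")
```

Run it against a real install with `scan_tree("/path/to/wordpress")` instead of the constructed tree; a hit on a payload indicator or domain is a strong signal, while the "themes level" string should be reviewed in context, since a legitimate plugin could in principle test both request parameters.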
Upon execution, the payload redirects visitors to other websites. For instance, in the example below, visitors who reach go.onclasrv[.]com are redirected to cobalten[.]com, which currently displays an empty page: