Have you ever wondered why malware is so hard to get rid of, and why, no matter how many times you run your malware scanner, infected files keep reappearing, as if by magic?
In this article, I’m going to show the inner workings of such persistent malware, by dissecting and unraveling some malware samples recently discovered by the Imunify360 cybersecurity product.
Wide-scale Brute Force Attacks Took Place on July 24, 2020

Brute force attacks are the most commonly spread type of cyber attack. The goal of the attacker is to gain access to a popular Content Management System (CMS) like WordPress and then use the CMS dashboard’s administrative permissions to perpetrate further infection of the website.
Our monitoring system detected a significant spike in the triggering of WordPress brute force protection rule on July 24. The attack lasted from 2am to 5pm UTC and consisted of approximately 15 million
Wide-scale Brute Force Attacks Took Place on July 24, 2020

Brute force attacks are the most commonly spread type of cyber attack. The goal of the attacker is to gain access to a popular Content Management System (CMS) like WordPress and then use the CMS dashboard’s administrative permissions to perpetrate further infection of the website.
Our monitoring system detected a significant spike in the triggering of WordPress brute force protection rule on July 24. The attack lasted from 2am to 5pm UTC and consisted of approximately 15 million
Imunify360 Live Webinar, Friday 14 August: New Features and Updates
Imunify360 Live Webinar, Friday 14 August: New Features and Updates
Customizing Google reCAPTCHA Keys

Prior to version 4.9, Imunify360 used embedded reCAPTCHA keys to show Google reCAPTCHA challenge for greylisted IP addresses and did not require any settings for captcha challenge. Starting from v4.9, Imunify360 admins can specify their own reCAPTCHA keys for the server.
In this article, you can find a step by step guide on how to set up a custom site and secret keys for your Imunify360 server.
Customizing Google reCAPTCHA Keys

Prior to version 4.9, Imunify360 used embedded reCAPTCHA keys to show Google reCAPTCHA challenge for greylisted IP addresses and did not require any settings for captcha challenge. Starting from v4.9, Imunify360 admins can specify their own reCAPTCHA keys for the server.
In this article, you can find a step by step guide on how to set up a custom site and secret keys for your Imunify360 server.
Vulnerable PressForward WordPress Plugin Was Available Almost a Year
.png)
The Imunify security team recently detected a vulnerable plugin in the WordPress plugin directory. It’s called PressForward, and it’s used to manage editorial workflow. This free plugin included an iframe that could be used to send visitors to a malicious web page.
The Imunify team identified the vulnerability in this plugin on the first of July, 2020. At the time it was discovered, the plugin was installed on 800+ websites, where it could be used to send visitors to phishing sites and conduct black SEO campaigns. The plugin’s change log indicates that it has been there for almost a year:
Vulnerable PressForward WordPress Plugin Was Available Almost a Year
.png)
The Imunify security team recently detected a vulnerable plugin in the WordPress plugin directory. It’s called PressForward, and it’s used to manage editorial workflow. This free plugin included an iframe that could be used to send visitors to a malicious web page.
The Imunify team identified the vulnerability in this plugin on the first of July, 2020. At the time it was discovered, the plugin was installed on 800+ websites, where it could be used to send visitors to phishing sites and conduct black SEO campaigns. The plugin’s change log indicates that it has been there for almost a year:
Neutralizing Malware From The WPNull24 Site
The Imunify security team has identified a security threat: a website, wpnull24.com, that provides WordPress themes infected with malware. This site offers “nulled” themes, or paid-for themes that have been modified so they can be downloaded for free.
The themes provided free of charge at wpnull24.com are particularly dangerous, because installing one of them infects all of a site’s themes, plugins, and core WordPress files with malware. Once a site is infected, it can be used for black SEO, phishing, and sending spam as well. Access to an infected site can also be sold to other cyber-criminals.
Neutralizing Malware From The WPNull24 Site
The Imunify security team has identified a security threat: a website, wpnull24.com, that provides WordPress themes infected with malware. This site offers “nulled” themes, or paid-for themes that have been modified so they can be downloaded for free.
The themes provided free of charge at wpnull24.com are particularly dangerous, because installing one of them infects all of a site’s themes, plugins, and core WordPress files with malware. Once a site is infected, it can be used for black SEO, phishing, and sending spam as well. Access to an infected site can also be sold to other cyber-criminals.
WAF (Web Application Firewall) Rules Auto-Configurator

The Web Application Firewall (WAF) is one of the key elements of Imunify’s web server protection system. It contains hundreds of rules to protect against all known (and some as-yet unknown) vulnerabilities.
Our rule-intensive WAF provides excellent protection, but it does have potential drawbacks. The more rules are included, the more resources Imunify can consume, and the slower the server can get. Also, including more rules can increase the number of false positives, or erroneously identified “threats.”
WAF (Web Application Firewall) Rules Auto-Configurator

The Web Application Firewall (WAF) is one of the key elements of Imunify’s web server protection system. It contains hundreds of rules to protect against all known (and some as-yet unknown) vulnerabilities.
Our rule-intensive WAF provides excellent protection, but it does have potential drawbacks. The more rules are included, the more resources Imunify can consume, and the slower the server can get. Also, including more rules can increase the number of false positives, or erroneously identified “threats.”
Malware Cleanup: A Safe Way To Remove Malicious Code from Wordpress Website

Over a typical 3-month span, the average server has around 1500 kinds of malware injected into its files. Lately, a great many of these injections have been occurring in WordPress installations. What should you do when malicious code is injected into WordPress files?
Malware Cleanup: A Safe Way To Remove Malicious Code from Wordpress Website

Over a typical 3-month span, the average server has around 1500 kinds of malware injected into its files. Lately, a great many of these injections have been occurring in WordPress installations. What should you do when malicious code is injected into WordPress files?
Fixing A Vulnerability In bbPress Plugin For WordPress

bbPress, a popular WordPress plugin, was recently found to contain a serious vulnerability.
How should bbPress users address it? The best way is to update the plugin and install the latest version. But if they can’t or don’t do this, Imunify has them covered. Read below to find out how.
Fixing A Vulnerability In bbPress Plugin For WordPress

bbPress, a popular WordPress plugin, was recently found to contain a serious vulnerability.
How should bbPress users address it? The best way is to update the plugin and install the latest version. But if they can’t or don’t do this, Imunify has them covered. Read below to find out how.
False Positive SMW-BLKH-46666-auto from Wordpress file
Description
8 Jun, 2020 new Black Hashes DB for Imunify products were released.
Release details:
UUID: 0d09db4d-8610-4a74-b026-1934bb1e9854
Date: 2020-06-08
By this update legitimate WordPress file wp-blog-header.php was rated as malicious with verdict SMW-BLKH-46666-auto which caused False Positive alerts.
False Positive SMW-BLKH-46666-auto from Wordpress file
Description
8 Jun, 2020 new Black Hashes DB for Imunify products were released.
Release details:
UUID: 0d09db4d-8610-4a74-b026-1934bb1e9854
Date: 2020-06-08
By this update legitimate WordPress file wp-blog-header.php was rated as malicious with verdict SMW-BLKH-46666-auto which caused False Positive alerts.
Fixing IMAP Performance Issues
What are the issues?
In some cases, users of Imunify360 v4.7 can experience issues with IMAP authorization performance. These issues are related to the amount of UDP traffic produced when Imunify360 protects a server against brute force mail attacks.
Fixing IMAP Performance Issues
What are the issues?
In some cases, users of Imunify360 v4.7 can experience issues with IMAP authorization performance. These issues are related to the amount of UDP traffic produced when Imunify360 protects a server against brute force mail attacks.