A massive malware campaign has been found targeting WordPress websites.
The sites were compromised via obfuscated Javascript code, and they all redirect users to a domain hosting the Nuclear exploit kit, which is available commercially via the exploit kits-as-a-service model. The EK then scans for vulnerabilities in Flash, Adobe Reader or Acrobat, Internet Explorer and Silverlight; and, if a flaw is found, the infection delivers TeslaCrypt; what’s more, this Teslacrypt variant is identical to the other ransomware strains, so Cryptowall or other ransomware types could also infect the victim’s PC.
According to Andra Zaharia, marketing communications manager at Heimdal Security, hundreds of servers hosting WordPress-based websites have already been compromised. Further, antivirus detection of exploit code is low: only 2/66 on VirusTotal. Meanwhile, the payload also achieves only limited detection.
“Cyber criminals know that moving fast is key for maintaining their anonymity,” she said, in a blog. “So please note that the campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use.”
Heimdal has already blocked more than 85 domains that are being actively used in this campaign.
“These details make this particular malware campaign a massive one, and the trend is likely to continue,” Zaharia said. “With fileless malware infections and commercially-available exploit kit, the cybercrime scene is getting more complicated by the day.”
WordPress is a fairly common target for cyber-attackers, given how widely used it is for content management for websites.
Website owners that use WordPress can secure their servers and users by keeping their software and their operating system updated at all times; backing up data, often and in multiple locations; and using a security tool that can filter web traffic and protect against ransomware, which traditional antivirus cannot detect or block.
Photo © Zerbor