HackDig : Dig high-quality web security articles for hackers

«No Previous
No Next

Campaign of Compromised WordPress Websites Now Spreading Ransomware

2016-02-05 02:20

Three days ago we reported on a threat advisory issued by Sucuri researchers about a malicious campaign that leveraged compromised WordPress sites to push malware (Backdoor.Andromeda) via the Neutrino Exploit Kit.

Today, researchers from Heimdal Security are reporting about the same campaign, but say that they've seen it spreading a variant of the famous TeslaCrypt ransomware, a version with a very low detection rate on VirusTotal (2/56).

Heimdal Security researchers are saying they've blocked at least 85 domains used to spread the ransomware by now, but due to this campaign's specific make-up, this number is surely to go up in the following days.

What's strange about this particular attack on WordPress sites, is that whenever attackers compromise the websites, they use a malware strain that automatically injects all JavaScript files with malicious code. If other domains are also hosted on the same server, they're all infected as well, and if the developer attempts to clean one website, the other websites will infect it right back soon after.

This specific trait allowed the campaign to continue and even spread, and if at first it was just pushing annoying ads, two days later, Malwarebytes observed it started redirecting users to the Nuclear Exploit Kit.

Today things seem to have turned for the worst, and unless you're using an ad blocker or a security product that can detect these automatic hidden redirects, you probably won't notice anything fishy unless it's already too late.

TeslaCrypt ransom note
TeslaCrypt ransom note

Source: mcwRmcvdXLkV2cp12byBXbvNWLm9WLudWahBXbhN2LzdXZu9SbvNmLhlGZlBHdm92cuM3dl52LvoDc0RHa/ca.ssr.dps

Read:4623 | Comments:0 | Tags:Security Blog

“Campaign of Compromised WordPress Websites Now Spreading Ransomware”0 Comments

Submit A Comment



Blog :

Verification Code:


Tag Cloud