Security Alert: Ransomware Delivered by Compromised WordPress Websites

Our team warns that a disproportionate amount of websites that employ the WordPress platform have been compromised by cyber criminals.

Hundreds of WordPress websites spreading malware

The attackers fed obfuscated Javascript code to these websites. The users who end up on the hacked websites are redirected on a domain called “chrenovuihren” via multiple servers. You can see a typical infection chain below: [Compromised, legitimate Website running WordPress] -> http:// js[.]chrenovuihren [.] Org / mobile /? Id = [campaign ID] & keyword = [coded ID] The many malicious scripts injected into WordPress websites move all the traffic to the domain called “chrenovuihren”, where all the users see the following title: [title] Advertised [/ title] This online advertisement forces the traffic to the servers that host the exploit kit, which all try to exploit vulnerabilities on the victim’s system. The attackers manage to achieve this by using the Nuclear exploit kit, which is available commercially via the exploit kits-as-a-service model. Nuclear can exploit vulnerabilities in:

• Adobe Flash Player
• Adobe Reader / Acrobat
• Internet Explorer
• Silverlight.

Hundreds of servers hosting WordPress-based websites have already been compromised.

Cyber criminal infrastructure details

We can also confirm that the following IP addresses are active Nuclear gateways (sanitized by Heimdal Security): 159,203.24 [.] 40 164,132.80 [.] 71 162,243.77 [.] 214 Cyber criminals know that moving fast is key for maintaining their anonymity. So please note that the campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use. A small selection of the malicious domains involved in this campaign is reproduced below (sanitized by Heimdal Security): [% Subdomain%]. Chrenovuihren [.] Com [% Subdomain%]. Chrenovuihren [.] Biz [% Subdomain%]. Chrenovuihren [.] Net [% Subdomain%]. Chrenovuihren [.] Org If the victim’s computer is not properly updated, then the system will be fed Teslacrypt ransomware. What’s more, this Teslacrypt variant is identical to the other ransomware strains, so Cryptowall or other ransomware types could also infect the victim’s PC. We have already blocked more than 85 domains that are being actively used in this campaign, and the list will most likely increase. As you can see, antivirus detection of exploit code is low: only 2/66 on VirusTotal. Meanwhile, the payload also achieves only limited detection. Click here for the full detection rate on VirusTotal at the time the campaign was announced.

Conclusion

These details make this particular malware campaign a massive one, and the trends is likely to continue. Only 3 days ago, Sucuri Security also announced a huge campaign targeting WordPress websites in which cyber criminals “injected encrypted code at the end of all legitimate .js files”. The same group of attackers behind both campaigns, but that information is not confirmed. With fileless malware infections and commercially-available exploit kit, the cyber crime scene is getting more complicated by the day. This is why we urge website owners that use WordPress to secure their servers and Internet users to follow key recommendations to get protected against ransomware:

• Keep software and your operating system updated at all times
• Backup your data, do it often and in multiple locations
• Use a security tool that can filter your web traffic and protect you against ransomware, which traditional antivirus cannot detect or block.

If you liked this post, you will enjoy our newsletter.

Get cybersecurity updates you'll actually want to read directly in your inbox.

I agree to have the submitted data processed by Heimdal Security according to the Privacy Policy