We are seeing dozens of WordPress sites compromised recently with the same malicious code redirecting to the Angler exploit kit.
The attack involves conditionally embedded large snippets of code at the bottom of the sites’ source page. It is important to stress this is a conditional injection because webmasters trying to identify the issue may not see it unless they browse from a fresh IP address and a particular user-agent (Internet Explorer being the most likely to get hit).
In the last few days, we saw some popular blogs being impacted, includingblogs.independent.co.uk the blog for UK’s newspaper The Independent.
WordPress compromises
The rogue code loads a Flash video file from a suspicious top-level domain name such as .ga, .tkor .ml which is used to redirect visitors to the Angler exploit kit. This is the same attack pattern we documented over a year ago (Exposing the Flash ‘EITest’ malware campaign).
It’s quite likely these compromises are happening through known vulnerabilities in either WordPress or one of its plugins. According to SiteCheck from web security company Sucuri, The Independent‘s blog was running an old version of WordPress (2.9.2). The latest WordPress version is 4.3.1.
This particular ‘EITest campaign’ never actually stopped and saw an increase in the last few months which has been sustained up until now.
Angler EK
Angler EK exploits Flash Player up until version 19.0.0.207, which was patched by Adobe on October 16.
Malwarebytes Anti-Exploit blocks this attack thanks to its proactive exploit mitigation. Unprotected users would have been infected with the Tinba banking Trojan.
We informed The Independent about this compromise but have not heard back from them. If you are a site owner, remember to always keep your website and its CMS up to date. It’s also important to use proper passwords and harden the infrastructure as much as you can to reduce the surface of attack.
If your WordPress site has been affected, keep in mind that the malicious injected code is just part of the symptoms from having your site hacked. It’s important to identify backdoors, .htaccessmodifications as well as the original entry point, by looking at your access and error logs.
IOCs:
- Regex to find embedded redirection URLs: \.php\?(s|)id\=[A-Z0-9]{50}
- Flash redirector (.tk domains): 1168ccce0808ee8214dbccb080772ea4
- Flash exploit (Angler): eed1e7fb49a23c9845015796f1b17449
- Malware: 31fe96da59ca2b57deaa81d113aba2d2
Source:https://blog.malwarebytes.org
Working as a cyber security solutions architect, Alisa focuses on application and network security. Before joining us she held a cyber security researcher positions within a variety of cyber security start-ups. She also experience in different industry domains like finance, healthcare and consumer products.