- Jun 9, 2013
- 6,720
Sites exploited by SoakSoak bots give the gift of CryptXXX malware.
If you've visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for. These sites are redirecting visitors to a malicious website that attempts to install CryptXXX—a strain of cryptographic ransomware first discovered in April.
The sites were most likely exploited by a botnet called SoakSoak or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin.
In this recent wave of compromises, SoakSoak planted code that redirects visitors to a website hosting the Neutrino Exploit Kit, a "commercial" malware dropping Web tool sold through underground marketplaces. The latest string of compromises appears to have begun in May. But since then, both the malware kit and the ransomware have been upgraded. The latest version of the exploit kit attempts to evade security software or virtual machines.
"Once a victim is redirected to the Neutrino Exploit Kit, the endpoint is scanned to check if it is using any security software such as VMWare, Wireshark, ESET, Fiddler, or a Flash player debugging utility," Pat Belcher of the endpoint security software vendor Invincea wrote in a blog post. "If those programs are not present on the victim host the Command Shell is opened and the windows utility of Wscript is accessed to download the ransomware payload from a Command and Control server."
Full Article. Wave of business websites hijacked to deliver crypto-ransomware
If you've visited the do-it-yourself project site of Dunlop Adhesives, the official tourism site for Guatemala, or a number of other legitimate (or in some cases, marginally legitimate) websites, you may have gotten more than the information you were looking for. These sites are redirecting visitors to a malicious website that attempts to install CryptXXX—a strain of cryptographic ransomware first discovered in April.
The sites were most likely exploited by a botnet called SoakSoak or a similar automated attack looking for vulnerable WordPress plugins and other unpatched content management tools, according to a report from researchers at the endpoint security software vendor Invincea. SoakSoak, named for the Russian domain it originally launched from, has been around for some time and has exploited thousands of websites. In December of 2014, Google was forced to blacklist over 11,000 domains in a single day after the botnet compromised their associated websites by going after the WordPress RevSlider plugin.
In this recent wave of compromises, SoakSoak planted code that redirects visitors to a website hosting the Neutrino Exploit Kit, a "commercial" malware dropping Web tool sold through underground marketplaces. The latest string of compromises appears to have begun in May. But since then, both the malware kit and the ransomware have been upgraded. The latest version of the exploit kit attempts to evade security software or virtual machines.
"Once a victim is redirected to the Neutrino Exploit Kit, the endpoint is scanned to check if it is using any security software such as VMWare, Wireshark, ESET, Fiddler, or a Flash player debugging utility," Pat Belcher of the endpoint security software vendor Invincea wrote in a blog post. "If those programs are not present on the victim host the Command Shell is opened and the windows utility of Wscript is accessed to download the ransomware payload from a Command and Control server."
Full Article. Wave of business websites hijacked to deliver crypto-ransomware
![[correlate]](/data/avatars/s/79/79653.jpg?1556985072){kind=avatar}