sinu

This new campaign seems to be utilizing the Neutrino Exploit Kit and uses a combination of hacked WordPress sites, hidden iframes, Internet Explorer, a Hacking Team Flash exploit, and the CryptoWall ransomware.

A complicated, yet effective infection cycle
As Zscaler researchers explain, the starting point of this new campaign resides with over 2,600 hacked WordPress sites, to which attackers have gained login credentials, infecting over 4,200 pages with a hidden iframe that silently redirects users to malware-infected landing pages.

As a common pattern, all hacked WordPress sites seem to be running version 4.2 or earlier of the CMS.

On these landing pages, a single Flash SWF file is served, but only to Internet Explorer users and only once; this file leverages the CVE-2015-5119 Flash zero-day exploit to infect the user's PC with the CryptoWall ransomware.

The campaign is undetected by most antivirus vendors
Zscaler researchers noted that the initial Neutrino Flash SWF file contains a secondary SWF, which is eventually used to deliver the malware payload.

This latter SWF file delivers an encrypted executable file, which installs a version of the CryptoWall 3.0 malware, effectively locking the user out of his own files.

Only one AV vendor was able to detect the first SWF file as malicious, while the second SWF file triggered alarm bells for only two vendors, different from the first.

Since detection is quite low for this newer version of the Neutrino Exploit Kit and CryptoWall ransomware is near impossible to remove without paying the ransom, we recommend dropping Internet Explorer as soon as possible.

NekoJonez

New Member
I guess it is for WordPress based sites which includes blogs as well. You can find if there are any redirectors using exploit scanner or you can also use
Theme Authenticity Checker (TAC) to find out hidden links in your theme. It is not going to hurt you if you check your .htaccess file.

Thanks, but you have two kinds of WordPress sites. WordPress as CMS or WordPress.org... Which one is affected, or both?
 

NekoJonez

New Member
And there we come at an annoying bit... I have a WordPress.org site and I don't even know which version it's running on.
 

VirusAttak

Level 4
And there we come at an annoying bit... I have a WordPress.org site and I don't even know which version it's running on.

It is quite easy to know your WordPress version if you haven't hidden it.
See at the bottom of your dashboard "Thanks for creating with WordPress"; next to it you will find the WordPress version. Alternatively, you can check the readme file found in your installation directory.
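Putting the two replies above into one script, as an added example rather than anything posted in this thread: it reads the core version from wp-includes/version.php or readme.html, flags installs at 4.2 or earlier, and searches theme and page files for hidden iframes of the kind the campaign injected. The sample install, the landing.example URL and the hidden-iframe heuristic are constructed assumptions, not data from the thread.

```python
import re
from pathlib import Path
# Constructed sample install (not a real site): old core version plus a theme file
# carrying a hidden iframe. Assumed WordPress conventions: wp-includes/version.php
# holds $wp_version and readme.html prints "Version x.y" in its header.
SAMPLE_INSTALL = {
    "wp-includes/version.php": "<?php\n$wp_version = '4.1.1';\n",
    "readme.html": '<h1 id="logo">\n\t<br /> Version 4.1.1\n</h1>\n',
    "wp-content/themes/twentyfifteen/footer.php": (
        '<footer>site footer</footer>\n<iframe src="http://landing.example/" '
        'width="0" height="0" style="display:none"></iframe>\n'),
    "wp-content/themes/twentyfifteen/header.php":
        '<iframe src="https://www.youtube.com/embed/x" width="560"></iframe>\n',
}
LAST_AFFECTED = (4, 2)  # the thread: every hacked site ran 4.2 or earlier
# An iframe styled invisible or collapsed to zero width/height (heuristic, assumed).
HIDDEN_IFRAME = re.compile(
    r"<iframe\b[^>]*?(?:display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*=\s*[\"']?0(?![.\d]))[^>]*>", re.IGNORECASE)

def parse_version(text):
    """Version tuple from version.php ($wp_version = '4.1.1') or readme.html (Version 4.1.1)."""
    m = (re.search(r"\$wp_version\s*=\s*['\"](\d+(?:\.\d+)*)['\"]", text)
         or re.search(r"\bVersion\s+(\d+(?:\.\d+)*)", text))
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def version_in_affected_range(version):
    """True for 4.2.x and older, the range the thread reports as hacked."""
    return version is not None and version[:2] <= LAST_AFFECTED

def find_hidden_iframes(text):
    """Every hidden <iframe ...> tag in one file's content."""
    return HIDDEN_IFRAME.findall(text)

def audit(files):
    """files: {relative_path: content}. Reports version, outdated flag, hidden iframes per file."""
    version = None
    for rel in ("wp-includes/version.php", "readme.html"):
        if rel in files and (version := parse_version(files[rel])):
            break
    hits = {rel: found for rel, content in files.items()
            if rel.endswith((".php", ".html", ".js")) and (found := find_hidden_iframes(content))}
    return {"version": version, "outdated": version_in_affected_range(version),
            "hidden_iframes": hits}

def load_install(root):
    """Read a real install from disk into the mapping audit() expects: audit(load_install(path))."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p.read_text(errors="ignore")
            for p in root.rglob("*") if p.is_file() and p.suffix in (".php", ".html", ".js")}
```

Run `audit(SAMPLE_INSTALL)` to see the constructed case flagged; a zero-size or display:none iframe in a theme file is a lead to inspect, not proof of compromise on its own.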
 