Mysterious spike in WordPress hacks silently delivers ransomware to visitors

Researchers still aren't sure how the sites are getting compromised.

Dan Goodin – Feb 4, 2016 8:00 PM | 82

If you're a gamer (or anyone else), this is not a screen you want to see. Credit: Bromium Labs

It's still not clear how, but a disproportionately large number of websites that run on the WordPress content management system are being hacked to deliver crypto ransomware and other malicious software to unwitting end users.

In the past four days, researchers from three separate security firms have reported that a large number of legitimate WordPress sites have been hacked to silently redirect visitors to a series of malicious sites. The attack sites host code from the Nuclear exploit kit that's available for sale in black markets across the Internet. People who visit the WordPress sites using out-of-date versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer can then find their computers infected with the Teslacrypt ransomware package, which encrypts user files and demands a hefty ransom for the decryption key needed to restore them.

"WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads," Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. "This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit."

According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites he observed have been hacked to include encrypted code at the end of all legitimate JavaScript files. The encrypted content is different from site to site, but once decrypted, it looks similar to that shown in the image below:

To prevent detection by researchers visiting the compromised site, the code takes pains to infect only first-time visitors. To further conceal the attack, the code redirects end users through a series of sites before delivering the final, malicious payload. Sucuri said Google's Safe Browsing mechanism—which browser makers use to help users avoid malicious websites—had blacklisted some of the Internet domains used in the ruse. A post published Thursday by Heimdal Security, however, listed a different domain, leaving open the possibility that the attackers are regularly refreshing as old ones get flagged.

Heimdal Security also warned that antivirus programs may do little to protect end users. During the latest leg of the campaign, for instance, the exploit code was detected by just two of the 66 leading AV packages, while the payload it delivered was also limited (the blog post didn't provide specifics).

Driveby attacks not just on porn sites anymore

The attacks are the latest reminder that people can be exposed to potent malware attacks even when visiting legitimate websites they know and trust. The best defense against such driveby attacks is to install security updates as soon as they become available. Other measures include running Microsoft's Enhanced Mitigation Experience Toolkit on any Windows-based computers and using the 64-bit version of Google's Chrome browser if possible.

It's not yet clear how the WordPress sites are getting infected in the first place. It's possible that administrators are failing to lock down the login credentials that allow the site content to be changed. It's also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that's causing many hacked sites to be repeatedly reinfected. As Sucuri researcher Denis Sinegubko wrote:

The malware tries to infect all accessible .js files. This means that if you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination. It’s not enough to clean just one site (e.g. the one you care about) or all but one (e.g. you don’t care about a test or backup site) in such situations – an abandoned site will be the source of the reinfection. In other words, you either need to isolate every site or clean/update/protect all of them at the same time!

People running WordPress sites should take time to make sure their servers are fully patched and locked down with a strong password and two-factor authentication. This post will be updated if researchers uncover a cause of this ongoing hack campaign. Until then, admins and end users alike should stay vigilant for signs one of their systems is being targeted and follow the usual best practices listed earlier.