WordPress site compromised.

DrDave47
Lt. Colonel
Posts: 2883
Joined: January 2nd, 2015, 12:08 am
Location: South of Anchorage, Alaska

December 13th, 2015, 8:34 pm

Reader’s Digest and other WordPress Sites Compromised, Push Angler EK

November 26, 2015 | BY Jérôme Segura

Update 12/01: Reader’s Digest contacted us and said they are working on the site’s security.

We’re seeing another uptick in WordPress compromises, using a slightly different modus operandi than the EITest campaign we recently blogged about, being responsible for a large number of infections via the Angler exploit kit.

The attack consists of a malicious script injected within compromised WordPress sites that launches another URL whose final purpose is to load the Angler exploit kit. Site owners that have been affected should keep in mind that those injected scripts/URLs will vary over time, although they are all using the same pattern (see IOCs below for some examples).

The website of popular magazine Reader’s Digest is one of the victims of this campaign and people who have visited the portal recently should make sure they have not been infected. The payload we observed at the time of capture was Bedep which loaded Necurs a backdoor Trojan, but that of course can change from day to day.

[image: rd]

Technical details:

Fiddler traffic overview:

[image: Fiddler_rd]

We contacted Reader’s Digest several days ago to report the issue but have not heard back. At the time of writing, the site is still delivering malware. We hope that by making this public we will raise awareness and prevent unnecessary infections.

Infected machine performing ad fraud (via injected notepad.exe process):

[image: adfraud]

Malwarebytes Anti-Malware scan, post infection:

[image: MBAM]

IOCs:

Redirectors (non exhaustive list):

api.reyval.com.mx/js/script.js
bit.modish-it.com.au/js/script.js
cd.brutheninnhotel.com.au/js/script.js
cert.dotila.com.mx/js/script.js
com.studiobeleza.com.br/js/script.js
id.delyco.com.my/js/script.js
jit.otesko.com.ve/js/script.js
jump.kalinenobre.com.br/js/script.js
kip.interhoster.com.ve/js/script.js
lara.fotografofamoso.com.br/js/script.js
old.losacco.com.ve/js/script.js
or.buyautos.com.br/js/script.js
pid.alexandrepioto.com.br/js/script.js
qt.solutionlabs.com.ar/js/script.js
sed.puntooffices.com.br/js/script.js
tip.keeprunning.com.br/js/script.js
tip.ligacaucetera.com.ar/js/script.js
top.bpsah.com.np/js/script.js
usa.littlecitystudio.com.au/js/script.js
use.ecoterm.com.ar/js/script.js
us.grupopedregal.com.ar/js/script.js
vid.mercofriosrl.com.ar/js/script.js
vid.tedxriocuarto.com.ar/js/script.js
web.brutheninnhotel.com.au/js/script.js
west.nomundodapaula.com.br/js/script.js

If you use WordPress and got it from the official site, you might want to run an anti-malware program on it BEFORE installing it.

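The quoted report says the injected script tags vary over time but share one shape: a short subdomain on a third-party site, with the path /js/script.js. The following scanner is an added example, not code from the post or from Malwarebytes. It takes the redirector hosts from the IOC list above, plus a heuristic host regex (an assumption drawn from the shape of that list, not something the post states), and walks a WordPress install or a saved page source looking for script src attributes that hit either. The sample HTML and the host xyz.hypothetical-host.com.br are constructed for the demonstration. Pattern hits are only a lead for review, since a legitimate site under a ccTLD can also serve a file called script.js.

```python
"""Scan HTML/PHP/JS files for <script src=...> tags that point at the
WordPress -> Angler redirector hosts listed in the post, or that merely
match the shape of those URLs (short label . domain . com . cc /js/script.js).
Added example; not part of the original post or the Malwarebytes report."""
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Redirector hosts copied from the IOC list in the post (non-exhaustive).
KNOWN_REDIRECTORS = {
    "api.reyval.com.mx", "bit.modish-it.com.au", "cd.brutheninnhotel.com.au",
    "cert.dotila.com.mx", "com.studiobeleza.com.br", "id.delyco.com.my",
    "jit.otesko.com.ve", "jump.kalinenobre.com.br", "kip.interhoster.com.ve",
    "lara.fotografofamoso.com.br", "old.losacco.com.ve", "or.buyautos.com.br",
    "pid.alexandrepioto.com.br", "qt.solutionlabs.com.ar", "sed.puntooffices.com.br",
    "tip.keeprunning.com.br", "tip.ligacaucetera.com.ar", "top.bpsah.com.np",
    "usa.littlecitystudio.com.au", "use.ecoterm.com.ar", "us.grupopedregal.com.ar",
    "vid.mercofriosrl.com.ar", "vid.tedxriocuarto.com.ar",
    "web.brutheninnhotel.com.au", "west.nomundodapaula.com.br",
}

# Heuristic for the host shape seen in the IOC list: a 2-4 letter label, a
# domain under .com.<cc>. This is an assumption made for this example, so
# "pattern" hits need a human look before anything is acted on.
PATTERN_HOST_RE = re.compile(r"^[a-z]{2,4}\.[a-z0-9-]+\.com\.[a-z]{2}$")
REDIRECTOR_PATH = "/js/script.js"

# Pulls the src value out of a <script ...> tag, quoted or not.
SCRIPT_SRC_RE = re.compile(r"""<script[^>]+src\s*=\s*["']?([^"'\s>]+)""", re.I)


def classify_url(url):
    """Return 'known' (host is in the IOC list), 'pattern' (host and path
    match the campaign shape), or None for anything else."""
    # Bare hosts like the IOC entries have no scheme; make them parseable.
    parts = urlsplit(url if "//" in url else "//" + url)
    host = (parts.hostname or "").lower()
    if host in KNOWN_REDIRECTORS:
        return "known"
    if parts.path == REDIRECTOR_PATH and PATTERN_HOST_RE.match(host):
        return "pattern"
    return None


def scan_text(text):
    """Return [(url, verdict), ...] for every suspicious script src in text."""
    hits = []
    for match in SCRIPT_SRC_RE.finditer(text):
        url = match.group(1)
        verdict = classify_url(url)
        if verdict:
            hits.append((url, verdict))
    return hits


def scan_tree(root):
    """Walk a directory (e.g. a WordPress docroot) and map file path -> hits."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in {".html", ".htm", ".php", ".js"}:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample page (not from the post): two legitimate script tags,
# one injection on a listed host, one on a made-up host matching the shape.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://code.jquery.com/jquery.min.js"></script>
<script type="text/javascript" src="http://api.reyval.com.mx/js/script.js"></script>
</head><body>
<script src="//xyz.hypothetical-host.com.br/js/script.js"></script>
</body></html>"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file_path, hits in scan_tree(sys.argv[1]).items():
            for url, verdict in hits:
                print(f"{verdict:8} {file_path}: {url}")
    else:
        for url, verdict in scan_text(SAMPLE_HTML):
            print(f"{verdict:8} {url}")
```

Run it with a directory argument to sweep a site's theme and plugin files; with no argument it scans the built-in sample and reports one "known" hit and one "pattern" hit. Because the injected hosts rotate, the list alone goes stale quickly; the shape check is what keeps the scan useful between IOC updates, at the cost of needing review on each hit.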