More than 6,000 websites built on content management systems such as WordPress, Joomla and Datalife Engine were compromised in a new brute-force attack campaign, according to a researcher at Arbor Networks.

A botnet called Fort Disco, currently made up of 25,000 Windows machines, is responsible for the attacks and remains active, according to researcher Matt Bing. An attack tool found on almost 800 of the compromised websites is a variant of the FilesMan PHP backdoor that allows the botmaster to view and edit files, download content and execute new commands. Researchers also found a PHP-based redirector on a relatively small number of sites that sends victims to sites hosting the Styx exploit kit.

The strategy at play with Fort Disco is similar to that of the Brobot attacks responsible for numerous denial of service attacks against major U.S. financial institutions late last year and earlier this year. Brobot targeted vulnerabilities in content management systems, but this new campaign targets weak passwords to gain control of systems. The PHP shell uploaded to compromised sites can also enable an attacker to use commands to tens of thousands of bots quickly.

Bing said researchers at Arbor were able to gain such detailed insight into a fairly young campaign because of a misconfiguration on the attackers’ part, leaving logs exposed on several of the six command and control servers Arbor discovered, all of them hosted in either Russia or the Ukraine.

“We stumbled upon these detailed logs the attacker left open on some of the command and control servers,” Bing said. “We were able to piece together enough of the picture.”

Bing said the campaign began in May; Arbor has been watching it for about a month. The botnet spreads malware to Windows machines, a little more than 25,000 so far. Once on a computer, the malware checks in with a command and control server and receives a list of content management system sites to try to infect, along with a list of common username-password combinations. These are generally default combinations with password options including admin or 123456 or some combination thereof.

In most cases, the botmaster then uploads the PHP backdoor which enables him to send in additional payloads.

“We were only able to find a couple of cases where he installed the Styx malware exploit kit,” Bing said. “These are brute-force attacks with common usernames and passwords—really low-hanging fruit. Attackers are realizing too that these content management systems are just as easily exploited. The real risk is that a lot of these sites are hosted on big data centers with lots of bandwidth. You could easily turn this into a DDoS bot.”

While there’s no evidence this is related to Brobot or the bank DDoS attacks, some of the fingerprints are similar. And like the bank attacks, Fort Disco attacks have dwindled since a period of peak activity in May and June, shortly after antimalware signatures were distributed for the Windows malware, Bing said.

Bing added that the authors are likely Russian given that the C&Cs were found on Russian and Ukrainian IP addresses, the default characters are in Cyrillic, and some error strings within the malware were written in Russian. The victims, however, were largely in Peru, the Philippines and Mexico; the U.S. and Europe were not nearly as affected.

“Based on what we could tell, it looked like one of those things where the attacker tried to entice users to run the executable through a social engineering campaign targeted at Russians,” Bing said, adding that he found two examples including an executable referring to the Michael Lewis book “The Big Short: Inside the Doomsday Machine” as well as a another filename referring to a crack for the ProxyCap program.

Categories: Malware