Researchers are reporting a surge in CryptXXX ransomware infections delivered via business websites compromised to redirect to the Neutrino Exploit Kit. Attackers are targeting websites running the Revslider slideshow plugin for WordPress, according to a report released Tuesday by Invincea.
Behind the attacks, said Pat Belcher, director of security research at Invincea, is the SoakSoak botnet, active since 2014 and known for its automated ability to scan websites for vulnerabilities.
“We are seeing a surge in these type of attacks targeting slideshow and video components on popular websites,” Belcher said.
According to Belcher the official tourism website for Guatemala, a Mexican City water supply firm’s website and other business sites are inadvertently redirecting visitors to sites that host the Neutrino Exploit Kit. Users, Belcher said, are then infected with the CryptXXX ransomware if vulnerable to attack.
“We are seeing botnets such as SoakSoak morphing and changing its typical payloads of click-fraud Trojans and password-stealing malware to ransomware,” he said.
Attackers behind the SoakSoak botnet have continued to modify their tactics and infect new groups of websites. WordPress sites have been a popular target for SoakSoak attackers who are looking to exploit WordPress users running Internet Explorer on Windows.
Thousands of WordPress websites have also become popular targets for attackers behind the exploit kits. Earlier this year the SANS Institute’s Internet Storm Center spotted exploit kits infecting thousands of WordPress and Joomla content management systems in a new campaign.
Invincea said it is monitoring attacks where SoakSoak continue to target WordPress content management sites and plugins such as Revslider. Belcher explains that successful attacks allow hackers to append Revslider scripts to redirect victims to Exploit Kits. Next, when users click on slideshows or videos they are redirected to sites hosting the Neutrino Exploit Kit.
Other types of ransomware, such as TeslaCrypte ransomware, have also targeted vulnerabilities in the WordPress and Joomla via the Nuclear Exploit Kit. But, Invincea shows just how persistent SoakSoak has been over the past several years and how pervasive the Revslider flaw is. Going back as far as 2014, Google went so far as to blacklist 100,000 sites hosted on WordPress may be vulnerable to a campaign known as SoakSoak. At the time, security experts said an older (4.1.4) version of the Revslider slideshow plugin used with WordPress authored websites was to blame. It’s unclear from Invincea’s research what version of the WordPress plugin Revslide is being targeted currently.