Researchers have seen an uptick in Adobe Flash .SWF files being used to trigger malicious iFrames across websites.
Several hundred WordPress and Joomla websites have been swept up in the campaign, first observed by researchers at the firm Sucuri last November.
“Though it’s uncertain how many iterations existed in the wild when we first reported the issue, this time we’ve found a lot of websites where the infection looks similar,” Peter Gramantik, a senior malware researcher at the firm wrote Thursday.
According to Gramantik the infection is clearly marked by a .SWF file with three random characters as a name that’s stored in a site’s images/banners/ folder. As far as the firm has seen, each file has a random hashed ID parameter attached to the end of it.
While the malware’s variable names, coding logic, and UserAgent remain the same, one of the main differences from last November’s version of the campaign and this one is that this incarnation has spread to from Joomla sites to WordPress sites. As is to be expected, the website delivering the malicious payload has changed as well.
The .SWF files, also known as small web format files, inject an invisible iFrame, which can go on to drop other exploits.