WordPress Compromises Behind Spike in Neutrino EK Traffic

A rash of compromised WordPress websites is behind this week’s surge in Neutrino Exploit Kit traffic

Unsurprisingly, a rash of compromised WordPress websites is behind this week’s surge in Neutrino Exploit Kit traffic, researchers at Zscaler said.

In a report published yesterday, Zscaler said it spotted attacks against sites running older versions of the content management system, 4.2 and earlier. Those sites are backdoored and redirect a victim’s browser through iframes to a landing page hosting the exploit kit where a Flash exploit awaits.

The exploits generally target Internet Explorer, Zscaler said, and victims’ computers are eventually infected with CryptoWall 3.0 ransomware.

This analysis is in line with a similar report from the SANS Institute, which pointed the finger at a particular cybercrime group that had steered away from using the prolific Angler Exploit Kit and moved operations to Neutrino.

Researchers at both outfits said the primary IP address for the Neutrino landing page is 185[.]44[.]105[.]7, registered to a “Max Vlapet” in Moscow.

Zscaler said that it has spotted more than 2,600 unique sites running WordPress involved in the current Neutrino spike, serving up more than 4,000 infected pages.

“The goal of this campaign is to completely and fully compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page,” Zscaler researchers John Mancuso and Deepen Desai wrote. “The iframe is injected into the compromised site immediately after the BODY tag, and is almost identical to recent Angler samples.”

Users who are not running IE are not served the iframe, Zscaler said, adding that cookies prevent the same user from being served the same iframe over and over.
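The injection pattern the Zscaler write-up describes (an iframe placed immediately after the BODY tag, pointing at the Neutrino landing host) is simple enough to check for on your own pages. The following is an added example for site owners, not Zscaler's or Threatpost's code: it walks a page's HTML with the standard-library parser, records every iframe, and flags those that are the first tag after `<body>`, are styled or sized to be invisible, or point at the landing-page IP the article names (185.44.105.7, de-fanged in the text). The two sample pages and the URL path on the indicator are constructed for the demonstration; no real site is fetched.

```python
"""Flag iframes injected immediately after the BODY tag, the pattern
described in the Zscaler report. Added example; sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicator quoted from the article (written there as 185[.]44[.]105[.]7).
KNOWN_LANDING_HOSTS = {"185.44.105.7"}


def _looks_hidden(attrs):
    """True if the iframe's attributes try to keep it off-screen or invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(str(attrs.get("width", "100")).lower().rstrip("px"))
        height = int(str(attrs.get("height", "100")).lower().rstrip("px"))
    except ValueError:          # percentages or other non-numeric sizes
        return False
    return width <= 1 or height <= 1


class IframeAuditor(HTMLParser):
    """Records each <iframe> together with the two facts the article keys on:
    whether it is the first element after <body>, and whether it is hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._right_after_body = False   # True until the next real node after <body>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "body":
            self._right_after_body = True
            return
        if tag == "iframe":
            src = attrs.get("src") or ""
            self.findings.append({
                "src": src,
                "after_body": self._right_after_body,
                "hidden": _looks_hidden(attrs),
                "known_host": urlparse(src).hostname in KNOWN_LANDING_HOSTS,
            })
        self._right_after_body = False   # any other element closes the window

    def handle_endtag(self, tag):
        self._right_after_body = False

    def handle_data(self, data):
        if data.strip():                 # ignore whitespace between <body> and the next tag
            self._right_after_body = False


def audit_page(html):
    """Return a record for every iframe in the page."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


def suspicious_iframes(html):
    """Keep only iframes matching the campaign pattern: a known landing host,
    or a hidden frame sitting directly after <body>."""
    return [f for f in audit_page(html)
            if f["known_host"] or (f["after_body"] and f["hidden"])]


# Constructed sample pages: one ordinary blog page, one carrying the injection.
CLEAN_PAGE = """<html><body>
<h1>My blog</h1>
<iframe src="https://www.youtube.com/embed/EXAMPLE" width="560" height="315"></iframe>
</body></html>"""

INFECTED_PAGE = """<html><body>
<iframe src="http://185.44.105.7/EXAMPLE-PATH" width="1" height="1" style="display: none"></iframe>
<h1>My blog</h1>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        print(name, suspicious_iframes(page))
```

Run it against a saved copy of your own front page (the HTML as served to an Internet Explorer user-agent, since the article notes other browsers are not served the iframe). A hit on the `after_body` and `hidden` rule is worth investigating even when the host differs, because landing-page addresses rotate far faster than the injection technique does.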

Zscaler shares its analysis of the Flash exploit in Neutrino and points out that as of yesterday, detection for it among security companies was “poor.” The payload is CryptoWall 3.0, the latest version of the virulent ransomware that has this summer almost exclusively been spreading from exploit kits, Angler in particular. Some spam campaigns earlier this summer were also pushing CryptoWall.

Like other ransomware families, CryptoWall 3.0 encrypts files stored on a compromised computer and demands a ransom, usually $500 payable in Bitcoin, in exchange for the decryption key. The malware uses numerous channels to communicate with its keepers and send them stolen data, including the I2P and Tor anonymity networks.

As for Neutrino, it is apparently on the rise among the ranks of exploit kits. Angler remains the most dangerous because its keepers quickly integrate exploits for newly reported zero days, and this recent spike of Neutrino traffic could have a number of explanations: perhaps this actor was banned from purchasing Angler, Angler's price rose steeply, or this is merely a test run using Neutrino.

“If this change indicates a trend, we might see a large amount of compromised websites pointing to Neutrino EK, along with a corresponding drop in Angler EK traffic,” wrote SANS ISC handler and Rackspace security engineer Brad Duncan. “However, criminal groups using these EKs have quickly changed tactics in the past, and the situation may change by the time you read this.”

In the meantime, WordPress remains a soft spot for hackers. More often than not, attackers find and exploit vulnerabilities in plugins and extensions for the CMS, but there have been occasions where the WordPress core engine has been attacked.

“WordPress compromises are not new, but this campaign shows an interesting underground nexus starting with backdoored WordPress sites, a Neutrino Exploit Kit-controlled server, and the highly effective CryptoWall ransomware,” Zscaler said. “This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena.”


Discussion

  • SecureNut

    How can you tell if your WP site has been compromised?
  • Matt Hunt

    So...any protocols on checking to see if a site has been compromised? Or is this just "update and pray"? This wasn't an "older version", 4.2 was the current version just a few days ago. I've upgraded but am out in the wind as to checking if I'm compromised.
    • Rob

      I'd imagine that "older version" denotes 4.2 w/o the subsequent security releases up to and including 4.2.4
