WordPress Infections Leading to TeslaCrypt Ransomware

A massive string of WordPress compromises is redirecting victims to the Nuclear Exploit Kit and Teslacrypt ransomware.

Website operators running sites on the WordPress platform need to be aware of a massive string of infections that as of Thursday were poorly detected by security products.

Researchers at Heimdal Security said the compromised sites redirect victims to other domains hosting the Nuclear Exploit Kit, a potent collection of exploits for vulnerable Adobe products (Flash, Reader, Acrobat), Internet Explorer and Microsoft Silverlight that has dropped ransomware on infected computers in the past and does so in this campaign.

Other versions of Nuclear EK have been dropping the dangerous Cryptowall ransomware, as recently as late November. This campaign, Heimdal researchers said, infects computers with Teslacrypt.

Teslacrypt, like other versions of crypto-ransomware, encrypts files stored on the local hard drive and demands a ransom in exchange for the encryption key. Researchers at FireEye estimated that the ransomware made more than $76,000 in a three-month span early last year, a paltry sum compared to the millions hauled in by Cryptolocker and other ransomware families. FireEye researched some of the early Teslacrypt victims, many of whom had no idea what happened to their machines and were concerned about their job security and financial well-being as a consequence of the infections. In July, a new version of Teslacrypt came with a fresh encryption scheme and other features that mimicked Cryptowall.

Heimdal researchers said the attackers behind the current WordPress compromises—numbering in the hundreds—were exploiting an unidentified vulnerability with obfuscated JavaScript. The malicious code redirects traffic to a domain called chrenovuihren, where users are presented with an online ad that forces traffic to the site hosting Nuclear. Heimdal identified three IP addresses acting as Nuclear EK gateways: 159[.]203[.]24[.]40, 164[.]132[.]80[.]71 and 162[.]243[.]77[.]214.

“The campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use,” Heimdal researchers wrote in a blog post. The malicious domains are subdomains of the chrenovuihren domain, Heimdal said, adding that it has already blocked more than 85 domains. As of last night, two of 66 security products on VirusTotal detected the threat.

Heimdal’s findings come less than a week after security company Sucuri announced it had uncovered a similarly large campaign. Heimdal said in its report that it believes the same group is behind both attacks, but cannot confirm that fact.

Sucuri said the infections it saw were characterized by encrypted malicious code appended to the end of all legitimate JavaScript files. These infections hit only first-time visitors to the compromised sites, set a cookie that expires within 24 hours and inject an invisible iframe with “Admedia” or “advertising” in the path part of the URL, Sucuri said.
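One way a site operator can check for the pattern Sucuri describes is to compare each deployed JavaScript file against the pristine copy from the WordPress release and inspect only the bytes appended after it. The following is an added example, not code from the article, Sucuri or Heimdal; the sample files, the `example.invalid` host and the escape-decoding step are constructed assumptions about what an appended iframe might look like.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Indicators from the Sucuri description: a hidden iframe whose URL path holds one of these words.
PATH_KEYWORDS = ("admedia", "advertising")
IFRAME_RE = re.compile(r"<iframe[^>]*?src\s*=\s*['\"]([^'\"]+)", re.IGNORECASE)

def decode_js_escapes(text):
    """Undo \\xNN and \\uNNNN escapes so an obfuscated iframe string becomes readable."""
    text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def appended_tail(deployed, pristine):
    """If the deployed file is the pristine file plus trailing bytes, return those extra bytes."""
    if deployed.startswith(pristine) and len(deployed) > len(pristine):
        return deployed[len(pristine):]
    return ""

def suspicious_iframe_urls(snippet):
    """Return iframe src URLs whose path contains one of the campaign keywords."""
    urls = []
    for m in IFRAME_RE.finditer(decode_js_escapes(snippet)):
        url = m.group(1)
        if any(k in urlsplit(url).path.lower() for k in PATH_KEYWORDS):
            urls.append(url)
    return urls

def scan_js(deployed, pristine):
    """Report whether a file differs from its pristine copy, how much was appended, and any iframes in the tail."""
    tail = appended_tail(deployed, pristine)
    return {"modified": deployed != pristine,
            "appended_bytes": len(tail),
            "iframe_urls": suspicious_iframe_urls(tail)}

def scan_tree(deployed_root, pristine_root):
    """Compare every .js under a deployed WordPress tree with the matching file from a clean release."""
    report = {}
    for path in Path(deployed_root).rglob("*.js"):
        rel = path.relative_to(deployed_root)
        ref = Path(pristine_root) / rel
        if ref.is_file():
            report[str(rel)] = scan_js(path.read_text(errors="replace"), ref.read_text(errors="replace"))
    return report

# Constructed sample (assumption, not a real capture): a clean file and a copy with an escaped hidden iframe appended.
CLEAN_JS = "function toggle(el){el.style.display=el.style.display==='none'?'':'none';}\n"
INJECTED_JS = CLEAN_JS + ('document.write("<iframe src=\'http:\\x2f\\x2fexample.invalid\\x2fadmedia\\x2fl.php\' '
                          'width=\'1\' height=\'1\' style=\'display:none\'></iframe>");\n')
```

Files flagged as modified but with nothing appended still deserve a manual look; the iframe check only covers the appended portion.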

In the meantime, Heimdal researchers urge WordPress operators to update the content management system as soon as possible—an update was released this week—and back up their file systems regularly. Regular backups to multiple locations are the best defense against ransomware, along with updated detections for known ransomware.
