However, some campaigns seem to be more severe than others, and so is this one. Hacked corporate websites and news blogs running on WordPress are currently being exploited by attackers in their attempt to deliver backdoor malware.
This type of malware opens up the door to further malicious payloads, including information stealers, various Trojans, and keylogging software. To carry out these attacks, the threat actors are using fake Chrome updates.
Hacked WordPress Sites – a March 2020 Malicious Campaign
Instead of getting an update, the potential victims could download malicious installers that give control over their computers through a TeamViewer installation. Once TeamViewer is installed onto the compromised system, two password-protected SFX archives loaded with malicious files will be unarchived. These contain the necessary files to open the fake update page and enable remote connections. A specific script to bypass Windows built-in protections is also activated.
What malware is downloaded onto compromised systems?
- The X-Key Keylogger;
- The Predator and The Thief information stealers;
- A Trojan for remote control over the RDP protocol.
Who is behind these campaigns?
Security researchers at Dr. Web believe that these are the same threat actors that were previously involved in spreading a fake installer of a popular VSDC video editor via its official website and the CNET download platform.
A previous malicious campaign, uncovered in August 2019, leveraged WordPress plugins to hack into websites. A series of popular WordPress plugins were found to contain a security weakness, thus allowing hackers to take over control of targeted sites to infect them with malware.
The list of exploited WordPress plugins included Simple 301 Redirects – Addon – Bulk Uploader and others developed by NicDark. To avoid any such campaigns, WordPress site owners should sustain a strict update hygiene where everything is kept timely upgraded and in order, WordPress itself as well as any additionally installed software.