A new malware campaign has been discovered leveraging an increasing number of legitimate but compromised websites. The malicious operation is built on social engineering: visitors are prompted with fake but authentic-looking browser update notifications, researchers reported.
Fake Update Technique Successfully Tricks Users
The earliest accounts of this campaign are from December last year, when BroadAnalysis analyzed a script downloaded from Dropbox.
The current campaign is affecting several Content Management Systems such as WordPress and Joomla. According to security researcher Jérôme Segura, several of the affected websites were out-of-date and were prone to malicious code injection. The researcher believes that the attackers used this technique to develop an inventory of compromised sites. However, this theory is yet to be confirmed.
WordPress and Joomla websites were both hacked through code injected into JavaScript files within their systems. Among the injected files are the jquery.js and caption.js libraries; the malicious code is usually appended to the end of the file and can be recognized by comparing the served file with a clean copy of the same library.
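The comparison the researchers describe can be automated. The following is an added example, not code from the article or the researchers, that checks served library files against a known-clean copy and distinguishes an appended tail (the pattern described above) from other modifications; the sample file contents are constructed placeholders, not real injected code.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Dict


@dataclass
class Verdict:
    status: str              # "clean", "appended" or "modified"
    appended: bytes = b""    # trailing bytes absent from the clean copy
    first_diff: int = -1     # byte offset of the first difference ("modified" only)


def compare_with_clean_copy(clean: bytes, suspect: bytes) -> Verdict:
    """Classify a served JS file against a known-good copy of the same library.

    The campaign appended its code to the end of existing library files, so a
    suspect file that begins with the entire clean file and then continues is
    the signature case ("appended"). Any other difference is "modified".
    """
    if hashlib.sha256(clean).digest() == hashlib.sha256(suspect).digest():
        return Verdict("clean")
    if suspect.startswith(clean):
        return Verdict("appended", appended=suspect[len(clean):])
    limit = min(len(clean), len(suspect))
    offset = next((i for i in range(limit) if clean[i] != suspect[i]), limit)
    return Verdict("modified", first_diff=offset)


def scan_site(site_root: Path, clean_copies: Dict[str, bytes]) -> Dict[str, Verdict]:
    """Walk a site tree and check every file whose name matches a known library.

    clean_copies maps a library file name (e.g. "jquery.js") to its clean bytes,
    obtained from the vendor's distribution of the same version.
    """
    results: Dict[str, Verdict] = {}
    for path in site_root.rglob("*"):
        if path.is_file() and path.name in clean_copies:
            verdict = compare_with_clean_copy(clean_copies[path.name], path.read_bytes())
            results[str(path.relative_to(site_root))] = verdict
    return results


# Constructed sample data (placeholders standing in for a real jquery.js and
# for a copy with something appended; not actual campaign code).
CLEAN_JQUERY = b"/*! jQuery v3.3.1 | (c) JS Foundation */\n(function(){ /* library body */ })();\n"
INJECTED_JQUERY = CLEAN_JQUERY + b"\n/* PLACEHOLDER: appended code would be here */\n"
```

Any "appended" verdict is worth treating as a compromise of the site until the tail is explained by a legitimate deployment change.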
Using a specially designed crawler, researchers were able to locate a number of compromised WordPress and Joomla websites. Even though there isn’t an exact number of the infected websites, it is most likely in the thousands.
Besides Joomla and WordPress, a third content management system, Squarespace, was also affected. A Squarespace user reported being redirected to a full page stating that “your version of chrome needs updating”.
How is the infection carried out? The affected CMS websites were found to trigger redirection URLs with similar patterns, ending with the loading of the particular fake update. Researchers say that there are different URLs for each affected CMS.
What fake updates have been used? Fraudulent browser updates target the Chrome and Firefox browsers, while Internet Explorer users have been targeted via a fake Flash Player update.
What is the payload of the malicious campaign?
Researchers were able to determine that one of the payloads dropped is the Chtonic banking malware, a variant of ZeusVM. Another one is the NetSupport RAT.
This is not the first campaign abusing unpatched, and therefore vulnerable, CMS-based websites. CMS vulnerabilities are a common factor in many successful malware attacks. For instance, in 2016 researchers found that a huge number of corporations were running outdated versions of Drupal and WordPress.