
TeslaCrypt Currently Spread via Compromised WordPress Pages and Nuclear EK

Just a few days ago, Sucuri researchers discovered a new malicious campaign aimed at vulnerable WordPress websites. Attackers were injecting snippets of malicious code into the websites’ JavaScript files. During these attacks, a particular piece of malware, Backdoor.Andromeda, was distributed with the help of the infamous Neutrino exploit kit.

Unfortunately, this malicious campaign is not over: researchers from Heimdal Security are currently investigating cases of compromised WordPress sites, this time spreading the TeslaCrypt ransomware. The version of the ransomware being spread is a rare one with a very low detection rate. A sample has been uploaded to VirusTotal, and only 2 out of 56 antivirus vendors detect it.

According to Heimdal’s report, more than 85 domains spreading TeslaCrypt have been blocked. Unfortunately, researchers expect the number of affected websites to grow in the upcoming days.

How is the attack carried out?

The attackers injected obfuscated JavaScript code into these websites. Users who land on the hacked websites are redirected, via multiple servers, to a domain called “chrenovuihren”.

The exploit kit used in the attack scenario is Nuclear EK, known to be available via the exploit-kit-as-a-service model. Nuclear is a sophisticated exploit kit that can exploit a range of vulnerabilities in:

  • Adobe Flash Player;
  • Adobe Reader and Acrobat;
  • Internet Explorer;
  • Microsoft Silverlight.


The worst part is that hundreds of servers hosting WordPress-based websites are compromised. In addition, if other domains are hosted on the same compromised server, they are infected as well. Attempts to clean up a single website tend to fail, because the other websites on the same server re-infect it almost immediately.
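As an added defender-side example (not part of the original article or of either vendor’s report), the following Python script scans a WordPress document root for JavaScript files carrying injected, obfuscated redirect code of the kind described above. The domain fragment is the one named in the report; the obfuscation patterns, directory layout and sample files are constructed assumptions.

```python
import os
import re
import tempfile
# Redirect domain fragment named in the report, plus generic markers of
# obfuscated injected JS; extend the list for your own environment.
DOMAIN_FRAGMENT = "chrenovuihren"
OBFUSCATION_PATTERNS = [
    re.compile(r"eval\s*\(\s*(unescape|String\.fromCharCode|atob)\s*\("),
    re.compile(r"(\\x[0-9a-fA-F]{2}){24,}"),  # long run of hex escapes
    re.compile(r"document\.write\s*\(\s*unescape\s*\("),
]

def suspicious_lines(text):
    """Return [(line_no, reason)] for each line matching an indicator."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if DOMAIN_FRAGMENT in line:
            hits.append((no, "campaign redirect domain"))
        elif any(p.search(line) for p in OBFUSCATION_PATTERNS):
            hits.append((no, "obfuscation marker"))
    return hits

def scan_docroot(root):
    """Map every flagged *.js below root to its hits. Point root at the
    parent of all vhosts (e.g. /var/www); sibling sites re-infect each other."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_lines(fh.read())
            if hits:
                findings[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return findings

def build_sample_docroot():
    """Constructed two-vhost layout: one clean file, one injected file."""
    root = tempfile.mkdtemp()
    clean = os.path.join(root, "site-a", "wp-includes", "js")
    bad = os.path.join(root, "site-b", "wp-content", "themes", "t", "js")
    for d in (clean, bad):
        os.makedirs(d)
    with open(os.path.join(clean, "jquery.js"), "w") as fh:
        fh.write("(function(){ var x = 1; })();\n")
    with open(os.path.join(bad, "theme.js"), "w") as fh:  # injected sample
        fh.write("(function(){ var x = 1; })();\neval(unescape('%76%61%72'));\n"
                 "var u = 'http://chrenovuihren.invalid/';\n")
    return root
```

Run `scan_docroot("/var/www")` on the real host; a clean server returns an empty dict, and any flagged file should be diffed against a pristine copy of WordPress or the theme before being restored.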

We are currently witnessing an increased number of TeslaCrypt attacks. Users are contacting our team saying that their files have been locked and a .micro extension has been appended to them. We cannot confirm that this particular malicious campaign involving WordPress and Nuclear EK is spreading the ‘.micro’ version of TeslaCrypt, but it’s quite likely to be the case.


How to avoid becoming a victim of a malicious attack?

Here are some pretty good security tips that you should follow closely in your daily online routines.

  • Make sure to use additional firewall protection. Installing a second firewall (ZoneAlarm, for example) is an excellent way to guard against potential intrusions.
  • Make sure that your programs have less administrative power over what they read and write on your computer. Make them prompt you for admin access before starting.
  • Use stronger passwords. Stronger passwords (preferably ones that are not dictionary words) are harder to crack by several methods, including brute forcing, which relies on password lists of common words.
  • Turn off AutoPlay. This protects your computer from malicious executable files on USB sticks or other external storage media the moment they are inserted.
  • Disable File Sharing. If you do need file sharing between your computers, password-protect it so that an infection stays confined to you.
  • Switch off any remote services – an exploited remote service can be devastating for business networks, causing damage on a massive scale.
  • If you see an external, non-Windows-critical service or process that appears to be exploited, disable it until an update that fixes the exploit is available.
  • Always apply the critical security patches for your software and OS.
  • Configure your mail server to block and delete emails carrying suspicious file attachments.
  • If you have a compromised computer on your network, isolate it immediately by powering it off and physically disconnecting it from the network.
  • Make sure to educate all users on the network never to open suspicious file attachments, and show them examples.
  • Turn off any wireless services you don’t need, like infrared ports or Bluetooth – hackers love to use them to exploit devices. If you do use Bluetooth, keep an eye on unknown devices that prompt you to pair with them; decline and investigate any suspicious ones.
  • Employ a powerful anti-malware solution to protect yourself from any future threats automatically.

Anti-spam security tips

Spam email campaigns are often employed in attack scenarios. Here’s how to increase your security against spam:

  • Employ anti-spam software (spam filters) that examines incoming email and isolates spam from regular messages. Spam filters are designed to identify spam and prevent it from ever reaching your inbox, so make sure one is active on your email account. Gmail users can refer to Google’s support page.
  • Don’t reply to dubious email messages and never interact with their content. Even an ‘unsubscribe’ link within the message body can turn out to be suspicious. If you respond to such a message, you merely confirm to cyber crooks that your email address is active.
  • Create a secondary email address to use whenever you need to register for a web service or sign up for something. Giving away your true email address on random websites is never a good idea.
  • Your email name should be tough to guess. Research indicates that email addresses containing numbers, letters and underscores are harder to guess and generally receive less spam.
  • View your emails in plain text, and there’s a good reason why. Spam written in HTML may contain code designed to redirect you to unwanted pages (e.g. advertising). Also, images within the email body can be used to ‘phone home’ to spammers, who use them to identify active addresses for future spam campaigns. Thus, viewing emails in plain text appears to be the better option. To do so, navigate to your email client’s main menu, go to Preferences and select the option to read emails in plain text.
  • Avoid posting your email address, or a link to it, on web pages. Spam bots and web spiders can harvest email addresses. If you do need to leave your email address, write it as follows: NAME [at] MAIL [dot] com, or something similar. You can also look for a contact form on the website – filling out that form shouldn’t reveal your email address or your identity.


Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim
