Large Number of WordPress Hacks Silently Delivering Ransomware to Visitors

Mysteriously, a large number of sites running WordPress have been hacked and made to deliver crypto-ransomware and other malicious software to visitors. Until last week, web security services were unaware of this mass compromise.

Three separate security firms have since come forward to report that visitors to a large number of legitimate WordPress sites are being silently redirected to malicious sites that host code from the Nuclear exploit kit.

Users running outdated versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight, or Internet Explorer are highly susceptible to infection with the TeslaCrypt ransomware. The ransomware encrypts files on the computer, and the decryption key needed to restore them is only offered in exchange for a hefty ransom.

“WordPress sites are injected with huge blurbs of rogue code that perform a silent redirection to domains appearing to be hosting ads,” Malwarebytes Senior Security Researcher Jérôme Segura wrote in a blog post published Wednesday. “This is a distraction (and fraud) as the ad is stuffed with more code that sends visitors to the Nuclear Exploit Kit.”

Researchers at Heimdal Security Software wrote in a blog post: “The campaign makes use of several domains to deliver the malicious code, which is why active servers can quickly change depending on which IP as DNS lookup they use.” Hackers are exploiting an unidentified vulnerability and planting obfuscated JavaScript that redirects traffic to a domain called chrenovuihren. An online ad then pops up on that site and forces traffic on to the site hosting the Nuclear exploit kit.

“This past weekend we registered a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files,” website security firm Sucuri said in a blog post on Monday. “This malware uploads multiple backdoors into various locations on the webserver and frequently updates the injected code. This is why many webmasters are experiencing constant reinfections post-cleanup of their .js files.”
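The behaviour Sucuri describes (obfuscated code appended to the end of every legitimate .js file, plus backdoors dropped elsewhere on the server) suggests a simple integrity check for site owners: diff the live document root against a pristine copy and separate files that merely grew a suspicious tail from files that are new or rewritten. The following script is an added example, not code from the article or from any of the firms quoted; the sample file contents and paths in it are constructed for illustration, and the obfuscation markers and entropy threshold are assumptions a practitioner would tune.

```python
import math
import os

# Constructed sample: a clean jQuery-style file, and the same file with an
# obfuscated redirector appended to its end, as the Sucuri post describes.
CLEAN_JS = b"(function($){ $(document).ready(function(){ $('.menu').show(); }); })(jQuery);\n"
APPENDED_BLOB = (b";var _0x2f1c=['\\x6c\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e'];"
                 b"eval(function(p,a,c,k,e,d){return p;}('redirect-stub'));")
INFECTED_JS = CLEAN_JS + APPENDED_BLOB

# Assumed indicators of obfuscated JavaScript; extend with what you see in the wild.
OBFUSCATION_MARKERS = (b"eval(", b"String.fromCharCode", b"unescape(", b"atob(")


def snapshot_tree(root, exts=(".js", ".php")):
    """Map every file under root with one of the given extensions to its bytes.

    Run once against a pristine copy (a fresh WordPress/plugin/theme archive)
    and once against the live document root. Do not use a previously
    "cleaned" copy of the site as the baseline: the backdoors may already be in it,
    which is exactly why cleaning only the .js files leads to reinfection.
    """
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    snap[os.path.relpath(path, root)] = fh.read()
    return snap


def shannon_entropy(data):
    """Bits of entropy per byte; packed or encoded payloads score high."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_suspicious_tail(tail, entropy_threshold=4.8):
    """Heuristic: known obfuscation calls, or an unusually dense byte mix."""
    if any(marker in tail for marker in OBFUSCATION_MARKERS):
        return True
    return shannon_entropy(tail) > entropy_threshold


def find_injections(baseline, current):
    """Compare the pristine tree against the live one.

    Returns {relative_path: verdict} where verdict is:
      'appended' - baseline content intact, suspicious bytes added at the end
      'modified' - content changed in some other way (or a benign tail)
      'new'      - file not present in the baseline, e.g. a dropped PHP backdoor
    Unchanged files are not reported.
    """
    findings = {}
    for path, data in current.items():
        clean = baseline.get(path)
        if clean is None:
            findings[path] = "new"
        elif data == clean:
            continue
        elif data.startswith(clean) and is_suspicious_tail(data[len(clean):]):
            findings[path] = "appended"
        else:
            findings[path] = "modified"
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python check_js.py /path/to/pristine-wordpress /var/www/html
    pristine = snapshot_tree(sys.argv[1])
    live = snapshot_tree(sys.argv[2])
    for path, verdict in sorted(find_injections(pristine, live).items()):
        print(f"{verdict:9} {path}")
```

Files reported as "new" under wp-content/uploads or other writable directories deserve the closest look, since that is where dropped backdoors tend to live; stripping the appended tails without removing those files is the cleanup-then-reinfection cycle the Sucuri post describes.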