Administrators of WordPress and Joomla sites would do well to check their properties for specific fake analytics code, as a ransomware delivery campaign that takes advantage of vulnerable sites has been going strong for over a month now.
Sucuri researchers began warning about the “Realstatistics” malware campaign two weeks ago, and dated it back to June 6 (at least).
The name of the campaign was derived from the name of the domains used by the attackers to host the exploit kit: first realstatistics.info, then realstatistics.pro.
The first one has already been taken down, and the latter is currently being flagged as a malware site by Google Safe Browsing. There can be no doubt that the attackers will soon change it to a third one.
Although many of the already compromised sites are running out-of-date Joomla! and WordPress installations, Sucuri researchers believe that the attackers are exploiting vulnerabilities in plugins and extensions.
“When a CMS is out of date, it speaks volumes to the administration/maintenance strategies a website is employing. If a website owner is unable to keep their core up to date, we can confidently say that they are likely not keeping the extensible components up to date. And we know from our previous research that the leading vector in most CMS applications comes from third-party integrations like plugins and extensions,” Sucuri CTO Daniel Cid noted.
The company’s researchers recently pinpointed a new attack vector and exploitation process used in this campaign to compromise Joomla sites.
The attackers are exploiting CVE-2015-8562, an RCE flaw that was both heavily exploited and patched late last year.
“The new variation we discovered is using a new vector with the filter-search option which hasn’t yet been disclosed. This results in a far higher success rate, and has a lot to do with why the Realstatistics malware campaign is successful in compromising a high number of sites in such a short period of time,” Cid pointed out.
The vulnerability is exploited to plant a backdoor in the vulnerable installation, and that backdoor is later used to inject the fake analytics code into the site.
“This infection is only impacting unpatched Joomla sites, so make sure that your Joomla sites are up-to-date. This is a new attack vector on an old vulnerability, so if you can’t patch, you should be sure your website firewall is virtually patching this new variation,” Cid advised.
“We recommend checking your logs for requests from 46 .183 .219 .91 – if you find requests similar to the ones in this post, consider your website compromised. At this point you should take steps to remove the malware immediately and prevent reinfection.”
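Two of the checks described above, reviewing access logs for the indicator IP and looking for injected script tags that point at the campaign's domains, as an added Python example; this is not Sucuri's code or part of the original article, the log lines and page source are constructed, and matching script tags on the realstatistics domains is an assumption, since the article does not show the injected snippet itself.

```python
import re

# Indicators taken from the article: the client IP to look for in web server logs and
# the domains the campaign used. The injected snippet itself is not shown in the
# article, so treating a <script src> on those domains as the injection is an assumption.
INDICATOR_IPS = {"46.183.219.91"}
INDICATOR_DOMAINS = ("realstatistics.info", "realstatistics.pro")

# Apache/nginx "combined" access-log format: ip ident user [time] "request" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

def flag_log_lines(lines):
    """Return (ip, time, request, status) for each line whose client IP is an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("ip") in INDICATOR_IPS:
            hits.append((m.group("ip"), m.group("time"), m.group("request"), int(m.group("status"))))
    return hits

SCRIPT_RE = re.compile(r'<script[^>]+src\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def find_injected_scripts(html):
    """Return every <script src> URL in html whose host is one of the indicator domains."""
    found = []
    for url in SCRIPT_RE.findall(html):
        host = re.sub(r'^(?:https?:)?//', '', url).split('/')[0].lower()
        if any(host == d or host.endswith('.' + d) for d in INDICATOR_DOMAINS):
            found.append(url)
    return found

# Constructed sample data (not real logs or a real site): two requests from the indicator IP
SAMPLE_LOG = [
    '46.183.219.91 - - [14/Jul/2016:10:21:07 +0000] "POST /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/Jul/2016:10:21:09 +0000] "GET / HTTP/1.1" 200 8934 "-" "Mozilla/5.0"',
    '46.183.219.91 - - [14/Jul/2016:10:22:40 +0000] "GET /administrator/index.php HTTP/1.1" 200 203 "-" "curl/7.47"',
]
SAMPLE_HTML = ('<html><head><script src="//realstatistics.pro/js/analytics.js"></script>'
               '<script src="https://www.google-analytics.com/analytics.js"></script></head></html>')

if __name__ == "__main__":
    for hit in flag_log_lines(SAMPLE_LOG):
        print("suspect request:", hit)
    for url in find_injected_scripts(SAMPLE_HTML):
        print("suspect script:", url)
```

Run it against real access logs and the site's rendered HTML by replacing the two sample inputs; a hit on either check is the signal the article says to treat as a compromise.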