Thousands of compromised WordPress, Joomla and SquareSpace-based sites are actively pushing malware disguised as Firefox, Chrome and Flash Player updates to visitors.
Keeping the effort on the down-low
The malware peddlers are using a variety of techniques to keep their efforts less conspicuous:
- They obfuscate the malicious scripts and links to the malware in order to make static analysis very difficult and to hide some crucial fingerprinting that is designed to evade virtual machines and sandboxes.
- The delivered malware – Chtonic banking malware or the NetSupport Remote Access Tool – is digitally signed and uses various evasion techniques to defeat sandboxes.
- The malicious scripts redirect visitors to template download pages depending on the system and browser they use, and they do it only once per IP address to minimize the possibility of regular visitors getting suspicious.
- The decoy pages are hosted on compromised hosts via sub-domains using URIs with very short life spans.
“This campaign relies on a delivery mechanism that leverages social engineering and abuses a legitimate file hosting service. The ‘bait’ file consists of a script rather than a malicious executable, giving the attackers the flexibility to develop interesting obfuscation and fingerprinting techniques,” malware analyst Jérôme Segura explained.
“Compromised websites were abused to not only redirect users but also to host the fake updates scheme, making their owners unwitting participants in a malware campaign.”
How widespread is the campaign?
According to Malwarebytes’ estimates, thousands or WordPress and Joomla sites and a little over 900 SquareSpace sites have been injected with the malicious scripts.
“This campaign affects multiple Content Management Systems (CMS) in somewhat similar ways,” malware analyst Jérôme Segura noted.
“Several of the websites we checked were outdated and therefore vulnerable to malicious code injection. It is possible that attackers used the same techniques to build their inventory of compromised sites but we do not have enough information to confirm this theory.”
Website owners and administrators that use those CMSes woud do well to check whether their sites have been compromised and to clean them if they have, then update the CMS and any plugins they use to their latest versions – and keep them regularly updated. Also, they should review their authentication procedure and do what they can to make it more resilient to compromise (e.g., not use passwords that are easy to guess or brute-force).
Internet users should generally avoid downloading and installing software updates that they did not request themselves.