[Update - October 9, 2015]
Multiple Drupal & Joomla sites affected..
The Spyware campaign we wrote about two weeks ago continues to be active, although the number of infected websites has gone down. We are also seeing two other popular Content Management Systems (CMS), Drupal and Joomla sites being compromised and leveraged in this campaign.
|Spyware campaign hits from last 7 days|
The Zscaler security research team started investigating multiple WordPress related security events earlier this month and came across a new widespread compromised WordPress campaign leading to the download of unwanted applications. This has been briefly covered by dynamoo
and has been reported
by some users on official WordPress forums.
During our research, we discovered that this campaign started in the first week of August, 2015 and has been fairly active since then resulting in over 20,000 security events to date from over 2,000 web pages. Majority of the WordPress sites affected by this campaign are running latest version 4.3.1 but the compromise could have occurred prior to the update.
|Figure 1: August 2015 WordPress Campaign hits|
|Figure 2: September 2015 WordPress Campaign hits|
Although the target domains varied across the transactions that we saw, the associated server IP address has remained the same.
Target domains seen
The IP Address 18.104.22.168 associated with these domains is hosted in Latvia through a VPS hosting provider.
|Figure 5: User system information gathering script|
|Figure 6: Function to check the presence of Flash Plugin and version information|
The collected information is relayed back to the same server via a HTTP GET request. This is followed by a series of redirects leading to download of spyware or potentially unwanted applications (PUA) masquerading as legitimate applications.
|Figure 7: Redirects from Latvia VPS server leading to PUA download|
Fake Flash Player - Win32.InstallCore
In one of the cases, we observed the user is prompted to update the Flash Player as seen below:
|Figure 8: Out of date Flash Player warning|
The page prompts the user to update or install a new flash player update. Regardless of the option the user selects, a fake Adobe Flash Player application is downloaded.
FileName : Adobe Flash Player.exe
MD5 : fa75abf137224fc2c60b9b3c35c80a5e
This file is a .NET Compiled executable which downloads and executes another setup file named FlashSetup.exe.
FileName : Flash Setup.exe
|Figure 9: Fake Flash Player download|
The downloaded file flashsetup.exe is a variant of Potentially Unwanted Application Win32.InstallCore
. During the installation of the Adobe Flash Player, several other websites offering other unwanted scareware applications are displayed. One such case where the spyware installer prompts the user to download and install Windows 7 PC Repair tool is shown below:
|Figure 8: Scareware Windows 7 Repair utility|
|Figure 9: Download from third party sites & adware traffic from PUA|
Once the spyware installation is complete, the user is redirected to the legitimate Adobe page indicating that the installation was not successful prompting the user to start over. If the user chooses to start over the installation, Adobe Flash Player will be installed from the genuine Adobe site.
|Figure 10: User redirected to legitimate Adobe Flash Player|
Fake MediaDownloader update - Win32.DownloadAssistant
In another case, the webpage prompts the user with a fake MediaDownloader software update which is a variant of PUA Win32.DownloadAssistant.
|Figure 11: Fake MediaDownloader Update|
The end result is same where a potentially unwanted application is downloaded and installed on the victim machine. These applications have the capability to download additional malicious or unwanted applications.
We also saw instances of fake web browser plugins being downloaded and installed. Below is an example of a Google Chrome Plugin - NewTabTV plus.
|Figure 12: Fake Google Chrome Plugin download|
The compromised sites involved in this campaign are distributed worldwide and not limited to one particular region.
|Figure 13: Geo distribution of the compromised WordPress sites - September 2015|
WordPress, being one of the most popular Content Management Systems & Blogging platform, remains an attractive target for cybercriminals. Unlike previous campaigns involving Malware Authors
and Exploit Kit operators
, the end payload getting served in this campaign involves spyware and potentially unwanted applications. These applications may seem innocuous but can facilitate malvertising based attacks through unsolicited advertisements.
Zscaler ThreatLabZ is actively monitoring this campaign and ensuring that Zscaler customers are protected.
Analysis by Jithin Nair
and Sameer Patil