Content Management Systems (CMSes) such as WordPress, Drupal, or Joomla are under a constant barrage of fire. Earlier this year, we detailed several waves of attacks against Drupal, also known as Drupalgeddon, pushing browser-based miners and various social engineering threats.
During the past few days, our crawlers have been catching a larger-than-usual number of WordPress sites being hijacked. One of the most visible client-side payloads we see are redirections to tech support scam pages. Digging deeper, we found that this is part of a series of attacks that have compromised thousands of WordPress sites since early September.
The sites that are affected are running the WordPress CMS and often using outdated plugins. We were not able to figure out whether this campaign was made worse by the exploitation of a single vulnerability, although the recent RCE for the Duplicator plugin came to mind. Our friends over at Sucuri believe this is a combination of multiple vectors.
The domain examhome[.]net had a recent whois change (2018-09-16) and interesting nameservers:
1a7ea920.bitcoin-dns[.]hosting a8332f3a.bitcoin-dns[.]hosting ad636824.bitcoin-dns[.]hosting c358ea2d.bitcoin-dns[.]hosting
The redirection flow shows further use of encoding to load mp3menu[.]org with a whois updated on 2018-09-15 and the following nameservers:
That .TK URL pattern is well known and has been documented in detail as part of a large Traffic Distribution System (TDS) responsible for massive redirections to browlock pages. Note the custom mouse cursor (the “Evil cursor”), which we reported on recently, has yet to be patched.
Scope and mitigations
The number of WordPress sites that have been compromised is increasing in the last few days, suggesting that these are ongoing campaigns.
Website owners affected by these attacks will have to perform a thorough cleanup of injected pages, databases, and backdoors. More importantly, they will need to identify the root cause of the compromise, which often times is an outdated WordPress installation or plugin.
Malwarebytes users running our browser extension are protected against the tech support scam pages without any need for signature updates.
Indicators of compromise
188.8.131.52,examhome[.]net,Examhome Campaign (URI) 184.108.40.206,uustoughtonma[.]org,Examhome Campaign (URI) 220.127.116.11,mp3menu[.]org,Examhome Campaign (URI) 18.104.22.168,ejyoklygase[.]tk,TK TSS Browlock (URI) Injected blurb (partial): String.fromCharCode(118, 97, 114, 32, 115, 111, 109 From Sucuri Labs: ads.voipnewswire[.]net/ad.js cdn.allyouwant[.]online/main.js?t=c