We are seeing dozens of WordPress sites compromised recently with the same malicious code redirecting to the Angler exploit kit.

The attack involves conditionally embedded large snippets of code at the bottom of the sites’ source page. It is important to stress this is a conditional injection because webmasters trying to identify the issue may not see it unless they browse from a fresh IP address and a particular user-agent (Internet Explorer being the most likely to get hit).

In the last few days, we saw some popular blogs being impacted, including blogs.independent.co.uk the blog for UK’s newspaper The Independent.

MBAE

WordPress compromises

The rogue code loads a Flash video file from a suspicious top-level domain name such as .ga, .tk or .ml which is used to redirect visitors to the Angler exploit kit. This is the same attack pattern we documented over a year ago (Exposing the Flash ‘EITest’ malware campaign).

independent_hack

It’s quite likely these compromises are happening through known vulnerabilities in either WordPress or one of its plugins. According to SiteCheck from web security company Sucuri, The Independent‘s blog was running an old version of WordPress (2.9.2). The latest WordPress version is 4.3.1.

This particular ‘EITest campaign’ never actually stopped and saw an increase in the last few months which has been sustained up until now.

Angler EK

Angler EK exploits Flash Player up until version 19.0.0.207, which was patched by Adobe on October 16.

Fiddler

Malwarebytes Anti-Exploit blocks this attack thanks to its proactive exploit mitigation. Unprotected users would have been infected with the Tinba banking Trojan.

We informed The Independent about this compromise but have not heard back from them. If you are a site owner, remember to always keep your website and its CMS up to date. It’s also important to use proper passwords and harden the infrastructure as much as you can to reduce the surface of attack.

If your WordPress site has been affected, keep in mind that the malicious injected code is just part of the symptoms from having your site hacked. It’s important to identify backdoors, .htaccess modifications as well as the original entry point, by looking at your access and error logs.

IOCs:

  • Regex to find embedded redirection URLs: \.php\?(s|)id\=[A-Z0-9]{50}
  • Flash redirector (.tk domains): 1168ccce0808ee8214dbccb080772ea4
  • Flash exploit (Angler): eed1e7fb49a23c9845015796f1b17449
  • Malware: 31fe96da59ca2b57deaa81d113aba2d2