14 DAY TRIAL // Three days ago, we reported on a threat advisory issued by Sucuri researchers about a malicious campaign that leveraged compromised WordPress sites to push malware (Backdoor.Andromeda) via the Neutrino Exploit Kit.
Today, researchers from Heimdal Security are reporting on the same campaign but say that they've seen it spreading a variant of the famous TeslaCrypt ransomware, a version with a very low detection rate on VirusTotal (2/56).
Heimdal Security researchers are saying they've blocked at least 85 domains used to spread the ransomware by now, but due to this campaign's specific make-up, this number is sure to go up in the following days.
What's strange about this particular attack on WordPress sites is that whenever attackers compromise the websites, they use a malware strain that automatically injects all JavaScript files with malicious code. If other domains are also hosted on the same server, they're all infected as well, and if the developer attempts to clean one website, the other websites will infect it right back soon after.
This specific trait allowed the campaign to continue and even spread, and if at first it was just pushing annoying ads, two days later, Malwarebytes observed it started redirecting users to the Nuclear Exploit Kit.
Today things seem to have taken a turn for the worse, and unless you're using an ad blocker or a security product that can detect these automatic hidden redirects, you probably won't notice anything fishy unless it's already too late.
