Attacker is using an unknown backdoor to reinfect websites

Feb 2, 2016 11:17 GMT

Security researchers from Sucuri have identified a new campaign targeting WordPress websites that's injecting their JavaScript files with snippets of malicious code.

As Sucuri explains, the code does nothing directly harmful to the visitor's computer, such as redirecting them to an exploit kit landing page or serving malware; it only loads an iframe and shows advertisements.

All ads load with the same attacker referral ID (Twiue123) and mention AdMedia, a popular advertising network. Sucuri has not yet been able to confirm that the injected ads actually belong to AdMedia.

The infection affects all of a site's JavaScript files, not just one or two, and developers can easily spot it: the injected code contains a large array of string constants in hexadecimal representation, enclosed between two identical JavaScript comments that look like an MD5 hash.
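A detector for the indicator just described, added here as an example and not code from Sucuri or from the article: it scans JavaScript files for a block enclosed between two identical MD5-looking comments that contains many hex-escaped string constants, reports each hit, and can cut the block out. The marker hash, the word list and the sample file are constructed; the comment and string regexes and the threshold of ten hex strings are assumptions, since the article gives only the qualitative description.

```python
import re
import sys
from pathlib import Path

# Assumed marker shape: a JS block comment whose body is 32 hex characters (MD5-like).
MARKER_RE = re.compile(r"/\*\s*([0-9a-fA-F]{32})\s*\*/")
# Assumed string shape: a quoted literal made only of \xNN escapes.
HEX_STRING_RE = re.compile(r"""["'](?:\\x[0-9a-fA-F]{2})+["']""")


def find_injections(js_source, min_hex_strings=10):
    """Return (marker_hash, hex_string_count, start, end) for every region that
    sits between two identical MD5-looking comments and holds at least
    min_hex_strings hex-escaped string constants."""
    hits = []
    markers = list(MARKER_RE.finditer(js_source))
    i = 0
    while i < len(markers):
        first = markers[i]
        for j in range(i + 1, len(markers)):
            second = markers[j]
            if second.group(1).lower() == first.group(1).lower():
                body = js_source[first.end():second.start()]
                count = len(HEX_STRING_RE.findall(body))
                if count >= min_hex_strings:
                    hits.append((first.group(1).lower(), count, first.start(), second.end()))
                i = j  # resume after the closing marker
                break
        i += 1
    return hits


def strip_injections(js_source, min_hex_strings=10):
    """Return js_source with every detected block removed; blocks are cut from
    the highest offset down so earlier offsets remain valid."""
    cleaned = js_source
    hits = sorted(find_injections(js_source, min_hex_strings), key=lambda h: h[2], reverse=True)
    for _, _, start, end in hits:
        cleaned = cleaned[:start] + cleaned[end:]
    return cleaned


def scan_directory(root, min_hex_strings=10):
    """Walk root for *.js files and return {path: hits} for the infected ones."""
    report = {}
    for path in Path(root).rglob("*.js"):
        try:
            text = path.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        hits = find_injections(text, min_hex_strings)
        if hits:
            report[str(path)] = hits
    return report


def _hex_escape(text):
    """Encode a plain ASCII string as a JS literal made of \\xNN escapes."""
    return '"' + "".join("\\x%02x" % b for b in text.encode("ascii")) + '"'


# Constructed sample modelled on the article's description; not the real campaign's code.
CONSTRUCTED_WORDS = ["iframe", "src", "width", "height", "style", "document",
                     "createElement", "appendChild", "body", "display", "none", "Twiue123"]
CONSTRUCTED_MARKER = "/* 0123456789abcdef0123456789abcdef */"
CONSTRUCTED_INJECTION = (
    CONSTRUCTED_MARKER + "\n"
    + "var _0xabc=[" + ",".join(_hex_escape(w) for w in CONSTRUCTED_WORDS) + "];\n"
    + CONSTRUCTED_MARKER + "\n"
)
CONSTRUCTED_FILE = (
    "// legitimate theme script\n"
    "function init(){ console.log('hello'); }\n"
    + CONSTRUCTED_INJECTION
    + "init();\n"
)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_directory(root).items():
        for marker, count, start, end in hits:
            print("%s: marker %s, %d hex strings at bytes %d-%d" % (path, marker, count, start, end))
```

Run it as `python detect_js_injection.py /path/to/wordpress` to list infected files. Stripping the blocks only removes the visible payload; as the article notes, the attacker also leaves an unidentified backdoor and reinfects through other sites on the same hosting account, so a clean-up that stops at the JavaScript files will not hold.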

Attacker also leaves a backdoor on all compromised sites

Sucuri's Denis Sinegubko says that the infection only affects WordPress sites, and that the campaign's author is also leaving behind a secret backdoor, which Sucuri has not yet identified.

The attacker is apparently using the backdoor to reinfect websites after their owners have cleaned them.

"If you host several domains on the same hosting account all of them will be infected via a concept known as cross-site contamination," Mr. Sinegubko explains. "It’s not enough to clean just one site or all but one in such situations - an abandoned site will be the source of the reinfection."

Google has already blacklisted all the domains through which the attacker was loading their ad code. Sucuri also says that all these domains were registered by a person named Vasunya, with the email address [email protected].

The first domain dates back to December 22, 2015, and the last was registered yesterday, February 1, 2016.

UPDATE: Because we just couldn't believe this complex campaign was set up just to show some silly ads, and the Sucuri threat advisory didn't mention any malware, Softpedia contacted Sucuri to inquire more on this topic. This is what Mr. Sinegubko tweeted back two days after the initial report.

UPDATE 2: Malwarebytes senior security researcher Jérôme Segura also chimed in later on, and even penned a blog post afterwards, saying that the exploit kit is pushing a malware strain identified as Backdoor.Andromeda.