Campaign Targeting WordPress

In the past week, a massive campaign targeting WordPress-based websites has been reported by several security vendors, including Sucuri and Malwarebytes. In the previous iteration, unsuspecting victims were redirected to domains hosting ads which, if clicked, sent them to the Nuclear Exploit Kit landing page. Check Point security analysts have recently observed a change in the process – victims are now sent to the notorious Angler Exploit Kit landing page.

An obfuscated malicious script is appended to the end of the infected websites’ JS files. When the user’s browser loads the page, the script redirects to a gate controlled by the malicious actor.

This is the obfuscated script; everything after the comment is injected into the original script:

After two layers of obfuscation, we can see an iframe that redirects the victim to the actor’s gate:

The gate then responds with another script which examines the user’s browser. It then writes and submits a form object to the page, generating a POST request.

The POST response contains the following script, which redirects users to the Angler Exploit Kit Landing Page

The payload can vary at the threat actor’s discretion. In this particular instance, the payload used is the TeslaCrypt ransomware. At present, not many security vendors are familiar with this component of the ransomware, as its VirusTotal detection is relatively low.

Check point software blades provide protection against all stages of the infection chain:

Anti-Virus and Anti-Bot Blades provide protection against all known variants of the TeslaCrypt (Trojan-Ransom.Win32.TeslaCrypt; Operator.Teslacrypt)
IPS Blade provides protection against all known variants of the Angler Exploit Kit (Angler Exploit Kit Redirection; Angler Exploit Kit Landing Page; Angler Exploit Kit Landing Page URL; Angler Exploit Kit Landing Page Patterns)

Indicators of compromise:

a8f71638d511d60c7bf8c3de1f7951d7 – Payload MD5
krasnayadama[.]info – Gate Domain
emilyg[.]info – Angler Exploit Kit domain

See how use cases come to life through Check Point's customer stories.

See how use cases come to life through Check Point's customer stories.

See how use cases come to life through Check Point's customer stories.

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

AI-Powered Threat Prevention

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Learn hackers inside secrets and beat them at their own game

Check Point is 100% Channel. Grow Your Business with Us!

See how use cases come to life through Check Point's customer stories.

Campaign Targeting WordPress: Users being Redirected to Angler Exploit Kit

You may also like

Shifting Attack Landscapes and Sectors in Q1 2024 with a 28% increase in cyber attacks globally

Not So Private After All: How Dating Apps Can Reveal Your Exact Location

Agent Tesla Targeting United States & Australia: Revealing the Attackers’ Identities

Beyond Imagining – How AI is actively used in election campaigns around the world