Pierluigi Paganini February 22, 2016

Operators running websites based on the WordPress and Joomla must be aware of a spike in the number of compromised platforms used in Admedia attacks.

Not only WordPress CMS, threat actors behind the “Admedia attacks” are now looking with increasing interest to Joomla. This is the discovery made by the experts at the Internet Storm Center (ISC) that discovered the presence of the bad actors responsible of the Admedia attacks, behind a hacking campaign that targeted Joomla-hosted sites.

Early February, experts at Sucuri reported a spike in compromised WordPress sites generating hidden iframes with malicious URLs referencing domain hosting exploit kit.  The researchers at Sucuri observed the use of the string “admedia” in most URLs generated by the iframes.

“These “admedia” URLs act as a gate between the compromised website and the EK server.  EK traffic associated with this campaign has generally sent TeslaCrypt ransomware.  However, characteristics of this campaign have evolved since Sucuri’s original blog post.” states an analysis published by the Internet Storm Center (ISC).

The campaign is evolving, on Wednesday 2016-02-17 Brad Duncan, security researcher at Rackspace, discovered the new attack chain. The attacks started with a compromised website that generated an admedia gate, which led to Angler EK that is used to serve TeslaCrypt to vulnerable machines. The experts also highlighted that crooks behind the admedia attacks that initially relied on Nuclear exploit kit on compromised sites, now added the Angler exploit kit.

The analysis of the traffic generated by the malware allowed the ISC to identify the following components:

• 178.62.122.211 – img.belayamorda.info – admedia gate
• 185.46.11.113 – ssd.summerspellman.com – Angler EK
• 192.185.39.64 – clothdiapersexpert.com – TeslaCrypt callback traffic

The attackers compromised website generate the admedia gate by injecting malicious scripts.

“As the Sucuri blog already reported, each .js file returned by the compromised site had malicious script appended to it.  In a case on 2016-02-15, I also saw the same type of script included in an HTML page from the compromised website; however, today’s traffic only shows injected script in the .js files.” Duncan wrote.

The above image demonstrates that attackers have started using “megaadvertize” in their gateway URLs, instead of “admedia.”

Stay tuned …

Pierluigi Paganini

(Security Affairs – Admedia attacks, Nuclear Exploit Kit)