Pierluigi Paganini April 03, 2019

Security experts at Zscaler discovered that threat actors are using hidden “well-known” directories of HTTPS sites to store and deliver malicious payloads.

Crooks are utilizing hidden “well-known” directories of HTTPS sites running WordPress and Joomla websites to store and serve malicious payloads.

Hacked websites were used for several malicious purposes, experts observed compromised WordPress and Joomla websites serving Shade/Troldesh ransomware, coin miners, backdoors, and some times were involved in phishing campaigns.

WordPress sites compromised by hackers were running versions 4.8.9 to 5.1.1 of the popular CMS that are affected by a cross-site request forgery (CSRF) flaw that resides in the comment section of WordPress that is enabled by default.

An attacker can hack a website running a vulnerable version of WordPress that has comments enabled by tricking an administrator of a target site into visiting a website set up by the attacker. 

According to the experts, the cybercriminals targeted websites running outdated CMS plugins and themes or server-side software. Compromised websites were using SSL certificates issued by Automatic Certificate Management Environment (ACME)-driven certificate authorities, such as Let’s Encrypt, GlobalSign, cPanel, and DigiCert.

“We have been monitoring the compromised HTTPS sites for a few weeks and have noticed that attackers are favoring a well-known hidden directory present on the HTTPS website for storing and distributing Shade ransomware and phishing pages.” reads the analysis from Zscaler.

“The hidden /.well-known/ directory in a website is a URI prefix for well-known locations defined by IETF and commonly used to demonstrate ownership of a domain. The administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directories to show the certificate authority (CA) that they control the domain.”

Threat actors abused a well-known hidden directory in the HTTPS sites for storing the malware. The directory is a URI prefix for well-known locations defined by IETF and used to demonstrate the ownership of a domain.

Administrators of HTTPS websites using ACME to manage SSL certificates place a unique token inside the folder, to show the CA that the domain is under their control. The CA scans this folder for a code that was previously sent to the administrator.

“The attackers use these locations to hide malware and phishing pages from the administrators. The tactic is effective because this directory is already present on most HTTPS sites and is hidden, which increases the life of the malicious/phishing content on the compromised site,” continues Zscaler

The following graph shows different types of threats that were distributed with this approach, the Shade ransomware was the most common one:

Compromises websites delivering the Shade/Troldesh ransomware, included three types of files, namely HTML, ZIP, and EXE files masquerading as .jpg images.

HTML files are used to redirect victims to download ZIP files (
reso.zip, rolf.zip, and stroi-invest.zip) that contain the JavaScript file.
msg.jpg and msges.jpg are EXE files that are the Shade ransomware.

The variant of Shade/Troldesh ransomware involved in the attack uses a TOR client to connect to the C2 and encrypts both the content and name of targeted files.

Attackers used phishing pages related to several popular services and brands, such as Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, and other brands, the security researchers say.

Further technical details are, including Indicators of Compromise, are reported in the analysis.

Pierluigi Paganini

(SecurityAffairs – HTTPs, Hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]