Reader’s Digest and other WordPress Sites Compromised, Push Angler EK

  • November 26, 2015

Jasper_The_Rasper
Moderator
November 26, 2015 | BY Jérôme Segura
 

We’re seeing another uptick in WordPress compromises, using a slightly different modus operandi than the EITest campaign we recently blogged about, being responsible for a large number of infections via the Angler exploit kit.

The attack consists of a malicious script injected within compromised WordPress sites that launches another URL whose final purpose is to load the Angler exploit kit. Site owners that have been affected should keep in mind that those injected scripts/URLs will vary over time, although they are all using the same pattern (see IOCs below for some examples).

The website of popular magazine Reader’s Digest is one of the victims of this campaign and people who have visited the portal recently should make sure they have not been infected. The payload we observed at the time of capture was Bedep, which loaded Necurs, a backdoor Trojan, but that of course can change from day to day.
 
Full Article