Hacked WordPress Sites Serve Teslacrypt Ransomware

During the past week, the security experts have reported an increase in TeslaCrypt ransomeware. According to the researchers, the latest peak has been influenced by the WordPress content management system (CMS).

Ars Technica reported that the attack redirects visitors from original websites to malicious ones. The malicious websites host code from the Nuclear exploit kit (EK), and the WordPress sites are injected with large amounts of code that perform a silent redirection to domains displaying host adverts. Nevertheless, this is just a diversion: These advertisements are stuffed with more code that sends visitors to the true destination, the Nuclear Exploit Kit.

In case the users have out-of-date, unpatched versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight or Internet Explorer, their computers are certainly at risk of an infection by the TeslaCrypt ransomware. If they got infected, the malware will encrypt users’ files and will ask them to pay ransom for the decryption key.

According to a security company, there were some distinguishing features of TeslaCrypt, including the fact that it had 32 hex-digit strings at the beginning and end of the code. So, once the code has been decrypted it always looks the same. A very interesting fact here is the one that this malware only infects first-time visitors to the infected website. It look like TeslaCrypt may exhibit this sort of behavior in order to throw off security researchers, while Sucuri made sure to mention the invisible iframes installed as part of this process.

The URLs of the invisible iframe all use third-level domains and have “Admedia” or “advertizing” in the path. The malicious domains and sub-domains point to servers on Digital Ocean’s network:

  • 46.101.84.214
  • 178.62.37.217
  • 178.62.37.131
  • 178.62.90.65

Also, TeslaCrypt is capable of uploading multiple backdoors into various locations on the affected Web server and frequently updates the injected code. In other words, the malware reinfects all the JavaScript files it can access using cross-site contamination as the method.
This means that a webmaster should sanitize all the websites on the server at the same time, not just the obviously affected ones, in order to permanently remove the infection.

In any case, what users and website owners should keep in mind is that they have to use unique passwords and the latest versions of patched products until the TeslaCrypt issue is resolved.

Leave a Comment

Your email address will not be published.

Time limit is exhausted. Please reload CAPTCHA.