The TeslaCrypt ransomware campaign started this month and is now spreading fast. According to security experts, the phishing emails have already extended from WordPress to some compromised Joomla websites.
The security researcher Brad Duncan found out a new kink in the campaign’s mode of operation after he discovered Joomla sites that exhibited the same signs of infection as first spotted by Sucuri researchers at the beginning of February.
Originally, the ransomware campaign attracted Sucuri’s attention after cybercriminals were found accessing WordPress websites through unknown methods and altering their source code.
The websites would show a hidden iframe, which would load malicious code, redirecting users to a Web page hosting the Nuclear exploit kit. Shortly after Sucuri published its discovery, security experts from Heimdal Security reported that it was namely TeslaCrypt ransomware that the exploit kit was delivering.
It looks like the issue has escalated lately, and Mr. Duncan now reports that the hackers behind this campaign have found a way to breach Joomla websites and inject their malicious iframe into the sites’ JavaScript files.
Also, Mr. Duncan says that while in the beginning webmasters would have been able to spot the malicious code thanks to the “admedia” term used in its URL, this has now changed to “megaadvertize.”
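The two signs of compromise the article describes (a hidden iframe injected into a site’s JavaScript files, and a loader URL containing the campaign term “admedia” or, later, “megaadvertize”) lend themselves to a simple webmaster-side check. The script below is an added example, not code from the article or from the researchers it cites: it scans JavaScript text for iframe tags that are either styled invisible or point at a URL containing one of the reported terms, and it also compares file hashes against a trusted baseline so that obfuscated injections the keyword scan misses still show up as unexpected file changes. The sample JavaScript, the `example.invalid` hostnames and the function names are all constructed for illustration.

```python
import hashlib
import re

# URL terms the article reports for this campaign's injected iframes:
# "admedia" at first, later "megaadvertize". Extend as new variants appear.
CAMPAIGN_URL_TERMS = ("admedia", "megaadvertize")

# Match an <iframe ...> tag even when it sits inside a JS string literal
# (e.g. emitted via document.write), so .js files can be scanned like HTML.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
STYLE_RE = re.compile(r"""style\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
DIM_RE = re.compile(r"""(?:width|height)\s*[:=]\s*["']?(\d+)""", re.IGNORECASE)
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


def _is_hidden(tag):
    """Heuristic: the iframe is styled invisible or sized to at most 1 pixel."""
    m = STYLE_RE.search(tag)
    style = m.group(1).replace(" ", "").lower() if m else ""
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        return True
    dims = DIM_RE.findall(tag)
    return bool(dims) and all(int(d) <= 1 for d in dims)


def scan_js(text):
    """Return one finding per suspicious iframe: line number, src and reasons."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        line_no = text.count("\n", 0, m.start()) + 1
        src_m = SRC_RE.search(tag)
        src = src_m.group(1) if src_m else ""
        reasons = []
        if any(term in src.lower() for term in CAMPAIGN_URL_TERMS):
            reasons.append("campaign url term")
        if _is_hidden(tag):
            reasons.append("hidden iframe")
        if reasons:
            findings.append({"line": line_no, "src": src, "reasons": reasons})
    return findings


def sha256_text(content):
    """Hex SHA-256 of a file's text, used for the baseline comparison."""
    return hashlib.sha256(content.encode("utf-8")).hexdigest()


def changed_files(baseline, current):
    """Names whose hash differs from, or is absent in, the trusted baseline.

    baseline: {filename: sha256 hex} recorded from a known-clean deployment.
    current:  {filename: file text} read from the live site.
    """
    return sorted(
        name for name, content in current.items()
        if sha256_text(content) != baseline.get(name)
    )


# Constructed sample: one legitimate embed and one injected, hidden loader.
SAMPLE_JS = """\
(function(){ var x = 1; })();
document.write('<iframe src="http://example.invalid/megaadvertize/ad.php" width="1" height="1" style="display:none"></iframe>');
var legit = '<iframe src="https://example.invalid/player" width="640" height="360"></iframe>';
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print("line %d: %s (%s)" % (f["line"], f["src"], ", ".join(f["reasons"])))
    baseline = {"site.js": sha256_text("(function(){ var x = 1; })();\n")}
    print("changed:", changed_files(baseline, {"site.js": SAMPLE_JS}))
```

The keyword scan only catches variants whose loader URL is written out in clear; injections that assemble the string at runtime will slip past it, which is why the hash baseline is the check to rely on: any JavaScript file whose hash differs from the copy you deployed deserves a manual look, whatever it contains.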
The other change in the ransomware campaign is the fact that the criminals dropped the Nuclear exploit kit and started using the Angler variant instead.
In addition, Mr. Duncan pointed out something rather unusual, even though it is not directly related to this campaign.
“So far, I’ve only seen TeslaCrypt from this admedia campaign. In fact, I’ve seen a whole lot of TeslaCrypt lately, with little other ransomware from EK traffic.”
“For example, I last saw CryptoWall on 2016-02-05. Since then, I haven’t noticed any CryptoWall.”