Sponsored by..

Thursday 11 September 2014

Malicious WordPress injection sending to 178.62.254.78 and 176.58.100.98

There is currently some sort of injection attack against WordPress sites that is injected code into the site's .js files. Not so unusual.. except that the payload site in the file changes every half hour or so.

A sample of the code can be seen here [pastebin], it looks similar to this (click to enlarge):


The site mentioned in the IFRAME is the one that keeps changing, so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details. The URLs I have seen recently are as follows:

[donotclick]sexyunanu.inthepress.org/bububiolasa16.html
[donotclick]binoduselda.vagfans.info/stickomanus16.html
[donotclick]binoduselda.finalmasterplugin.com/ditirakis16.html
[donotclick]binoduselda.ireleaseme.com/falcoruide16.html
[donotclick]binoduselda.hyakunime.net/bibkajuleman16.html
[donotclick]binoduselda.bateriafina.org/filimanuio16.html

All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 178.62.254.78 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format

[donotclick]piplakoras.askhartleyauto.com/3674e375m87i/1/9ffbf35e4190fbba62f70c8477fa3964.html

which is hosted on 176.58.100.98 (Linode, UK). The URL structure indicates that this might be the Nuclear Exploit Kit, although it has been hardened against analysis.

I can't detect all the sites on 178.62.254.78, but a list of the ones I have observed so far can be found here [pastebin] and those on 176.58.100.98 can be found here. But blocking the following IPs may give you better protection:

176.58.100.98
178.62.254.78

Update 2014-09-12 0830 UTC: overnight a whole set of other malicious subdomains (hijacked again from AFRAID.ORG users) were active, using the same IPs to spread malware. The domains change every 30 to 60 minutes or so.

iflaroust.trainersclub.com.br/iflitegouler16.html
iflaroust.transtornomental.com.br/giditures16.html
iflaroust.transtornos.com.br/sukerkae16.html
iflaroust.ubertom.com/bubuerleras16.html
iflaroust.vaughnnugent.com/bubudejana16.html
biblaroita.lecnet.org/bubuidaheta16.html
biblaroita.ukies60.co.uk/nunigahulaala16.html
biblaroita.farahdzila.com/bubliorefusei16.html
biblaroita.buypurestevia.net/buidadusel16.html
biblaroita.loto-365.com/digigafus16.html
biblaroita.loto-777.com/ififuleradus16.html
biblaroita.g8r.ca/iglamiuser16.html
filmagrafy.qqm59.com/laperiuds16.html
filmagrafy.mda77.com/alsominora16.html
filmagrafy.fok96.com/ditroitosmiktajeras16.html
filmagrafy.hosting15.net/fiklakerasio16.html
filmagrafy.tab73.com/bibloruserna16.html
filmagrafy.uzz58.com/sigagulet16.html
filmagrafy.kts25.com/ifafloruseta16.html
guider.xmm85.com/fifakuitro16.html
guider.jam92.com/ifagugehaler16.html
guider.queensland-bedlinen.com/ifigahugera16.html

No comments: