Compromised WordPress and Joomla Sites Found Distributing Malware to Visitors

Attackers were found using certain websites based on popular content management platforms WordPress and Joomla to spread malware. The attackers took advantage of weaknesses in extensions, plug-ins, and themes to hide and distribute malware and phishing pages through a hidden HTTPS directory.

Researcher Mohd Sadique from Zscaler published a report detailing how attackers are targeting the content management systems (CMSs) WordPress and Joomla for hacking and content injection. Platform administrators were reportedly unaware that malware had been placed in a well-known hidden directory present on HTTPS sites, where it was used to distribute Shade ransomware and host phishing pages. Infections can be carried out via extensions, plug-ins, or themes.

The hidden directory in question is used to prove domain ownership as part of the certificate authority (CA) verification process. Because it is rarely reviewed, attackers can count not only on the directory being present on most HTTPS sites but also on malicious content placed there going undetected on the compromised sites for long periods.

Compromised WordPress sites were seen running vulnerable versions from 4.8.9 up to the current 5.1.1. These sites are likely using outdated CMS themes or server-side software.

[READ: Technical analysis of WordPress RCE vulnerabilities CVE-2019-8942 and CVE-2019-8943]

Among the spike in detected malware, the researchers identified Shade ransomware as one of the main threats deployed to site visitors. Other malicious payloads included phishing pages, adware, and coin miners. Shade ransomware was also found being distributed as .EXE files named msg.jpg and msges.jpg. The ransomware typically spreads through malspam carrying .ZIP attachments or HTML links that download the .ZIP file; the spam purports to be an order update from a Russian organization.

[Spam alert: SHADE ransomware being delivered via embedded links in PDF]

The phishing pages, on the other hand, were hosted under the SSL-validated hidden directories and used pop-ups to trick visitors into entering their credentials. The campaign's pages were disguised as DHL, Dropbox, OneDrive, and Yahoo! Mail login pages, among others.

Best practices for CMS users

Administrators are advised to regularly update the CMS or employ virtual patching to address vulnerabilities that have yet to receive patches. Routinely check websites for exploitable vulnerabilities and disable or delete outdated or unused plug-ins. Admins should also consider stronger restrictions on users’ local admin access.
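One way to turn the "routinely check" advice into a concrete review of the hidden domain-validation directory the article describes, as an added example that is not from the article or from Zscaler's report: the script below walks a directory tree (assumed to be a copy of the server's .well-known path) and flags files whose content does not match their name, such as a Windows executable saved as msg.jpg, or file types that have no business in a validation directory. The magic-byte table, directory layout and sample files are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Magic bytes a file with this extension should begin with (assumed minimal table).
IMAGE_MAGIC = {".jpg": (b"\xff\xd8\xff",), ".png": (b"\x89PNG\r\n\x1a\n",)}
# Extensions that have no business in a domain-validation directory.
SUSPICIOUS_EXT = {".php", ".html", ".htm", ".js", ".zip", ".exe"}

def classify_file(path):
    """Return a verdict for one file, or None if it looks benign."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    if head.startswith(b"MZ"):  # Windows PE header, whatever the file name claims
        return "pe-executable"
    ext = Path(path).suffix.lower()
    if ext in IMAGE_MAGIC and not any(head.startswith(m) for m in IMAGE_MAGIC[ext]):
        return "extension-mismatch"
    if ext in SUSPICIOUS_EXT:
        return "unexpected-type"
    return None

def audit_directory(root):
    """Walk root and return sorted (relative_path, verdict) pairs for suspicious files."""
    root = Path(root)
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            verdict = classify_file(p)
            if verdict:
                findings.append((p.relative_to(root).as_posix(), verdict))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree modelled on the article's findings."""
    tmp = Path(tempfile.mkdtemp())
    acme = tmp / "acme-challenge"
    acme.mkdir()
    (acme / "token").write_bytes(b"abc123.DEF456")  # legitimate validation token (constructed)
    (acme / "logo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)  # genuine JPEG header
    (acme / "msg.jpg").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE executable named as an image
    (acme / "banner.png").write_bytes(b"not really a png")  # content disagrees with extension
    (tmp / "dropbox").mkdir()
    (tmp / "dropbox" / "login.html").write_bytes(b"<html>")  # phishing page stand-in
    return audit_directory(tmp)
```

Call demo() to see the three findings on the constructed tree, or point audit_directory at a site's real validation directory; a legitimate validation token and a genuine image produce no finding.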

Users should likewise be wary of links and attachments, especially from unsolicited emails. Recipients should ignore spam email to avoid being infected with malware or redirected to phishing pages. Users should also practice basic security measures against email threats.
