Posts with label: WordPress hacks

Hackers Linked to Palestine Use the New NimbleMamba Malware


A Palestinian-aligned hacking group has used a new malware implant to target Middle Eastern governments, foreign-policy think tanks and a state-affiliated airline as part of "highly focused intelligence collecting activities." Proofpoint researchers describe the recent activity of MoleRATs, a well-known and well-documented Arabic-speaking threat group, and its ongoing deployment of a new intelligence-gathering trojan dubbed "NimbleMamba."

NimbleMamba uses guardrails to verify that every infected host sits inside TA402's target region. It uses the Dropbox API both for command and control and for data exfiltration. The malware also has a number of features that hinder automated and manual analysis. It is under active development, well maintained, and built for use in highly targeted intelligence-collection campaigns.

The operators of MoleRATs, also tracked as TA402, are "changing the methodologies while developing these very neatly done, specialized and well-targeted campaigns," according to Sherrod DeGrippo, Proofpoint's vice president of threat analysis and detection.

According to the report, TA402 sends spear-phishing emails containing links to malware distribution sites. Those sites check the visitor's IP address: if it falls inside the targeted region, a copy of NimbleMamba is dropped on the machine inside a RAR archive; otherwise the visitor is redirected to a legitimate site. Three separate attack chains were identified, differing only slightly in the phishing lure theme, the redirection URL and the malware-hosting site.

In attacks observed in November 2021, the operators impersonated the Quora website. If the target system's IP address matched one of roughly two dozen geofenced country codes, the visitor was redirected to a domain serving the NimbleMamba malware; otherwise the visitor was sent to a legitimate news site.

Another campaign, launched in December 2021, used target-specific lures such as medical reports or sensitive geopolitical information and delivered the malware through Dropbox URLs.

In a third campaign, running from December into January, the attackers used a different lure for each victim but delivered the malware from an attacker-controlled WordPress site. That URL, too, only served the malware to visitors from specific countries.

NimbleMamba contains "various capabilities intended to confuse both automatic and manual analysis," the researchers said, adding that the malware is "currently being produced, is well-maintained, and tailored for use in highly focused intelligence collection programs."

The GootLoader Hackers are After Law Firms and Accounting Firms


GootLoader is an initial-access malware that lets its operators install a variety of other malware families, including ransomware, on infected devices. It was first identified in December 2020. In recent weeks the group behind it has been targeting employees of law and accounting firms, with the latest attack observed on January 6; eSentire says it has intercepted three such attacks so far. Potential victims are lured to compromised but otherwise legitimate websites that host hundreds of pages of business-related content, including free sample documents for download; what they actually download is GootLoader.

GootLoader is distributed through SEO-driven drive-by downloads, chiefly via Google search. In these recent attacks the operators lure business professionals to legitimate but compromised websites that they have packed with hundreds of pages of content, including many links to business agreements such as legal and financial contracts. The content claims to offer free downloads of these documents. eSentire's Threat Response Unit (TRU) found that during an intensive GootLoader campaign that began last December, the operators set up over 100,000 malicious web pages advertising various kinds of business agreements.

How are the GootLoader operators able to seed reputable websites with hundreds of pages of malicious content?

Unfortunately, it is all too simple. The GootLoader gang has identified hundreds of legitimate websites that run WordPress as their content management system. WordPress, like many other content management systems, has a long history of vulnerabilities (often in outdated core, plugin or theme code) that attackers can exploit to stuff a site with as many malicious pages as they like, without the owner's knowledge. According to the TRU team, the compromised sites span a wide range of industries, including hospitality, high-end retail, education, healthcare, music and visual arts.

"Because of the abundance of content that threat actors have pushed onto the web, when a professional looks for a sample business agreement on Google, the hackers' malicious web pages appear in the top Google search results," said Keegan Keplinger, TRU's research and reporting lead.

The security services provider said the targets were three law firms and an accounting firm, that it intercepted and shut down the attacks, and that the victims' identities have not been disclosed. Organizations should put a vetting process in place for business agreement samples, train staff to download documents only from reputable sources, and confirm that what was downloaded matches what they intended to download.

WordPress Websites Compromised; Injected With JavaScript Code

Google's recent decision to ban technical support advertisements from unverified advertisers appears to have pushed tech-support scammers to a new channel: thousands of WordPress websites have been compromised and injected with JavaScript code that redirects visitors to technical support scam pages.

Jérôme Segura of Malwarebytes tracked the attacks, which began in early September. On affected sites he observed either a large encoded blob, usually in the HTML header, or a single line of code that loads external JavaScript.

The encoded block in the HTML header deobfuscates to a redirect to the scam page.

The attackers use this technique to mimic the practices of legitimate organizations: running their "technical support" promotion through a legitimate advertising platform also makes them look trustworthy to potential victims.

The recently observed attacks follow the classic formula for persuading users to call for technical support: a redirect to a page displaying a warning about viruses running rampant on the PC, plus a convenient toll-free support phone number.

Speaking to Bleeping Computer, Segura said: "Besides pushing ads for some geolocations and user agents, we've also seen campaigns designed to redirect to websites that inject the CoinHive JavaScript miner, allowing the attacker to spend the resources of users' computers to mint Monero cryptocurrency for as long as the compromised page is open."

Malwarebytes has also seen sites where the injection lives in the 'wp_posts' table of the WordPress database, which stores all posts, pages and their revisions, along with navigation menu items, media records and content used by plugins.
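When the injection sits in the database rather than in a theme file, the place to look is the post content itself. The following is an added example (not Malwarebytes' or WordPress' code) that loads a few constructed wp_posts rows into an in-memory SQLite table and flags the two patterns described above: a script tag loading from a host that is not on the site's own allowlist, and an inline script that decodes a long encoded blob at runtime. The allowlisted hosts, the sample rows and the `.invalid` domains are all assumptions made for the demo.

```python
"""Scan a wp_posts table for injected or obfuscated <script> content.

Added example. Builds a minimal wp_posts table in SQLite with constructed rows;
on a real site run the same SELECT against MySQL (or a mysqldump) and feed the
rows to classify().
"""
import re
import sqlite3
from typing import Dict, List

# Hosts this (hypothetical) site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"example.com", "cdn.example.com"}

# <script ... src="http://host/..."> or protocol-relative "//host/..."
SCRIPT_SRC_RE = re.compile(
    r'<script[^>]+src=["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)
# Inline code that decodes something at runtime instead of shipping plain JS.
OBFUSCATION_RE = re.compile(
    r'eval\s*\(|unescape\s*\(|atob\s*\(|String\.fromCharCode', re.I)
# Long percent-encoded or base64-looking runs, the "encoded blob" pattern.
BLOB_RE = re.compile(r'(?:%[0-9a-f]{2}){40,}|[A-Za-z0-9+/=]{120,}', re.I)


def classify(content: str) -> List[str]:
    """Return the reasons a post's HTML looks injected (empty list = clean)."""
    reasons = []
    for host in SCRIPT_SRC_RE.findall(content):
        if host.lower() not in ALLOWED_SCRIPT_HOSTS:
            reasons.append(f"external script from {host}")
    if OBFUSCATION_RE.search(content):
        reasons.append("runtime-decoding inline script")
    if BLOB_RE.search(content):
        reasons.append("long encoded blob")
    return reasons


def scan_posts(conn: sqlite3.Connection) -> List[Dict]:
    """Pull every row that contains a <script> tag, revisions included, and classify it."""
    findings = []
    rows = conn.execute(
        "SELECT ID, post_type, post_content FROM wp_posts "
        "WHERE post_content LIKE '%<script%'")
    for post_id, post_type, content in rows:
        reasons = classify(content)
        if reasons:
            findings.append({"id": post_id, "type": post_type, "reasons": reasons})
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: one clean post, one legitimate script, two injections."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_type TEXT, post_content TEXT)")
    # Percent-encoded redirect, the shape of the "encoded blob" seen in headers.
    blob = "".join("%%%02x" % b for b in b'window.location="http://tss.invalid/alert.html";' * 2)
    rows = [
        (1, "post", "<p>Welcome to our blog.</p>"),
        (2, "page", '<p>Contact</p><script src="https://cdn.example.com/widget.js"></script>'),
        (3, "post", '<p>News</p><script src="http://badcdn.invalid/js/support.js"></script>'),
        (4, "revision", "<p>Old copy</p><script>eval(unescape('%s'))</script>" % blob),
    ]
    conn.executemany("INSERT INTO wp_posts VALUES (?, ?, ?)", rows)
    return conn


if __name__ == "__main__":
    for f in scan_posts(build_sample_db()):
        print(f"post {f['id']} ({f['type']}): {', '.join(f['reasons'])}")
```

Note that the query deliberately does not filter on post_type: revisions live in the same table, so a clean-up that only edits the published copy leaves the injected script in the revision rows, ready to come back with one click of "restore".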

WordPress Automatic update won't help in cleaning malicious files

Cybercriminals have compromised more than 1,000 WordPress websites and modified the automatic update feature so that visitors are redirected to malicious sites, e-commerce sites or low-quality PPC search result aggregators.

The attackers modified the 'wp-admin/includes/update.php' file, specifically the 'wp_update_core' function used by the WordPress automatic update feature.

This function checks for available updates, downloads the new files and replaces the old ones to complete the upgrade. When the malicious code planted in 'wp_update_core' runs, it reinfects the freshly updated wp-settings.php file.

"So if you thought that a WordPress upgrade could only make your blog cleaner, you were wrong. If your blog was infected before the upgrade and hasn't been completely cleaned up, the upgrade itself may even reinfect files that were clean before the upgrade," said Denis Sinegubko, founder of the Unmask Parasites website.

"Manual upgrades and upgrades via SVN are still completely safe. By the way, not only are SVN updates safe, but they are also nearly as simple as automatic updates (one simple command) and provide built-in integrity control, so you can easily identify all changed and potentially infected WordPress code files and have them reverted to their original state," he concludes.

TimThumb vulnerability in WordPress leads to malware infection

Last month, Armorize discovered thousands of WordPress sites infected with malware. Avast researchers investigated the compromise and concluded that it relies on the Blackhole exploit kit, written by Russian developers and sold on the black market for $1,500.

The vulnerability in outdated TimThumb installations allows attackers to upload and execute arbitrary PHP code via the TimThumb cache directory, which then downloads further malicious files. But this is not the only entry point: the attackers also use stolen FTP passwords to modify files directly.

In your FTP listing, alongside the other site files, a new file appears with a name like ./wp-content/w3tc/min/a12ed303.925433.js or ./wp-includes/js/l10n.js

These scripts redirect visitors to another site hosting the Blackhole exploit kit. The victim is then served a JAR file that deploys further malicious downloads onto the infected system.
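Both of the last two posts come down to the same check: compare the site's core files against a known-good reference (the integrity control Sinegubko gets from an SVN checkout) and look for executable files that have appeared where only data should live (the TimThumb cache case). The following is an added example, not code from WordPress, Unmask Parasites or Avast. It builds a SHA-256 manifest of core files from a clean tree, then audits a tree for modified core files, core files not in the manifest, and PHP or JavaScript dropped under upload/cache directories. The directory layout, file contents and "injected" placeholders are constructed for the demo; the cache directory names are assumptions.

```python
"""Audit a WordPress tree for modified core files and dropped scripts.

Added example. On a real site, build the manifest from a fresh copy of the
same WordPress version (release zip or SVN checkout), never from the live tree.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

CORE_DIRS = ("wp-admin/", "wp-includes/")
# Directories that hold uploads or plugin caches: executable code here is a red flag.
WRITABLE_DIRS = ("wp-content/uploads/", "wp-content/cache/", "wp-content/w3tc/")
CODE_EXT = (".php", ".phtml", ".php5", ".phar")


def is_core(rel: str) -> bool:
    """wp-admin/, wp-includes/ and top-level core files; wp-config.php is site-specific."""
    return rel.startswith(CORE_DIRS) or ("/" not in rel and rel != "wp-config.php")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash the core files of a known-clean tree."""
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if is_core(rel):
                out[rel] = sha256_file(p)
    return out


def audit(root: Path, manifest: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (relative path, reason) for every suspicious file, sorted by path."""
    findings, seen = [], set()
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if is_core(rel):
            seen.add(rel)
            expected = manifest.get(rel)
            if expected is None:
                findings.append((rel, "not in manifest"))       # e.g. a dropped l10n.js
            elif sha256_file(p) != expected:
                findings.append((rel, "modified"))              # e.g. a patched update.php
        elif rel.startswith(WRITABLE_DIRS):
            if rel.endswith(CODE_EXT):
                findings.append((rel, "php in writable dir"))   # TimThumb cache upload
            elif rel.endswith(".js"):
                findings.append((rel, "script in writable dir"))
    for rel in manifest:
        if rel not in seen:
            findings.append((rel, "missing"))
    return sorted(findings)


def write(root: Path, rel: str, text: str) -> None:
    p = root / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: manifest from a clean tree, then plant the changes
    described in the posts above (placeholders, not real malicious code) and audit."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        write(root, "wp-settings.php", "<?php // core bootstrap\n")
        write(root, "wp-config.php", "<?php define('DB_NAME', 'site');\n")
        write(root, "wp-admin/includes/update.php", "<?php function wp_update_core() { /* clean */ }\n")
        write(root, "wp-includes/js/jquery.js", "/* jquery */\n")
        write(root, "wp-content/uploads/2011/photo.jpg", "not really a jpeg")
        manifest = build_manifest(root)

        write(root, "wp-admin/includes/update.php",
              "<?php function wp_update_core() { /* clean */ } /* injected reinfection hook */\n")
        write(root, "wp-settings.php", "<?php // core bootstrap\n/* injected */\n")
        write(root, "wp-includes/js/l10n.js", "/* dropped redirect script */")
        write(root, "wp-content/w3tc/min/a12ed303.925433.js", "/* dropped redirect script */")
        write(root, "wp-content/uploads/2011/cache/thumb.php", "<?php /* dropped shell placeholder */")
        return audit(root, manifest)


if __name__ == "__main__":
    for rel, why in demo():
        print(f"{why:22} {rel}")
```

In an SVN checkout, `svn status` gives the same two signals directly: `M` for a core file whose contents changed and `?` for a file the repository does not know about. WP-CLI's `wp core verify-checksums` covers the core-file half against the official checksums for the installed version; the writable-directory half still has to be checked separately, which is what the `WRITABLE_DIRS` branch above does.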


50,000 WordPress Sites infected with spam

The attack works by contacting a remote domain to fetch a list of links to display on the compromised sites. That domain has been down for the last few days, so every compromised site now shows an error in place of the spam links. Most of the hacked sites were running outdated versions of WordPress.

Infected sites show the following message in the footer:
Warning: file_get_contents( 47509328/p.php?host=… failed to open stream: php_network_getaddresses: getaddrinfo failed: Name or service not known in ..

WordPress Photoracer Plugin Vulnerable to XSS and SQL Injection

A hacker known as "Pr0T3cT10n" found multiple vulnerabilities in the WordPress Photoracer plugin. The plugin is vulnerable to XSS (cross-site scripting) and SQLi (SQL injection); tested on WordPress 3.2 Hebrew with Photoracer 1.0.


Update: the plugin appears to have been removed from the WordPress plugin directory.