February 12, 2014 By Dancho Danchev

Malicious campaign relies on rogue WordPress sites, leads to client-side exploits through the Magnitude exploit kit

In a cybercrime ecosystem populated by commercially available WordPress brute-forcing tools and mass scanners for vulnerable WordPress installations, cybercriminals continue to capitalize on the platform's leading market share among content management systems. Tens of thousands of installations are successfully exploited every day so that their legitimate infrastructure can be reused to achieve fraudulent or malicious campaign objectives. The tactic is also driven by the over-supply of compromised accounting data (stolen credentials), which is usually embedded within sophisticated Web-based attack platforms like the ones we've profiled in the past.

We've recently intercepted a malicious campaign that relies exclusively on rogue WordPress sites, ultimately serving client-side exploits to users through the Magnitude Web malware exploitation kit. Its proliferation is still relatively low, which suggests the campaign is in its early stages, but it exposes a fraudulent infrastructure built on pseudo-randomly generated sub-domains that is worth keeping an eye on.

Sample rogue WordPress sites participating in the campaign:
hxxp://glinkinart.com/wp-includes/class-wp-ajax.php
hxxp://nextgenerationvcf.com/wp-includes/class-wp-ajax.php
hxxp://gilesbytitle.com/wp-includes/class-wp-ajax.php
hxxp://webclaritydev1.com/wp-includes/class-wp-ajax.php
hxxp://studyithere.com/wp-includes/class-wp-ajax.php
hxxp://virtualpmllc.com/wp-includes/class-wp-ajax.php
hxxp://caretubedin.com/wp-includes/class-wp-ajax.php
hxxp://asiandredgecon.com/wp-includes/class-wp-ajax.php
hxxp://allurearquitetura.com/wp-includes/class-wp-ajax.php
hxxp://fallinshadow.com/wp-includes/class-wp-ajax.php
hxxp://best-luxury-escapes.com/wp-includes/class-wp-ajax.php
hxxp://drmpeter.com/wp-includes/class-wp-ajax.php
hxxp://paradigm-markets.com/wp-includes/class-wp-ajax.php
hxxp://balancekw.com/wp-includes/class-wp-ajax.php
hxxp://web-wide-banners.com/wp-includes/class-wp-ajax.php
hxxp://torgtov.com/wp-includes/class-wp-ajax.php
hxxp://theglossproject.com/wp-includes/class-wp-ajax.php
hxxp://sedonawildflowerinn.com/wp-includes/class-wp-ajax.php
hxxp://topmedigap.com/wp-includes/class-wp-ajax.php
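Every rogue page above lives at wp-includes/class-wp-ajax.php, a filename styled after core (WordPress core ships wp-includes/class-wp-ajax-response.php, not class-wp-ajax.php). On a site you administer, the quickest way to spot such a file is to compare the install against the per-release core checksum manifest that api.wordpress.org publishes, which is the check WP-CLI's `wp core verify-checksums` performs. The script below is an added example, not code from the original post or from Webroot. Its manifest is a constructed stub derived from a few made-up core files so that it runs offline, and the temporary install it builds is likewise constructed: one rogue file at the campaign's path, one core file with a line appended, and a legitimate wp-config.php and plugin file that must not be reported.

```python
"""Compare a WordPress install against a core file manifest and report
files that core does not account for. Added example, not from the post.
"""
import hashlib
import os
import tempfile

# Constructed stand-in for core: a few files and their "known good" bodies.
# The MD5 manifest is derived from these so the example runs offline. For a
# real install, replace CORE_CHECKSUMS with the "checksums" object returned by
# https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=en_US
CORE_CONTENT = {
    "index.php": b"<?php\nrequire './wp-blog-header.php';\n",
    "wp-admin/admin-ajax.php": b"<?php\ndefine('DOING_AJAX', true);\n",
    "wp-includes/version.php": b"<?php\n$wp_version = '3.8.1';\n",
    "wp-includes/class-wp-ajax-response.php": b"<?php\nclass WP_Ajax_Response {}\n",
}
CORE_CHECKSUMS = {rel: hashlib.md5(body).hexdigest() for rel, body in CORE_CONTENT.items()}

# Files a site legitimately has that are not in any core manifest.
EXPECTED_NON_CORE = {"wp-config.php", ".htaccess"}


def md5_file(path):
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_install(root, checksums=CORE_CHECKSUMS):
    """Return {'unknown': [...], 'modified': [...], 'missing': [...]}.

    'unknown' is the bucket that catches this campaign: a PHP file under
    wp-includes/ that no release of core ever shipped.
    """
    unknown, modified = [], []
    for dirpath, dirnames, files in os.walk(root):
        # wp-content/ holds plugins, themes and uploads, none of which are in
        # the core manifest; prune it rather than report every file as unknown.
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d != "wp-content"]
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel in EXPECTED_NON_CORE:
                continue
            if rel not in checksums:
                unknown.append(rel)
            elif md5_file(full) != checksums[rel]:
                modified.append(rel)
    missing = [rel for rel in checksums if not os.path.isfile(os.path.join(root, rel))]
    return {"unknown": sorted(unknown), "modified": sorted(modified), "missing": sorted(missing)}


def build_sample_install(root):
    """Write a constructed install under root: clean core plus what we want to catch."""
    def write(rel, body, mode="wb"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, mode) as fh:
            fh.write(body)

    for rel, body in CORE_CONTENT.items():
        write(rel, body)
    # Rogue file at the path the campaign used; the body is an inert placeholder.
    write("wp-includes/class-wp-ajax.php", b"<?php /* constructed placeholder, not the real redirector */\n")
    # A core file with a line appended, as a backdoored core file would look.
    write("wp-includes/version.php", b"// appended by attacker (constructed)\n", mode="ab")
    # Legitimate non-core files that must not be reported.
    write("wp-config.php", b"<?php define('DB_NAME', 'wp');\n")
    write("wp-content/plugins/akismet/akismet.php", b"<?php // plugin, not core\n")


def run_demo():
    """Build the constructed install in a temp dir and verify it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_install(root)
        return verify_install(root)


if __name__ == "__main__":
    for bucket, paths in run_demo().items():
        print(f"{bucket:9s} {paths}")
```

Two caveats for real use: fetch the manifest over HTTPS for the exact version and locale reported by wp-includes/version.php, since a manifest for another release will flag every changed core file; and treat wp-content/ separately (plugin and theme files are not in the core manifest, so a rogue file dropped there needs a per-plugin checksum or a file-integrity baseline instead). MD5 is adequate here because the manifest is trusted and the goal is change detection, not collision resistance.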

Sample exploitation chain:
hxxp://glinkinart.com/wp-includes/class-wp-ajax.php ->
hxxp://faq-seo.ru/1/a (109.236.87.219) ->
hxxp://huatongchuye.com/lang/en/pay/apay.php (128.134.244.74) ->
hxxp://ad54.feb5.e12.b1.40ce76b.15d.4b23cc.392.sjtfonaoavll.blowfaster.pw ->
hxxp://190.162.183.78:33816/11957/0pyvniriz/index.php

Sample pseudo-randomly generated sub-domains, currently parked at 184.172.109.156, 184.172.109.157 and 66.55.157.197:
hxxp://ad54.feb5.e12.b1.40ce76b.15d.4b23cc.392.sjtfonaoavll.blowfaster.pw
hxxp://19d5.5c5ce0.d91.b32d89b.a1f7.764ca4.d0.aazwmkkekfgm.blowfaster.pw
hxxp://a38363.5f612.76.5245.1b062b8.4b.eb367.c.cakfcdhymp.remainsfilled.pw
hxxp://925164.77.2944.790b6ca.54b9.76e8.d5.b8f.cnsmjkyrjlv.eyesproperties.pw/
hxxp://86c9.b6.4b52b.78.1deb.68.1914308.fdc6c7.myugnpbtpcfq.settledevices.pw
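The sub-domains above share a recognizable shape: a run of short hexadecimal labels, then one random alphabetic label, then a throwaway .pw domain. That shape is something a DNS or proxy log filter can key on before the individual domains are known, and grouping hits by base domain gives the pivot (blowfaster.pw, remainsfilled.pw, and so on) to correlate with the parking IPs. The Python below is an added example, not detection logic from the original post or from Webroot. The DNS query log it scans is constructed: the five flagged names are the sample sub-domains listed above, the other entries are earlier hops from the exploitation chain and benign names the heuristic must leave alone. The thresholds are assumptions drawn from those five samples.

```python
"""Flag hostnames built from a long run of short hex labels, as the gate
sub-domains in this campaign are, and pivot on the base domain behind them.
Added example, not detection logic from the post or from Webroot.
"""
import re
from collections import Counter

HEX_LABEL = re.compile(r"^[0-9a-f]{1,8}$")
# Thresholds are assumptions picked from the five sample hostnames in the post
# (each has seven or eight leading hex labels and ten or more labels in total).
MIN_HEX_LABELS = 5
MIN_LABELS = 8

# Constructed DNS query log: "<timestamp> <client> <qtype> <qname>". The five
# flagged qnames are the sample sub-domains from the post; the rest are benign
# or other hops in the chain that the heuristic must leave alone.
SAMPLE_DNS_LOG = [
    "2014-02-12T10:00:01Z 10.0.0.5 A glinkinart.com",
    "2014-02-12T10:00:02Z 10.0.0.5 A faq-seo.ru",
    "2014-02-12T10:00:03Z 10.0.0.5 A huatongchuye.com",
    "2014-02-12T10:00:04Z 10.0.0.5 A ad54.feb5.e12.b1.40ce76b.15d.4b23cc.392.sjtfonaoavll.blowfaster.pw",
    "2014-02-12T10:00:09Z 10.0.0.7 A 19d5.5c5ce0.d91.b32d89b.a1f7.764ca4.d0.aazwmkkekfgm.blowfaster.pw",
    "2014-02-12T10:00:15Z 10.0.0.9 A a38363.5f612.76.5245.1b062b8.4b.eb367.c.cakfcdhymp.remainsfilled.pw",
    "2014-02-12T10:00:21Z 10.0.0.9 A 925164.77.2944.790b6ca.54b9.76e8.d5.b8f.cnsmjkyrjlv.eyesproperties.pw",
    "2014-02-12T10:00:30Z 10.0.0.12 A 86c9.b6.4b52b.78.1deb.68.1914308.fdc6c7.myugnpbtpcfq.settledevices.pw",
    "2014-02-12T10:00:31Z 10.0.0.12 A deadbeef.cdn.example.com",
    "2014-02-12T10:00:32Z 10.0.0.12 A img.static.assets.us-east-1.example.com",
    "2014-02-12T10:00:33Z 10.0.0.12 PTR 78.183.162.190.in-addr.arpa",
    "2014-02-12T10:00:34Z 10.0.0.12 PTR " + ".".join("0" * 32) + ".ip6.arpa",
]


def leading_hex_labels(host):
    """Number of consecutive short hex-only labels counting from the left."""
    count = 0
    for label in host.lower().rstrip(".").split("."):
        if not HEX_LABEL.match(label):
            break
        count += 1
    return count


def is_generated_chain(host):
    host = host.lower().rstrip(".")
    # Reverse-lookup names are legitimately made of hex/numeric labels (an
    # ip6.arpa name is 32 single nibbles), so exclude them explicitly.
    if host.endswith((".in-addr.arpa", ".ip6.arpa")):
        return False
    labels = host.split(".")
    return len(labels) >= MIN_LABELS and leading_hex_labels(host) >= MIN_HEX_LABELS


def base_domain(host):
    # Assumes a single-label public suffix (.pw, .com). Production code should
    # use the Public Suffix List so names under e.g. .co.uk are not truncated.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def triage(log_lines):
    """Return a Counter of base domains behind flagged qnames, for pivoting."""
    hits = Counter()
    for line in log_lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        qname = fields[3]
        if is_generated_chain(qname):
            hits[base_domain(qname)] += 1
    return hits


if __name__ == "__main__":
    for domain, n in triage(SAMPLE_DNS_LOG).most_common():
        print(f"{n:3d}  {domain}")
```

The hex-run shape is a heuristic, not a signature: it will miss a variant that switches to alphanumeric labels, and it needs the reverse-lookup exclusion shown above to avoid flooding on PTR traffic. Treat a hit as a lead to correlate with the base domain and the parking IPs given in the post, not as a verdict on its own.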

Related domains known to have responded to 109.236.87.219 in the past:
ns3.regdom.name
ns4.regdom.name
faq-seo.ru
nextgenasic.com
masterperevodov.ru
51region.net
adelante-tour.com
advokati24.ru
20asicminersoft.com
atakent.ru
bazagibdd.com
boxinghit.ru
canfamilypharmacy.com
ci.gmfcloan.com
filmgadaika.ru
forumcnc.ru
freetraffcounter.com
gta5new.info
hardwarez.in
hd720pfilm.ru
hyiper.in
jomlajavascript.ru
jqueryjsscript.ru
login-odnoklassniki.ru

Related domains known to have responded to 128.134.244.74 in the past:
bigfish.im
huatongchuye.com
qinghuo.net
quanxiejiu.com
rsjy.org

Detection rate for a sample exploit:
MD5: 03c9f22080a3f8cfbfc80d78483c1e21 – detected by 4 out of 45 antivirus scanners as HEUR:Exploit.Java.Generic

Webroot SecureAnywhere users are proactively protected from these threats.
