More bad WordPress, campaign switches from Nuclear EK to Angler EK
A Malwarebytes researcher spotted a malvertising campaign aimed at WordPress switching its malicious payload and URL pattern.
An ongoing malvertising attack that has been injecting malware into WordPress sites has now switched its malicious payload from a Nuclear exploit kit (EK) to an Angler EK.
Researcher Jerome Segura said in a Wednesday Malwarebytes blog post that the payload switch occurred around Feb. 4 and that the campaign has also switched its URL pattern from “admedia” to “megaadvertize.”
To evade honeypots and to ensure the malware hits its intended target, the malicious URL fingerprints the user's machine to check whether it is running the Internet Explorer browser and using a screen resolution greater than 800×600, the post said.
In one instance, Segura witnessed the malicious payload drop the TeslaCrypt ransomware.