More bad WordPress, campaign switches from Nuclear EK to Angler EK

A Malwarebytes researcher spotted a malvertising campaign aimed at WordPress switching its malicious payload and URL pattern.

An ongoing malvertising attack that has been injecting malware into WordPress sites has now switched its malicious payload from a Nuclear exploit kit (EK) to an Angler EK.

Researcher Jerome Segura said in a Wednesday Malwarebytes blog post that the payload switch occurred around Feb. 4 and that the campaign has also switched its URL pattern from “admedia” to “megaadvertize.”

To evade honeypots and to ensure the malware hits its intended target, the malicious URL fingerprints the user's machine to check whether it is running the Internet Explorer browser and using a screen resolution greater than 800×600, the post said.

In one instance, Segura witnessed the malicious payload drop the TeslaCrypt ransomware.

Earlier this month, researchers noticed a spike in the number of compromised sites that were injected with malicious code attached to the end of legitimate JavaScript files. 
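A defender-side triage check for the URL patterns and browser gate described above, added here as an example and not taken from the Malwarebytes post: it scans proxy log lines for the two patterns and marks hits that came from Internet Explorer clients. The log format, the sample lines, the function names and the whole-token match are assumptions.

```python
import re
from urllib.parse import urlsplit

# URL patterns named in the article. Where they sit in the URL is not stated,
# so matching them as whole tokens anywhere in host/path/query is an assumption.
CAMPAIGN_PATTERNS = ("admedia", "megaadvertize")

# Constructed proxy log lines (hypothetical format: time client "METHOD url" "user-agent").
SAMPLE_LOG = """\
2016-02-05T10:01:12Z 10.0.0.21 "GET http://ads.example.net/megaadvertize/?id=1" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2016-02-05T10:02:40Z 10.0.0.34 "GET http://cdn.example.org/jquery.min.js" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"
2016-02-01T09:15:03Z 10.0.0.55 "GET http://track.example.com/admedia/?kw=x" "Mozilla/5.0 (X11; Linux x86_64) Firefox/44.0"
2016-02-05T10:03:00Z 10.0.0.21 "GET http://blog.example.com/badmediation.html" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
malformed line
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" "([^"]*)"$')


def is_internet_explorer(user_agent):
    # Classic IE sends "MSIE "; IE 11 sends "Trident/" without "MSIE".
    return "MSIE " in user_agent or "Trident/" in user_agent


def find_campaign_hits(log_text):
    """Return one dict per request whose URL contains a campaign pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, client, _method, url, ua = m.groups()
        parts = urlsplit(url)
        text = (parts.netloc + parts.path + "?" + parts.query).lower()
        # Whole-token comparison avoids substring noise such as "badmediation".
        tokens = set(re.split(r"[^a-z0-9]+", text))
        matched = [p for p in CAMPAIGN_PATTERNS if p in tokens]
        if matched:
            # The fingerprint only lets Internet Explorer through, so IE
            # clients are the ones to examine first.
            hits.append({"time": ts, "client": client, "pattern": matched[0],
                         "ie": is_internet_explorer(ua), "url": url})
    return hits


if __name__ == "__main__":
    for hit in find_campaign_hits(SAMPLE_LOG):
        print(hit)
```

A match is a lead for follow-up on the client, not proof of compromise.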
