More bad WordPress, campaign switches from Nuclear EK to Angler EK

February 18, 2016

An ongoing malvertising attack that has been injecting malware into WordPress sites has now switched its malicious payload from the Nuclear exploit kit (EK) to the Angler EK.

Researcher Jerome Segura said in a Wednesday Malwarebytes blog post that the payload switch occurred around Feb. 4 and that the campaign has also switched its URL pattern from “admedia” to “megaadvertize.”

To evade honeypots and to ensure the malware hits its intended target, the malicious URL fingerprints the user's machine to check whether it is running the Internet Explorer browser with a screen resolution greater than 800×600, the post said.

In one instance, Segura witnessed the malicious payload drop the TeslaCrypt ransomware.

Earlier this month, researchers noticed a spike in the number of compromised sites that were injected with malicious code attached to the end of legitimate JavaScript files. 
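For site owners checking their own installs, the following added example (not code from the article or from Malwarebytes) scans the tail of each JavaScript file under a site directory for the two URL pattern strings named above. The 4 KiB tail window, the function names and the sample files are assumptions made for illustration, and a string match is a heuristic that calls for manual review, not a signature.

```python
import os
import tempfile

# URL pattern strings named in the article; matching them is a heuristic only.
CAMPAIGN_MARKERS = (b"admedia", b"megaadvertize")
TAIL_BYTES = 4096  # assumption: appended code sits within the last 4 KiB


def scan_js_tail(path, tail_bytes=TAIL_BYTES):
    """Return the campaign markers found in the last tail_bytes of a file."""
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        fh.seek(max(0, size - tail_bytes))
        tail = fh.read().lower()
    return [m.decode() for m in CAMPAIGN_MARKERS if m in tail]


def scan_tree(root):
    """Walk a site directory and map each flagged .js file to its markers."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".js"):
                full = os.path.join(dirpath, name)
                found = scan_js_tail(full)
                if found:
                    hits[os.path.relpath(full, root)] = found
    return hits


def build_sample_site(root):
    """Constructed sample tree: one clean file, one with an appended block."""
    js_dir = os.path.join(root, "wp-includes", "js")
    os.makedirs(js_dir)
    clean = b"function menu(){return 1;}\n" * 300
    with open(os.path.join(js_dir, "clean.js"), "wb") as fh:
        fh.write(clean)
    # Constructed, inert stand-in; example.invalid is a placeholder host.
    appended = b"\nvar u='http://example.invalid/megaadvertize/?id=0';\n"
    with open(os.path.join(js_dir, "tampered.js"), "wb") as fh:
        fh.write(clean + appended)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as site:
        build_sample_site(site)
        for path, markers in sorted(scan_tree(site).items()):
            print(path, markers)
```

A flagged file should be compared against a known-good copy from the matching WordPress, theme or plugin release before anything is deleted.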
