More bad WordPress, campaign switches from Nuclear EK to Angler EK

An ongoing malvertising attack that has been injecting malware into WordPress sites has now switched its malicious payload from a Nuclear exploit kit (EK) to an Angler EK.

Researcher Jerome Segura said in a Wednesday Malwarebytes blog post that the payload switch occurred around Feb. 4 and that the campaign has also switched its URL pattern from “admedia” to “megaadvertize.”

To evade honeypots and to ensure the malware hits its intended target, the malicious URL fingerprints the user's machine to check whether it is running the Internet Explorer browser and using a screen resolution greater than 800×600, the post said.

In one instance, Segura witnessed the malicious payload drop the TeslaCrypt ransomware.

Earlier this month, researchers noticed a spike in the number of compromised sites that were injected with malicious code attached to the end of legitimate JavaScript files. 
