Incident Response, Malware, TDR

Compromised WordPress sites redirect visitors to Nuclear Exploit Kit

Thousands of websites – predominately WordPress websites – were compromised with malware code that ultimately redirects visitors to a landing page hosting the Nuclear Exploit Kit, according to Sucuri.

The security firm first began observing compromised websites on Sept. 7, but the daily infection rates were relatively low, a Friday post said. It was not until Tuesday that researchers saw daily infection rates soar into the thousands.

“The campaign is still going very strong and so far today we are seeing over 2,000 new [infected] sites,” Daniel Cid, CTO of Sucuri, told in a Friday email correspondence. “We assume the total number will be as high as yesterday when we finished the day – we identified over 7,000 sites yesterday.”

Cid said that the affected websites – 95 percent of which are WordPress websites – are likely being compromised by means of vulnerable plugins, but he did not have enough information to pinpoint specifically which plugins are being targeted.

“We are assuming they are using some of those pre-packaged exploit bundles and attempting every vulnerability they can to compromise the sites,” Cid said. “90 [percent] of the sites we investigated had at least one vulnerable plugin (or theme) that could allow for remote command execution.”

According to the post, Sucuri is referring to the threat as the VisitorTracker campaign due to the function name in the malware code that is added to all JavaScript files on the compromised websites.

The malware code “interacts with a secondary backdoor inside the site to force the browser to load a malicious iframe from one of their Nuclear Exploit Kit landing pages,” the post said, noting that the landing page domain changes very often.

Cid said the Nuclear Exploit Kit – which is typically used to infect vulnerable systems with malware – attempts to exploit vulnerabilities in a variety of products, including Flash, Java, QuickTime, and Adobe Reader.

“Out of all the sites we detected to be compromised, 17 [percent] of them already got blacklisted by Google and other popular blacklists,” the post said. “If you are a WordPress user, make sure you keep all your plugins updated, including premium ones.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.