Thousands of hacked sites infect visitors’ computers with malicious software

Thousands of sites hacked and infect visitors’ computers with malware

The other day it became known that a Hackers hacked several thousands of different sites by downloading malware to servers. It was done in order to infect the user PCs when they visited their compromised website. The hack campaign was carefully disguised, and was held at least a few months ago.

Most hacked sites are built on open seorse CMS as WordPress, Joomla and SquareSpace . Information about the incident was provided by the information security specialist Jerome Segura, from Malwarebytes. Hackers, he said, have done quite forethought. Infected sites showed visitors phishing messages about the need to install an update for Firefox, Chrome or Flash.

In order to avoid detection, each IP from which fake notifications were sent was used no more thanone time for one visitor. In addition, notification templates were downloaded to the server of hacked sites, so most of the data came from a “white” resource that was not entered into any of the phishing or otherwise dangerous addresses
Interestingly, those who agreed with the update and clicked on the message automatically became victims of a malicious JavaScript file that is downloaded from the DropBox. This scripting was later looking for presence of virtual machine or “sandbox” features, and if nothing was found, then the download of the final malware, the executable file, signed with a valid digital certificate began.

Such tactics yielded good results – not a lot of people were suspicious (we will not forget that most users are not specialists in information security at all), so the virus hit thousands of systems. And, by the way, the JavaScript file has been obfuscated, so its analysis by conventional methods is difficult. In addition to it, attackers used software such as Chlow’s bank malware and the affected version of NetSupport – it is generally a “white” application, which normally gives remote access to the user’s system.

Specialists from Malwarebytes could not determine exactly how many websites could compromise. Representatives of the company wrote a special spider script, which for certain signs “understood” the presence of infection and informed the creators about it. He, in particular, showed that hundreds of WordPress and Joomla sites are infected. You can also check for yourself on this simple request. There is an assumption that the campaign to spread the malware was launched no later than 20 December 2017. Attackers were able to infect resources whose servers or CMS were not updated.

The attack itself was very thought-out, and therefore attracted the attention of information security specialists. Attackers managed to deceive many security systems, which usually block this type of attack.