Compromised WordPress Sites Stealing Credentials with Keylogger

Introduction

WordPress compromises have become almost a mundane occurrence in the security industry. The ease and relative simplicity with which one can set up a WordPress instance, coupled with the multitude of available plugins, allows relatively inexperienced users to deploy a functional website quickly and with little hassle. Unfortunately, within this ever-growing library of plugins are many that - through neglect, incompetence, or both - fail to protect against various security threats. Exacerbating this issue are the thousands (millions?) of WordPress users who neglect to apply available security patches to the sites they administer. The result is the condition of the modern Internet that security researchers deal with daily: websites running WordPress compromised by malicious actors to serve victims malware, host phishing pages, redirect to exploit kits, and harvest credentials. While the frequency of these occurrences makes most of these campaigns seem mundane and unremarkable, occasionally we discover a noteworthy variation that warrants public attention and analysis.

WordPress Keylogger and Coin Miner

Several months ago, researchers discovered a WordPress infection campaign that injected a JavaScript keylogger into compromised sites’ pages, recording the keystrokes of both users and administrators. The injected scripts also launched cryptocurrency mining...

Top Exploit Kit Activity Roundup – Winter 2018

Overview: This is the seventh in a series of blogs collecting the recent activity of the current top exploit kits. Exploit kits are rapidly deployable software packages designed to leverage vulnerabilities in web browsers to deliver a malicious payload to a victim’s computer. Authors of exploit kits offer their services for sale, distributing malware for other malicious actors. Find our previous roundup here.

RIG Exploit Kit

RIG EK has maintained its position as the most active exploit kit, but the overall volume of RIG traffic was down over the fall quarter. In November, RIG activity declined significantly, and this trend continued throughout December. RIG continues to install ransomware, banking trojans, and cryptocurrency mining software on vulnerable systems.

Figure 1: RIG hits, September 2017 – December 2017

Figure 2: RIG heat map

Though still consistently active, the volume of RIG activity dropped significantly in November 2017. The global distribution of RIG activity has also changed since our last roundup. For the last quarter, virtually all observed RIG traffic has been within the United States, Russia, and Japan. This was unexpected, as previous analyses had shown an appreciable amount of activity in Europe, the rest of the Americas, and Southeast Asia. Among the number of concurrent RIG campaigns this year, the...

Top Exploit Kit Activity Roundup – Summer 2017

Overview: This is the third installment in a series of blogs highlighting the recent activity of the top exploit kits. Exploit kits (EKs) are rapidly deployable software packages designed to leverage vulnerabilities in web browsers to deliver a malicious payload to a victim’s computer. EK authors offer their services for sale, distributing malware for other malicious actors. In this blog, we will be looking at the most active EKs, including RIG, Magnitude, Terror, and the newest arrival - Disdain. You can read our roundup from spring 2017 here.

RIG Exploit Kit

RIG remains the most consistently active exploit kit, distributed over several simultaneous campaigns to install ransomware, banking trojans, and cryptocurrency mining software on vulnerable systems. In the latter part of spring, we saw a small decline in RIG activity; however, since then, we observed generally steady RIG traffic, with the exception of small spikes in June and August.

Figure 1: RIG hits, June 2017 – August 2017

Figure 2: RIG heat map, June 2017 – August 2017

The distribution of RIG hosts remains somewhat similar to previous reports, although the activity we observed in Southeast Asia and South America earlier this year was absent this quarter. In addition, the last three months show an increase in the RIG...