Ransomware scum add Joomla to their list

'Admedia' campaign decides the world of WordPress is not enough. Bwaha. Bwahahahaha!


The Internet Storm Center (ISC) has spotted 'admedia attacks' breaking out of their original WordPress vectors.

In a post late last week, written by Brad Duncan, the ISC reported that “the group behind the WordPress 'admedia' campaign” is now attacking Joomla-hosted sites.

The other evolution in the campaign, Duncan notes, is the exploit kit it delivers: when first noticed at the beginning of this month it was mostly dropping the Nuclear exploit kit on target sites, and it has now added Angler.

Duncan, who is also a security researcher at Rackspace, notes that the attackers have started using “megaadvertize” in their gateway URLs (instead of “admedia”, as was used when the attack was first spotted).

The technique, however, stays the same: the target site is compromised to generate hidden iframes in visitors' browsers, and the malicious URLs act as a “gate between the compromised Website and the EK [exploit kit – The Register] server”.

The overall traffic chain is likewise unchanged. For example, in one infection Duncan documented:

  • 178.62.122.211 - img.belayamorda.info - admedia gate
  • 185.46.11.113 - ssd.summerspellman.com - Angler EK
  • 192.185.39.64 - clothdiapersexpert.com - TeslaCrypt callback traffic

As before, Duncan writes, a script injection was the initial attack, with the JavaScript files from the compromised site carrying appended malicious scripts. From there it's a short walk to ransomware hell. ®
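As an added example (not code from the ISC post or from The Register), the following Python correlates the three hostnames listed above against a constructed proxy log, reporting which clients walked the whole gate → Angler → TeslaCrypt-callback chain and which only touched the gate. The log format, the compromised-site hostname and the request paths are assumptions for the sample.

```python
import re
from collections import defaultdict

# Stage markers taken from the traffic example quoted in the article.
STAGE_OF_HOST = {
    "img.belayamorda.info": "gate",
    "ssd.summerspellman.com": "angler_ek",
    "clothdiapersexpert.com": "teslacrypt_callback",
}
CHAIN = ["gate", "angler_ek", "teslacrypt_callback"]

# Assumed log format (constructed for this example): "<timestamp> <client_ip> <host> <method> <path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+)$")

# Constructed sample proxy log: 10.0.0.5 walks the whole chain, 10.0.0.9 only reaches the gate.
# The site name and paths are placeholders, not indicators from the write-up.
SAMPLE_LOG = """\
2016-02-19T10:00:01 10.0.0.5 www.compromised-site.example GET /js/site.js
2016-02-19T10:00:02 10.0.0.5 img.belayamorda.info GET /megaadvertize/placeholder
2016-02-19T10:00:04 10.0.0.5 ssd.summerspellman.com GET /landing/placeholder
2016-02-19T10:00:31 10.0.0.5 clothdiapersexpert.com POST /callback/placeholder
2016-02-19T10:05:10 10.0.0.9 www.compromised-site.example GET /js/site.js
2016-02-19T10:05:11 10.0.0.9 img.belayamorda.info GET /megaadvertize/placeholder
"""

def stages_per_client(log_text):
    """Map each client IP to the ordered list of chain stages it reached (first sighting only)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        stage = STAGE_OF_HOST.get(m.group("host").lower())
        if stage and stage not in seen[m.group("client")]:
            seen[m.group("client")].append(stage)
    return dict(seen)

def classify(stages):
    """'full_chain' if gate -> EK -> callback were seen in order, 'partial' if any stage, else 'clean'."""
    if not stages:
        return "clean"
    if [CHAIN.index(s) for s in stages] == list(range(len(CHAIN))):
        return "full_chain"
    return "partial"

def triage(log_text):
    """Verdict per client that touched at least one stage of the chain."""
    return {client: classify(st) for client, st in stages_per_client(log_text).items()}

if __name__ == "__main__":
    for client, verdict in triage(SAMPLE_LOG).items():
        print(client, verdict)
```

A client marked "full_chain" has most likely already been handed the ransomware; a "partial" client is a candidate for checking whether the exploit kit landing page was blocked or simply not logged.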


Biting the hand that feeds IT © 1998–2022