In a cybercrime ecosystem populated by commercially available WordPress brute-forcing and mass vulnerable WordPress installation scanning tools, cybercriminals continue actively capitalizing on the platform’s leading market share within the Content Management System’s market segment. Successfully exploiting tens of thousands of installations on a daily basis, for the purpose of utilizing the legitimate infrastructure to achieve their fraudulent/malicious campaign objectives, the tactic is also largely driven by the over-supply of compromised/accounting data, usually embedded within sophisticated Web-based attack platforms like the ones we’ve profiled in the past.
We’ve recently intercepted a malicious campaign exclusively relying on rogue WordPress sites, ultimately serving client-side exploits to users through the Magnitude Web malware exploitation kit. Despite its relatively low profile in terms of proliferation — we believe the campaign is in its early stages — it exposes a pseudo-randomly generated sub-domains based fraudulent infrastructure that is worth keeping an eye on.
Sample rogue WordPress sites participating in the campaign:
hxxp://glinkinart.com/wp-includes/class-wp-ajax.php
hxxp://nextgenerationvcf.com/wp-includes/class-wp-ajax.php
hxxp://gilesbytitle.com/wp-includes/class-wp-ajax.php
hxxp://webclaritydev1.com/wp-includes/class-wp-ajax.php
hxxp://studyithere.com/wp-includes/class-wp-ajax.php
hxxp://virtualpmllc.com/wp-includes/class-wp-ajax.php
hxxp://caretubedin.com/wp-includes/class-wp-ajax.php
hxxp://asiandredgecon.com/wp-includes/class-wp-ajax.php
hxxp://allurearquitetura.com/wp-includes/class-wp-ajax.php
hxxp://fallinshadow.com/wp-includes/class-wp-ajax.php
hxxp://best-luxury-escapes.com/wp-includes/class-wp-ajax.php
hxxp://drmpeter.com/wp-includes/class-wp-ajax.php
hxxp://webclaritydev1.com/wp-includes/class-wp-ajax.php
hxxp://paradigm-markets.com/wp-includes/class-wp-ajax.php
hxxp://balancekw.com/wp-includes/class-wp-ajax.php
hxxp://web-wide-banners.com/wp-includes/class-wp-ajax.php
hxxp://torgtov.com/wp-includes/class-wp-ajax.php
hxxp://theglossproject.com/wp-includes/class-wp-ajax.php
hxxp://sedonawildflowerinn.com/wp-includes/class-wp-ajax.php
hxxp://webclaritydev1.com/wp-includes/class-wp-ajax.php
hxxp://theglossproject.com/wp-includes/class-wp-ajax.php
hxxp://sedonawildflowerinn.com/wp-includes/class-wp-ajax.php
hxxp://glinkinart.com/wp-includes/class-wp-ajax.php
hxxp://topmedigap.com/wp-includes/class-wp-ajax.php
hxxp://torgtov.com/wp-includes/class-wp-ajax.php
Sample exploitation chain: hxxp://glinkinart.com/wp-includes/class-wp-ajax.php -> hxxp://faq-seo.ru/1/a (109.236.87.219) -> hxxp://huatongchuye.com/lang/en/pay/apay.php (128.134.244.74) -> hxxp://ad54.feb5.e12.b1.40ce76b.15d.4b23cc.392.sjtfonaoavll.blowfaster.pw -> hxxp://190.162.183.78:33816/11957/0pyvniriz/index.php
Sample pseudo-randomly generated sub-domains, currently parked within 184.172.109.156; 184.172.109.157 and 66.55.157.197:
hxxp://ad54.feb5.e12.b1.40ce76b.15d.4b23cc.392.sjtfonaoavll.blowfaster.pw
hxxp://19d5.5c5ce0.d91.b32d89b.a1f7.764ca4.d0.aazwmkkekfgm.blowfaster.pw
hxxp://a38363.5f612.76.5245.1b062b8.4b.eb367.c.cakfcdhymp.remainsfilled.pw
hxxp://925164.77.2944.790b6ca.54b9.76e8.d5.b8f.cnsmjkyrjlv.eyesproperties.pw/
hxxp://86c9.b6.4b52b.78.1deb.68.1914308.fdc6c7.myugnpbtpcfq.settledevices.pw
Related domains known to have responded to 109.236.87.219 in the past:
ns3.regdom.name
ns4.regdom.name
faq-seo.ru
nextgenasic.com
masterperevodov.ru
51region.net
adelante-tour.com
advokati24.ru
20asicminersoft.com
atakent.ru
bazagibdd.com
boxinghit.ru
canfamilypharmacy.com
ci.gmfcloan.com
faq-seo.ru
filmgadaika.ru
forumcnc.ru
freetraffcounter.com
gta5new.info
hardwarez.in
hd720pfilm.ru
hyiper.in
jomlajavascript.ru
jqueryjsscript.ru
login-odnoklassniki.ru
Related domains known to have responded to 128.134.244.74 in the past:
bigfish.im
huatongchuye.com
qinghuo.net
quanxiejiu.com
rsjy.org
huatongchuye.com
Detection rate for a sample exploit:
MD5: 03c9f22080a3f8cfbfc80d78483c1e21 – detected by 4 out of 45 antivirus scanners as HEUR:Exploit.Java.Generic
Webroot SecureAnywhere users are proactively protected from these threats.
What’s up, I check your blogs daily. Your humoristic style is awesome, keepdoing what you’re doing!
Thanks for sharing, this is a fantastic blog post.Thanks Again. Awesome.