A group of hackers identified by Dr.Web is actively compromising WordPress sites to drop malware and steal sensitive information. This in-the-wild attack selects victims by geographical location and browser preference, then redirects them to download a fake Chrome update that compromises the system further.
The group behind these attacks was previously involved in spreading fake VSDC video editor installers; this time it is gaining access to the admin panel directly. Dr.Web reports that these attacks have been active for a long time and form an infection chain: vulnerable WordPress users are first lured into downloading a fake security update, which creates a backdoor for dropping malware. Here is how it goes:
First, WordPress users are targeted based on their location and browser preferences: the intended victims are Chrome users from the USA, Canada, Australia, Great Britain, Israel, and Turkey. Attackers send phishing emails that persuade users to download a fake security update, which is actually a malicious installer. When run, this installer creates a folder in the %userappdata% directory containing files for the TeamViewer remote control application, and also unpacks two password-protected SFX archives.
The purpose of these two archives is to drop a malicious msi.dll library and to evade detection. The malicious library allows the attacker to make unauthorized connections, and a batch file launches Google.com's start page. The second archive contains a script that bypasses Windows Defender so the attacker's process can run undisturbed. The TeamViewer files mentioned above serve to hide the attacker's traffic behind a legitimate application's files.
Finally, the backdoor created by the attackers is used for further exploitation: dropping X-Key loggers to capture and export keystrokes, an RDP trojan for remote control of the site, and Predator malware for stealing credentials. Users are advised to obtain updates only from legitimate sources to avoid such attacks; if a site does become infected, visitors who submit any details to it are also at risk later.