Outdated WordPress Sites Used to Deliver Teslacrypt Ransomware


Heimdal Security researchers have observed a new ransomware campaign that utilizes the Neutrino exploit kit to deliver Teslacrypt ransomware to victims via websites running older versions of the WordPress CMS.

Researchers also don’t rule out that the attack is carried out via other content management systems (CMSs) or outdated CMS plugins, but most of the observed instances used older WordPress versions.

According to the Heimdal research, attackers would first use known security holes in these outdated WordPress sites (or plugins) to compromise the system, and then inject malicious scripts into the site’s source code.


Neutrino exploit kit used together with the Teslacrypt ransomware

These scripts would redirect users to Web domains where instances of the Neutrino exploit kit were hosted.

The kit would then deploy the weapons in its arsenal, leveraging security bugs in software like Adobe Flash Player, Adobe Reader, or Internet Explorer to infect victims with a variant of the Teslacrypt ransomware.

Based on the Heimdal investigation, the thedancingbutterfly.com domain was used to store the malicious injected scripts, which would then redirect users to nkzppqzzzumhoap.ml, where the exploit kit was hosted.

The last domain is hosted in the Netherlands, on the servers of a Web hosting company that is known to have previously hosted other similar malicious campaigns.
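The injection pattern described above (an off-site script tag planted in the site, which then redirects visitors to the exploit-kit host) is something a site owner can look for. The following is an added defender-side example, not code from the Heimdal report: a small scanner that walks a WordPress document root, extracts off-site script/iframe sources and JavaScript location redirects, and matches them against the two domains named above. The sample page content, the redirect snippet, and the site name example-blog.dk are constructed for illustration.

```python
import re
from pathlib import Path

# Domains named in the report above: the script host and the exploit-kit landing domain.
KNOWN_BAD_DOMAINS = {"thedancingbutterfly.com", "nkzppqzzzumhoap.ml"}

# Off-site targets of <script>/<iframe src=...> and of JavaScript location redirects.
_EXTERNAL_REF = re.compile(
    r"""<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)"""
    r"""|(?:[\w.]+\.)?location(?:\.href)?\s*=\s*["'](?:https?:)?//([^/"'\s]+)""",
    re.IGNORECASE,
)

def external_hosts(text):
    """Hostnames referenced from a page or script, lowercased, without paths or ports."""
    return {(m.group(1) or m.group(2)).lower().split(":")[0]
            for m in _EXTERNAL_REF.finditer(text)}

def _under(host, domain):
    return host == domain or host.endswith("." + domain)

def scan_text(text, site_domain):
    """Split references into (known indicators, other off-site hosts worth a look)."""
    hosts = external_hosts(text)
    known = {h for h in hosts if any(_under(h, d) for d in KNOWN_BAD_DOMAINS)}
    unknown = {h for h in hosts - known if not _under(h, site_domain)}
    return known, unknown

def scan_site(root, site_domain, suffixes=(".php", ".html", ".js")):
    """Walk a WordPress document root and report files referencing off-site hosts."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            known, unknown = scan_text(path.read_text(errors="replace"), site_domain)
            if known or unknown:
                report[str(path)] = (known, unknown)
    return report

# Constructed sample: a theme footer with one injected tag among legitimate includes.
SAMPLE_FOOTER = """
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://example-blog.dk/wp-content/themes/site/main.js"></script>
<script type="text/javascript" src="//thedancingbutterfly.com/stat.js"></script>
</body></html>
"""

# Constructed sample: what the fetched off-site script might do next (a redirect).
SAMPLE_REDIRECT = 'document.location.href = "http://nkzppqzzzumhoap.ml/";'
```

Run `scan_site("/var/www/html", "your-site.example")` against a copy of the document root; anything in the "unknown" set is not proof of compromise, only a list of off-site hosts to verify against the theme and plugins actually installed.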

In some cases, Teslacrypt downloads an infostealer as well

Once on the user’s computer, the Teslacrypt ransomware does what ransomware does best: it locks the user out of various files and then leaves a .txt and an .html file on the user’s desktop explaining the steps to take to regain access to the files.

In some cases, researchers also observed that the ransomware, besides encrypting files, also downloaded a Pony-based infostealer from the light-tech.pl domain.

Most of the infected WordPress domains belong to Danish-based websites, Heimdal’s Andra Zaharia reports.

Two weeks ago, a similar campaign using WordPress sites and the Neutrino exploit kit was detected delivering the CryptoWall ransomware.