
The other day it became known that a group of attackers had compromised several thousand different websites by uploading malware to their servers. The goal is to infect the PCs of users who visit a compromised resource. The hacks did not happen yesterday: the campaign was carefully camouflaged and has been running for at least a few months.
Sites running CMSs such as WordPress, Joomla and SquareSpace were hit most often. Information about the incident was provided by information security specialist Jerome Segura of Malwarebytes. According to him, the hackers acted quite prudently: infected sites showed visitors a message saying they needed to install an update for Firefox, Chrome or Flash.
To avoid detection, each IP address from which the fake notifications were served was used no more than once per visitor. In addition, the notification templates were uploaded to the servers of the hacked sites themselves, so most of the content came from a “clean” resource that was not listed in any phishing database or other blacklist of dangerous addresses.
Interestingly, those who agreed to the “update” and clicked the message received a malicious JavaScript file downloaded from Dropbox. The script checked for signs of a virtual machine or sandbox, and if it found none, it downloaded the final payload: an executable file signed with a valid digital certificate.
These tactics worked well: the notification looked unsuspicious to most people (let's not forget that the majority of users are not information security specialists at all), so the malware infected thousands of systems. The JavaScript file was also obfuscated, which makes its analysis by conventional methods difficult. Alongside it, the attackers used the Chthonic banking malware and an embedded copy of NetSupport, which in itself is a legitimate application that normally provides remote access to a user's system.
This is how the browser “update” process looked.

Experts from Malwarebytes could not determine exactly how many websites the attackers had managed to compromise. The company's representatives wrote a special spider script that recognised the presence of the infection by certain signs and reported it back to its creators. In particular, it showed that hundreds of WordPress and Joomla websites are infected. You can check for yourself with this simple query. The campaign to spread the malware is assumed to have been launched no later than December 20 of last year. The attackers were able to infect resources whose servers or CMS had not been updated.
The attack itself was very well thought out, which is why it attracted the attention of information security experts. The attackers managed to fool many protection systems that usually block this kind of attack.
By the way, owners sometimes “hack” their own websites. For example, some of them add cryptominer code in order to earn some money. This is called cryptojacking: the covert mining of cryptocurrency on the computers of site visitors. There would be nothing terrible about such a scheme, if not for a couple of “buts”.
The first is that in most cases visitors are simply not notified that their computers will now be mining cryptocurrency. Most remarkably, even the owners of online stores, resources that by default should be free of third-party advertising or monetization schemes, install the Coinhive mining script. At the end of 2017, Coinhive was found on several thousand e-commerce sites.
In fairness, it must be said that many online stores were themselves hacked, and their owners know nothing about the cryptojacking. Moreover, a study by Willem de Groot showed that in 80% of cases these resources carried not only the Coinhive script but also various skimming threats that copy the bank card details of the store's customers.
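As an added example (not part of the original article or of Malwarebytes' spider), the following site-owner self-check looks at a page's HTML for the two injection patterns described above: a Coinhive miner loaded into the page, and JavaScript pulled from a file-sharing host such as Dropbox. The sample HTML and the indicator host list are constructed assumptions, not data from the article.

```python
"""Self-check for the injection patterns the article describes (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator hosts (an illustration, not indicators published by the article).
SUSPECT_HOSTS = {
    "coinhive.com": "cryptominer library",
    "dropbox.com": "file-sharing host used for script delivery",
    "dropboxusercontent.com": "file-sharing host used for script delivery",
}
# Inline code that initialises the Coinhive miner (assumed marker strings).
INLINE_MARKERS = ("CoinHive.Anonymous", "CoinHive.User")


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True  # body follows as CDATA

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and data.strip():
            self.inline.append(data)


def host_of(url):
    """Hostname of an absolute or protocol-relative URL, lower-cased."""
    return (urlparse(url if "//" in url else "//" + url).hostname or "").lower()


def scan_html(html):
    """Return (location, reason) pairs for suspicious scripts in the page."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = host_of(src)
        for suspect, why in SUSPECT_HOSTS.items():
            if host == suspect or host.endswith("." + suspect):  # match subdomains too
                findings.append((src, why))
    for body in parser.inline:
        if any(marker in body for marker in INLINE_MARKERS):
            findings.append(("inline script", "Coinhive miner initialisation"))
    return findings


# Constructed sample page: one legitimate script, one miner, one Dropbox-hosted script.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example-shop.test/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY'); miner.start();</script>
<script src="https://dl.dropboxusercontent.com/s/placeholder/update.js"></script>
</head><body>Shop</body></html>"""

if __name__ == "__main__":
    for where, why in scan_html(SAMPLE_HTML):
        print(f"{where}: {why}")
```

Run it against the saved HTML of your own pages; a clean page with only first-party scripts produces no findings.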