Friday, September 25, 2015

Compromised WordPress Campaign - Spyware Edition

[Update - October 9, 2015] 

Multiple Drupal & Joomla sites affected..

The Spyware campaign we wrote about two weeks ago continues to be active, although the number of infected websites has gone down. We are also seeing two other popular Content Management Systems (CMS), Drupal and Joomla sites being compromised and leveraged in this campaign.

Spyware campaign hits from last 7 days

The compromised Joomla and Drupal site pages are injected with identical malicious JavaScript  redirecting users to the download of Spyware and Potentially Unwanted Applications as seen below:

Compromised Drupal Site with injected JavaScript

Compromised Joomla Site with injected JavaScript


The Zscaler security research team started investigating multiple WordPress related security events earlier this month and came across a new widespread compromised WordPress campaign leading to the download of unwanted applications. This has been briefly covered by dynamoo and has been reported by some users on official WordPress forums.

During our research, we discovered that this campaign started in the first week of August, 2015 and has been fairly active since then resulting in over 20,000 security events to date from over 2,000 web pages. Majority of the WordPress sites affected by this campaign are running latest version 4.3.1 but the compromise could have occurred prior to the update.

Figure 1: August 2015 WordPress Campaign hits

Figure 2: September 2015 WordPress Campaign hits

Infection Cycle

The infection starts when a user visits a compromised WordPress site. The compromised pages will have injected JavaScript shown below:

Figure 3: Injected malicious JavaScript code

The deobfuscated JavaScript code contains an iframe to the malicious server location:

Figure 4: Deobfuscated JavaScript containing the iframe

Although the target domains varied across the transactions that we saw, the associated server IP address has remained the same.

Target domains seen

The IP Address associated with these domains is hosted in Latvia through a VPS hosting provider.

The injected iframe loads additional JavaScript that gathers information such as current system timestamp, timezone, and presence of Adobe Flash Player.

Figure 5: User system information gathering script

Figure 6: Function to check the presence of Flash Plugin and version information

The collected information is relayed back to the same server via a HTTP GET request. This is followed by a series of redirects leading to download of spyware or potentially unwanted applications (PUA) masquerading as legitimate applications.

Figure 7: Redirects from Latvia VPS server leading to PUA download

Fake Flash Player - Win32.InstallCore

In one of the cases, we observed the user is prompted to update the Flash Player as seen below:

Figure 8: Out of date Flash Player warning
The page prompts the user to update or install a new flash player update. Regardless of the option the user selects, a fake Adobe Flash Player application is downloaded.

FileName : Adobe Flash Player.exe
MD5 : fa75abf137224fc2c60b9b3c35c80a5e

This file is a .NET Compiled executable which downloads and executes another setup file named FlashSetup.exe.

FileName : Flash Setup.exe
MD5: 87234af45b30740309c8bffcdf2167dc

Figure 9: Fake Flash Player download
The downloaded file flashsetup.exe is a variant of Potentially Unwanted Application Win32.InstallCore. During the installation of the Adobe Flash Player, several other websites offering other unwanted scareware applications are displayed. One such case where the spyware installer prompts the user to download and install Windows 7 PC Repair tool is shown below:
Figure 8: Scareware Windows 7 Repair utility

Figure 9: Download from third party sites & adware traffic from PUA

Once the spyware installation is complete, the user is redirected to the legitimate Adobe page indicating that the installation was not successful prompting the user to start over. If the user chooses to start over the installation, Adobe Flash Player will be installed from the genuine Adobe site.

Figure 10: User redirected to legitimate Adobe Flash Player

Fake MediaDownloader update - Win32.DownloadAssistant

In another case, the webpage prompts the user with a fake MediaDownloader software update which is a variant of PUA Win32.DownloadAssistant.

FileName: Setup.exe
MD5: a885f33c308721831498a2ac581bd91c
Figure 11: Fake MediaDownloader Update

The end result is same where a potentially unwanted application is downloaded and installed on the victim machine. These applications have the capability to download additional malicious or unwanted applications.

We also saw instances of fake web browser plugins being downloaded and installed. Below is an example of a Google Chrome Plugin - NewTabTV plus.

Figure 12: Fake Google Chrome Plugin download

The compromised sites involved in this campaign are distributed worldwide and not limited to one particular region.

Figure 13: Geo distribution of the compromised WordPress sites - September 2015


WordPress, being one of the most popular Content Management Systems & Blogging platform, remains an attractive target for cybercriminals. Unlike previous campaigns involving Malware Authors and Exploit Kit operators, the end payload getting served in this campaign involves spyware and potentially unwanted applications. These applications may seem innocuous but can facilitate malvertising based attacks through unsolicited advertisements.

Zscaler ThreatLabZ is actively monitoring this campaign and ensuring that Zscaler customers are protected.

Analysis by Jithin Nair and Sameer Patil

Wednesday, September 23, 2015

An Update on Nuclear (Reverse) Engineering


Although Angler continues to be the leading exploit kit, Nuclear is a significant threat to web surfers and seems to have been very active lately. ThreatLabZ recently encountered a Nuclear campaign originating from a variety of compromised sites. These compromises continue the trend of WordPress sites serving malcode, and in this case included the web-presence of a UK-based healthcare organization.

Example of recent Nuclear landing page to exploit cycle

The execution flow of this campaign is typical: an infected site includes an embedded iframe that loads the exploit kit landing page. The landing page checks the browser family and version and tests the available Flash version before choosing one of several exploit payloads. From here, multiple possible payloads may be downloaded, particularly Fareit Infostealer Trojan and Troldesh Ransomware Trojan.

Nuclear Landing

As covered recently, WordPress continues to be one of the most effective traffic sources for exploit kits. However, the majority of traffic we have seen does not feature the visitorTracker component, but merely includes a hidden iframe in the footer of the WordPress page.

The malicious iframe is preceded by a large number of blank lines

The iframe loads the landing page, which features obfuscated JavaScript and random-looking text blocks. It turns out that some of the random looking text blocks are actually obfuscated components that the JavaScript eventually deobfuscates and executes.

Lines 7 and 9 are overlaid with the script invocations that decode the HTML blocks

Nuclear Exploit Payloads

The landing pages we evaluated led to two possible Flash exploits as well as one Internet Explorer exploit. Specifically, we saw CVE-2015-5122 and CVE-2015-5560 exploits for Flash, and a highly obfuscated CVE-2014-6332 exploit for IE.

The first Flash payload stage checks Flash Player version and prepares the appropriate exploit

As noted by Kafeine, Nuclear has integrated the same Diffie-Hellman Angler first pioneered, only now it is implemented in Flash to protect the CVE-2015-5560 payload. This campaign also features an XTEA function with modified constants.

A Diffie-Hellman key exchange implementation is used to protect the new Flash payload

Besides making reverse engineers lives harder, the authors have also decided to include some friendly shoutouts to those analyzing their code. In the case of the featured Flash payloads, the string "fuckAV" is used as a special constant.

This function returns an XOR key when "fuckAV" is supplied as a parameter

Nuclear Fallout

Once the browser is exploited, Nuclear first drops a Fareit payload. Fareit is an infostealer, and as can be seen in the strings below, is looking to steal user credentials for multiple applications and websites as well as BitCoin wallet information.

A sample of the files and paths Fareit checks for user credentials

While stealing users information, Fareit attempts to hide its command and control communication by sending its check-in request in the midst of a batch of HTTP requests to innocuous looking websites.

After checking connectivity on, multiple POSTs are performed

In addition to the Fareit payload, a Troldesh ransomware payload was also seen. Troldesh is yet another in the line of ransomware families that encrypt user files and attempt to extract a ransom payments in exchange for decryption keys. This campaign is using the email addresses files100005(at) and files100006(at) and the Tor address a4yhexpmth2ldj3v.onion.

Troldesh bundles a Tor proxy to protect its communication

Although they might prefer to infect the machines of non-analysts, the Troldesh author does take the opportunity to greet their reverse engineer friends. This message is less aggressive than the greeting in the Nuclear flash payload.

Thanks, but I don't drink coffee!


While Nuclear may not be the exploit kit that regularly debuts the latest advances, the authors certainly make an effort to keep up with new exploits and new obfuscation techniques. ThreatLabZ will continue to monitor Nuclear (and Fareit and Troldesh) for any new developments or greetings.



Thursday, September 3, 2015

More Adult Themed Android Ransomware

During the course of our daily malware hunt, we came across a new mobile ransomware variant that leverages pornography to lure victims into downloading and installing it. We'd previously blogged about similar Android malware.

App Name: Adult Player
MD5: 6ed2451d1300ff75e793744bb3563638
Package Name: content.mercenary.chiffon

This ransomware acts as a porn app named "Adult Player" and lures victims who assume it is a pornographic video player. When the victim starts using it, the app silently takes a photo of the victim, which is then displayed on the ransomware screen, along with the ransom message. The app demands a ransom of 500 USD.

Admin Activation:
Upon opening the app, it asks for admin rights as shown below :
Admin privilege
After clicking "Activate", the app shows a fake update page but nothing really happens in terms of an update.

Fake update page

The malware then loads another APK named test.apk from it's local storage using a technique referred to as a reflection attack - /data/data/content.mercenary.chiffon/app_dex/test.apk.

Reflection is the ability of a program to examine and modify the behavior of an object at run time, instead of compile time.

APK stored in app's local storage
The specific reason for using reflection remains unknown but one reason could be to evade static analysis and detection.

Loading Test.apk

Personalized Ransom Screen:
The ransomware checks whether front camera is available or not. If available, it clicks photo of the victim while he/she is using the app and displays the image on ransom page.

Camera check
The majority of the malicious activities are then conducted by the newly loaded test.apk. The malware connects to the following hard-coded domains contained in the app:
  • hxxp://directavsecurity[.]com
  • hxxp://avsecurityorbit[.]com
  • hxxp://protectforavno[.]net
  • hxxp://trustedsecurityav[.]net
Hard-coded Domains
The malware then sends following details that includes victim's mobile device and operating system information to the remote server:
Data sent in requests

Ultimately, the malware receives a custom ransom page upon run time in a multi-encoded response from the aforementioned servers.

Decoded Ransom Message
Once the response is received, the ransomware locks the phone and displays the following ransom screen.
Ransom Page 1 (User Image Displayed Here)

Ransom Page 2

The ransom screen is designed to stay persistent even at reboot. It does not allow the user to operate the device and keeps the screen active with ransom message.

Broadcast Receiver acting on particular events

Preventing device from sleeping

More variants:
We also encountered additional apps belonging to this ransomware family and exhibiting similar functionality.

Sample MD5s:

  • ecd8c9eeae86c0d7d3c433e887fd5d3a
  • b544785176ed8152671bac94a18ca9d0
  • 9c731690985ce7c13ca9b25b9139d6a3

The ransomware is designed to stay stagnant on screen and does not allow the the victim to uninstall it. Rebooting the device does not work in such cases as ransomware app becomes active immediately after reboot, which leaves no scope for the victim to get into device "settings" and uninstall the ransomware.

In such scenarios, it can be removed by using the following steps:

  1. Boot device into safe mode (Please note that entering "safe mode" varies depending on your device). Safe mode boots the device with default settings without running third party apps.
  2. Uninstalling ransomware from device requires you to first remove administrator privilege. To do the same, go to Settings --> Security --> Device Administrator and select ransomware app, then deactivate.
  3. Once this is done, you can go to Settings --> Apps --> Uninstall ransomware app.

To avoid being victim of such ransomware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the option of "Unknown Sources" under the "Security" settings of your device.