
Joomla now a target of Admedia ransomware

by Nikola Strahija on February 22nd, 2016

ISC posted that the group behind the WordPress admedia ransomware campaign is now attacking Joomla-based websites.


Earlier this month the Sucuri blog reported a spike in compromised WordPress websites that were generating hidden iframes. A common string within these malicious URLs was "admedia". These malicious URLs act as a gate between the compromised website and the EK server (exploit kit server). While the EK traffic associated with this campaign generally delivered TeslaCrypt ransomware, the attacked websites all ran on WordPress. However, the attack and deployment vectors of this ransomware campaign have evolved since then.

Brad Duncan from Rackspace writes:
"Although we first saw Nuclear EK from this campaign, during the past week or so, these admedia gates have led to Angler EK.

In the past 24 hours, I saw a Joomla site generate an admedia gate, so this campaign is no longer limited to WordPress sites."


[Image: HTML from an admedia-compromised Joomla website]

On Wednesday 2016-02-17 at 18h UTC Brad started seeing the full chain of events: a compromised website, the admedia gate, Angler EK (exploit kit), and finally the TeslaCrypt ransomware it delivered.

  • 178.62.122.211 - img.belayamorda.info - admedia gate
  • 185.46.11.113 - ssd.summerspellman.com - Angler EK
  • 192.185.39.64 - clothdiapersexpert.com - TeslaCrypt callback traffic


[Image: Traffic dump of admedia infection traffic]

This is how a Windows desktop looks after Angler EK has delivered TeslaCrypt:

[Image: Windows desktop with TeslaCrypt]

Sucuri reported that compromised websites were returning each .js file with malicious JavaScript code appended; as of today, however, the deployment method has been upgraded. An HTTP GET request is sent to the admedia gate, followed by an HTTP POST. The POST returns an even more obfuscated script, which generates a URL for an Angler EK landing page. From there it is a short way to a ransomware-infected machine (Angler EK Flash exploit).

Updated list of admedia gates:
  • img.sinyayamorda.info
  • img.chernayamorda.info
  • img.belayamorda.info
  • img.zelenayamorda.info
  • img.krasnayamorda.info
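The GET-then-POST pattern against the gate domains listed above is something a defender can look for in proxy logs. The following detector is an added example, not code from the article or from ISC; the log line format and the sample lines are constructed for illustration, and the hostnames are the ones the article lists.

```python
import re

# admedia gate hostnames as listed in the article
ADMEDIA_GATES = {
    "img.sinyayamorda.info",
    "img.chernayamorda.info",
    "img.belayamorda.info",
    "img.zelenayamorda.info",
    "img.krasnayamorda.info",
}

# Constructed proxy log lines (hypothetical format: epoch client method host path)
SAMPLE_LOG = """\
1455732000 10.0.0.5 GET joomla-site.example /index.php
1455732001 10.0.0.5 GET img.belayamorda.info /admedia/?id=1234
1455732002 10.0.0.5 POST img.belayamorda.info /admedia/
1455732005 10.0.0.5 GET ssd.summerspellman.com /landing
1455732010 10.0.0.7 GET img.zelenayamorda.info /admedia/
1455732300 10.0.0.9 GET www.example.org /
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST) (\S+) (\S+)$")


def _parse(log_text):
    """Yield (timestamp, client, method, host) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, client, method, host, _path = m.groups()
            yield int(ts), client, method, host


def find_admedia_sequences(log_text, window=30):
    """Return (client, gate, get_timestamp) for every client whose GET to an
    admedia gate was followed by a POST to the same gate within `window` seconds,
    i.e. the full gate exchange the article describes. Lone GETs are not reported
    here; see find_gate_contacts()."""
    last_get, hits = {}, []
    for ts, client, method, host in _parse(log_text):
        if host not in ADMEDIA_GATES:
            continue
        key = (client, host)
        if method == "GET":
            last_get[key] = ts
        elif key in last_get and ts - last_get[key] <= window:
            hits.append((client, host, last_get.pop(key)))
    return hits


def find_gate_contacts(log_text):
    """Every (client, gate) pair that contacted a listed gate at all."""
    return {(c, h) for _, c, _, h in _parse(log_text) if h in ADMEDIA_GATES}
```

A client in the sequence list has completed the gate exchange and should be treated as a likely Angler EK exposure; a client only in the contact set has at least rendered a page injected with the gate iframe.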

