Joomla now a target of Admedia ransomware
by Nikola Strahija on February 22nd, 2016
The SANS Internet Storm Center (ISC) reports that the group behind the WordPress "admedia" ransomware campaign is now also attacking Joomla-based websites.
Earlier this month the Sucuri blog reported a spike in compromised WordPress websites that were generating hidden iframes. A common string in the malicious URLs was "admedia". These URLs act as a gate between the compromised website and the exploit kit (EK) server. While the EK traffic associated with this campaign generally delivered TeslaCrypt ransomware, the attacked websites all ran on WordPress. Since then, the attack and deployment vectors of the campaign have evolved.
Brad Duncan from Rackspace writes:
"Although we first saw Nuclear EK from this campaign, during the past week or so, these admedia gates have led to Angler EK.
In the past 24 hours, I saw a Joomla site generate an admedia gate, so this campaign is no longer limited to WordPress sites."
On Wednesday 2016-02-17 at 18:00 UTC Brad started seeing the full chain of events: a compromised website, the admedia gate, Angler EK (exploit kit) and finally the TeslaCrypt ransomware it delivered. The indicators from that chain:
- 178.62.122.211 - img.belayamorda.info - admedia gate
- 185.46.11.113 - ssd.summerspellman.com - Angler EK
- 192.185.39.64 - clothdiapersexpert.com - TeslaCrypt callback traffic

(Image: this is what a Windows desktop looks like after Angler EK has delivered TeslaCrypt.)

Sucuri reported that the compromised websites returned every .js file with malicious JavaScript appended to it. As of today the deployment method has been upgraded: the visitor's browser first sends an HTTP GET request to the admedia gate, followed by an HTTP POST. The POST response is an even more heavily obfuscated script that generates the URL of an Angler EK landing page.
From there it is a short step to an infected machine: Angler EK serves a Flash exploit and drops TeslaCrypt.
Updated list of admedia gates:
- img.sinyayamorda.info
- img.chernayamorda.info
- img.belayamorda.info
- img.zelenayamorda.info
- img.krasnayamorda.info
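As an added example (not code from ISC, Sucuri or Rackspace, and not part of the original write-up), the Python script below shows how the traffic chain described above, a GET to an admedia gate followed by a POST, then the Angler EK landing page and the TeslaCrypt callback, can be picked out of proxy logs using the gate hostnames and IPs listed in this article. The simplified log-line format, the sample log lines and the `img.<word>morda.info` naming heuristic are assumptions made for the example.

```python
# Added example for this article: flag the admedia gate traffic chain
# (GET to gate, POST to gate, Angler EK landing page, TeslaCrypt callback)
# in proxy logs. Not code from ISC, Sucuri or Rackspace.
import re
from collections import defaultdict

# Indicators taken from the article (Brad Duncan, SANS ISC, 2016-02-17).
ADMEDIA_GATES = {
    "img.sinyayamorda.info",
    "img.chernayamorda.info",
    "img.belayamorda.info",
    "img.zelenayamorda.info",
    "img.krasnayamorda.info",
    "178.62.122.211",                # img.belayamorda.info
}
ANGLER_EK_HOSTS = {"ssd.summerspellman.com", "185.46.11.113"}
TESLACRYPT_CALLBACK_HOSTS = {"clothdiapersexpert.com", "192.185.39.64"}

# Assumption: the listed gates all follow an "img.<word>morda.info" naming
# scheme, so unlisted hosts of that shape are matched too. Not from the article.
GATE_NAME_RE = re.compile(r"^img\.[a-z]+morda\.info$")

# Assumption: a simplified proxy log format "<client-ip> <method> <host> <path>".
LOG_RE = re.compile(
    r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<path>\S+)$"
)

# Constructed sample log for the example, not real traffic.
SAMPLE_LOG = """\
10.0.0.5 GET www.compromised-joomla.test /index.php
10.0.0.5 GET img.belayamorda.info /
10.0.0.5 POST img.belayamorda.info /
10.0.0.5 GET ssd.summerspellman.com /
10.0.0.5 POST clothdiapersexpert.com /
10.0.0.9 GET img.belayamorda.info /
10.0.0.7 GET www.unrelated.test /
10.0.0.11 POST img.zheltayamorda.info /
"""


def is_admedia_gate(host):
    """True for a listed gate host/IP or a host matching the naming heuristic."""
    host = host.lower().rstrip(".")
    return host in ADMEDIA_GATES or GATE_NAME_RE.match(host) is not None


def classify(lines):
    """Map each client to the ordered list of chain stages seen in its traffic.

    Stages: gate_get, gate_post (a POST after a GET to a gate, the pattern the
    article describes), gate_post_orphan (POST to a gate with no prior GET),
    angler_ek, teslacrypt_callback.
    """
    stages = defaultdict(list)

    def note(client, stage):
        if stage not in stages[client]:
            stages[client].append(stage)

    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue
        client, method, host = m["client"], m["method"], m["host"].lower()
        if is_admedia_gate(host):
            if method == "GET":
                note(client, "gate_get")
            elif method == "POST":
                seen_get = "gate_get" in stages[client]
                note(client, "gate_post" if seen_get else "gate_post_orphan")
        elif host in ANGLER_EK_HOSTS:
            note(client, "angler_ek")
        elif host in TESLACRYPT_CALLBACK_HOSTS:
            note(client, "teslacrypt_callback")
    return dict(stages)


def likely_infected(stages):
    """Clients that completed the gate GET/POST exchange or called back to TeslaCrypt."""
    return sorted(c for c, s in stages.items()
                  if "gate_post" in s or "teslacrypt_callback" in s)


if __name__ == "__main__":
    result = classify(SAMPLE_LOG.splitlines())
    for client, seen in result.items():
        print(client, "->", ", ".join(seen))
    print("likely infected:", likely_infected(result))
```

A lone GET to a gate (client 10.0.0.9 in the sample) only means the visitor loaded a compromised page; the GET/POST pair is what precedes the Angler landing page, so only that, or the TeslaCrypt callback itself, is treated as a likely infection. The naming heuristic is deliberately broad and should be confirmed against current gate lists before being used to block traffic.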