Several compromised WordPress and Joomla sites serve Shade ransomware and backdoors

• The core reason for the compromise of Wordpress and Joomla sites could be unpatched vulnerabilities and outdated plugins, themes, or extensions.
• Attackers are leveraging a well-known hidden directory present on the HTTPS site for storing and distributing Shade ransomware and phishing pages.

What is the issue - Researchers from ThreatLabZ have detected several compromised Content Management Sites (CMS) such as WordPress and Joomla that were serving Shade ransomware, backdoors, redirectors, and a variety of phishing pages.

Why it matters - Attackers are compromising CMS sites and are injecting malicious content.

Worth noting - The core reason for the compromise of Wordpress and Joomla sites could be unpatched vulnerabilities and outdated plugins, themes, and extensions.

Researchers noted that the compromised Wordpress sites are using versions 4.8.9 to 5.1.1 and are most likely to be using outdated CMS themes or server-side software.

The big picture

ThreatLabZ monitored the compromised HTTPS sites and noticed that attackers are leveraging a well-known hidden directory present on the HTTPS site for storing and distributing Shade ransomware and phishing pages.

“The hidden /.well-known/ directory in a website is a URI prefix for well-known locations defined by IETF and commonly used to demonstrate ownership of a domain. The administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directories to show the certificate authority (CA) that they control the domain,” researchers described.

• The certificate authority will send a specific code for an HTML website that must be located in this particular directory.
• The CA will then scan for this code to validate the domain.
• Attackers use these locations to hide malware and phishing pages.

The technique is very effective because this directory is already present on most HTTPS sites and is hidden.

How attackers distribute the Shade ransomware?

• Attackers distribute Shade ransomware via malspam phishing campaign.
• The phishing emails disguised as an order update purport to come from a Russian organization.
• The emails include a ZIP attachment or a link to an HTML redirector page which downloads the ZIP file.
• The ZIP file contains a highly obfuscated JavaScript file.
• The JavaScript attempts to download and execute the Shade ransomware.

Which phishing pages are propogated?

Researchers detected spoofed phishing pages related to Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, etc hosted in the SSL-validated hidden directories.