Light Dark
February 8, 2016 By Larry Loeb 2 min read

Three security research firms have noted a recent spike in TeslaCrypt ransomware over the last week. Experts believe the rise has been facilitated by the WordPress content management system (CMS).

The Ad Is the Poison

According to Ars Technica, the attack silently redirects visitors from original sites to malicious ones. The malicious sites host code from the Nuclear exploit kit (EK), while the WordPress sites are injected with large amounts of code that perform a silent redirection to domains displaying host ads. But this is only a diversion: Those ads are stuffed with more code that sends visitors to the true destination, the Nuclear EK.

If the visitors have out-of-date, unpatched versions of Adobe Flash Player, Adobe Reader, Microsoft Silverlight or Internet Explorer, they put themselves at risk for infection by the TeslaCrypt ransomware. This malware encrypts user files and then demands ransom for their decryption key.

Distinguishing Features

Security firm Sucuri noted that there were distinguishing features of the malware, including the fact that it had 32 hex-digit strings at the beginning and end of the code. Similarly, once the code has been decrypted it always looks the same.

Interestingly, the malware only infects first-time visitors to the infected site. Ars Technica noted that it may exhibit this sort of behavior in order to throw off security researchers, while Sucuri made sure to mention the invisible iframes installed as part of this process.

The URLs of the invisible iframe all use third-level domains and have “Admedia” or “advertizing” in the path. All the malicious domains and subdomains point to servers on Digital Ocean’s network: 46.101.84.214, 178.62.37.217, 178.62.37.131 and 178.62.90.65.

TeslaCrypt Ransomware Opens Backdoors

TeslaCrypt also uploads multiple backdoors into various locations on the affected Web server and frequently updates the injected code. That means it reinfects all the JavaScript files it can access using cross-site contamination as the method. A webmaster will have to sanitize all the sites on the server at the same time, not just the obviously affected ones, to truly clear out the infection.

Unless the TeslaCrypt problem is resolved, users — and site owners, in particular — should ensure that they are using unique passwords and have the latest versions of patched products.

 |  |  |  |  |  | 
Larry Loeb
Principal, PBC Enterprises

More from

May 7, 2024

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

May 6, 2024

Evolving red teaming for AI environments

2 min read - As AI becomes more ingrained in businesses and daily life, the importance of security grows more paramount. In fact, according to the IBM Institute for Business Value, 96% of executives say adopting generative AI (GenAI) makes a security breach likely in their organization in the next three years. Whether it’s a model performing unintended actions, generating misleading or harmful responses or revealing sensitive information, in the AI era security can no longer be an afterthought to innovation.AI red teaming is emerging…

May 3, 2024

What we can learn from the best collegiate cyber defenders

3 min read - This year marked the 19th season of the National Collegiate Cyber Defense Competition (NCCDC). For those unfamiliar, CCDC is a competition that puts student teams in charge of managing IT for a fictitious company as the network is undergoing a fundamental transformation. This year the challenge involved a common scenario: a merger. Ten finalist teams were tasked with managing IT infrastructure during this migrational period and, as an added bonus, the networks were simultaneously attacked by a group of red…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature