Fake Pirate Bay site pushes banking Trojan to WordPress users
Pirated pirate site springs 'You've been iFramed' drive-by surprise
Multiple WordPress sites are being redirected to a Pirate Bay copycat which in turn is being used to sling malware, anti-malware firm Malwarebytes warns.
Several WordPress sites were injected with the same iframe over the last few days as part of an attack ultimately geared towards serving content from sites such as thepiratebay(dot)in(dot)ua. This is not the officially maintained Pirate Bay mirror site, but rather a clone set up through The Open Bay project by hackers rather than file sharers.
The iframe pointing towards this site might have been established to run a click fraud scam of some sort by a rogue advertising affiliate. However, in this instance the problem is worse than that: the Pirate Bay clone is actively pushing the Nuclear exploit kit with an iframe ultimately designed to infect vulnerable surfers.
More specifically, the Nuclear EK landing page is loaded with a Flash exploit (CVE-2015-0311) designed to push a banking Trojan onto Windows machines that stray into its path. Anyone who visits one of the compromised WordPress sites with an outdated Flash Player can get infected.
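Site owners checking their own WordPress installs for this kind of injection can scan theme and plugin files for iframes that are either hidden from the visitor or point at the campaign host named above. The following is an added Python example, not code from the article or from Malwarebytes; the sample footer, the YouTube embed and the hidden-frame heuristics are constructed assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Host the article names as the attacker-run clone (not the real Pirate Bay mirror).
KNOWN_BAD_HOSTS = {"thepiratebay.in.ua"}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def parse_attrs(raw):
    """Return a lowercase attribute -> value dict for one tag's attribute string."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = next(v for v in m.groups()[1:] if v is not None)
    return attrs


def _small(value):
    """True for a 0px/1px dimension, the classic size of an injected frame."""
    return value.isdigit() and int(value) <= 1


def is_hidden(attrs):
    """Heuristic (assumed): an iframe the visitor is not meant to see."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _small(attrs.get("width", "")) or _small(attrs.get("height", ""))


def find_suspicious_iframes(text):
    """Scan file contents; return [(host, [reasons])] for each iframe worth a look."""
    findings = []
    for m in IFRAME_RE.finditer(text):
        attrs = parse_attrs(m.group(1))
        src = attrs.get("src", "")
        if src.startswith("//"):  # protocol-relative URLs are common in injected code
            src = "http:" + src
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host in KNOWN_BAD_HOSTS:
            reasons.append("known campaign host")
        if is_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((host, reasons))
    return findings


# Constructed sample of a theme footer after injection; the first embed is benign.
SAMPLE_FOOTER = """<footer>
<iframe width="560" height="315" src="https://www.youtube.com/embed/abc"></iframe>
<iframe src="//thepiratebay.in.ua/" width="1" height="1" style="display: none;"></iframe>
</footer>"""
```

Run it over the contents of each `.php` and `.html` file under `wp-content/` and review every hit by hand; a legitimate analytics or video embed will not be flagged unless it is sized to be invisible.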
Searches on the portal return no result at the moment, but the error message is darkly appropriate: “404 sh*t happens”.
Web security firm Sucuri last year exposed a massive campaign of WordPress compromises dubbed “SoakSoak”, which took advantage of a RevSlider vulnerability. The clone Pirate Bay attack is running the same trick.
"It’s possible this latest wave of attacks is somehow connected with the 'SoakSoak' campaign and its authors, although it is too early to tell at this point," said Jérôme Segura, senior security researcher at Malwarebytes. "To avoid getting their sites hacked, WordPress users need to check that they are running the latest WP install and that all their plug-ins are up to date." ®