The cybergang behind the ongoing WordPress malvertising campaign is now targeting Joomla sites.
The cybergang behind the ongoing WordPress malvertising campaign is now targeting Joomla sites.

Malwarebytes has closely examined a relatively new fake update scam that uses a combination of legitimate websites, a real cloud storage site and excellent social engineering to pass along either a banking Trojan and remote access tool to its victims.

The “fake updates campaign” was first spotted in December 2017 and has started to grow in popularity among malicious actors, wrote Malwarebytes' Jerome Segura, lead malware intelligence analyst. Essentially, websites using outdated versions of the content management systems Joomla and WordPress are targeted by malicious actors who use them to place their fake update.

The fake updates are for Chrome, Firefox and Internet Explorer. The affected Joomla and WordPress sites are overlayed with a pop up saying the site is out of date and needs to be updated and then using a realistic looking Windows prompt it asks for the victim to “save” the update.

However, instead of an update, Segura said the script is downloaded from a Dropbox file: “This campaign relies on a delivery mechanism that leverages social engineering and abuses a legitimate file hosting service. The ‘bait' file consists of a script rather than a malicious executable, giving the attackers the flexibility to develop interesting obfuscation and fingerprinting techniques,” Segura said.

What comes in from Dropbox is the ZeusVM variant Chtonic banking malware or a NetSupport Remote Access Tool. Each download is heavily obfuscated.

Malwarebytes was able to definitively spot several hundred compromised WordPress and Joomla sites and speculated the number affected could range into the thousands.