WordPress sites compromised to redirect to Pirate Bay clone, exploit kit

Malwarebytes researchers have spotted another malware delivery campaign that uses compromised WordPress sites to redirect users to a page hosting an exploit kit.

The total number of compromised sites is still unknown, as is the method of compromise, but it’s more than likely that the attackers have exploited a vulnerability in the popular CMS or some plugin.

What is known is that the sites are injected with the same iframe, which redirects users to a site located at thepiratebay.in.ua:

The site is not the official Pirate Bay site, but a clone made possible by the The Open Bay initiative (they are not behind these malware-peddling scheme).

The clone has also been equipped with an iFrame that redirects users to a site hosting the Nuclear exploit kit. The kit attempts to exploit a Flash Player vulnerability (CVE-2015-0311) that affects version 16.0.0.287 and under.

If it succeeds, it downloads a banking Trojan that phones back to its C&C server ar usabrent.ru.

Users can keep safe from this attack by updating their Flash Player to the latest version, or by using an up-to-date AV solution.

Admins of WordPress site can mitigate the risk of this kind of site hijacking and compromise by regularly updating their WP install and the plugins the use.

“Other proper hygiene tips such as strong passwords and avoiding public WiFi when logging into your site should also be applied,” advises Malwarebytes’ Jerome Segura.