UK Newspaper The Independent Hit by WordPress Compromise

A blog run by UK national newspaper The Independent has been affected by a widespread campaign designed to compromise WordPress sites in order to load the notorious Angler exploit kit.

Researchers at Trend Micro explained in a blog post on Tuesday that the compromised blog page had been redirecting users to pages hosting Angler EK.

If the user was not running an updated version of Adobe Flash Player, the malware would exploit the bug CVE-2015-7645, beginning a download of the Cryptesla ransomware.

The Trend Micro team then discovered an additional infection chain where Angler EK loads Bedep malware—known for its heavy use of encryption, which can help it bypass security filters.

Bedep typically downloads notorious ransomware CryptoLocker—which charges as much as $499 for decryption.

“It’s hard to determine the exact reason behind adding Bedep to the infection chain but it’s highly possible that the cyber-criminals wanted to take advantage of the different features of the malware, which include information theft and backdoor capabilities,” the researchers claimed.

For its part, The Independent revealed that an ad was to blame for the compromise, but argued that it was a rarely visited “legacy” site.

It’s now redirecting users to the main site, according to Trend Micro.

Trend Micro vice president of security research, Rik Ferguson, argued that the compromise was still a coup for the online extortionists.

“The Angler exploit kit is currently [a] very widespread and effective criminal toolkit and can be tailored to deliver any infection that the attacker desires,” he added.

“Trend Micro had already predicted a sharp growth in online extortion in 2016, with these kinds of attacks spreading into the world of commerce as well as individual users.”

The WordPress-Angler EK malware campaign was first spotted last month by researchers at Malwarebytes.

At that time, senior security researcher, Jérôme Segura, warned that Reader’s Digest had been compromised in the attacks.
