Denis Sinegubko is a researcher at digital security firm Sucuri who uncovered a WordPress iFrame infection. Over the past weekend he reported, “… a spike in WordPress infections where hackers injected encrypted code at the end of all legitimate .js files.”

According to Sinegubko:

The distinguishing features of this malware are:

  1. 32 hex digit comments at the beginning and end of the malicious code. E.g. /*e8def60c62ec31519121bfdb43fa078f*/ This comment is unique on every infected site. Most likely an MD5 hash based on the domain name.
  2. The first comment is immediately followed by ;window[“\x64\x6f…. and a long array of string constants in their hexadecimal representation.
  3. It always ends with “.join(\”\”);”));
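The three traits above are specific enough to turn into a file scanner. The following is an added example for defenders, not code from Sucuri's post: it searches .js files for a block bracketed by a 32-hex-digit comment, opened by ;window[" with hex-escaped strings and closed by .join("");")) and reports whether the block sits at the end of the file, where the report says the injection lands. The assumption that the closing comment carries the same hash as the opening one, and the sample file, are constructed for the example.

```python
import re
from pathlib import Path

# Regex built from the traits in the write-up: /*<32 hex>*/, then
# ;window["\x..."] with hex-escaped strings, ending in .join("");"))
# and (assumed here) a closing /*<same 32 hex>*/ comment.
HEX32 = r"[0-9a-f]{32}"
SIGNATURE = re.compile(
    r"/\*(?P<open>" + HEX32 + r")\*/\s*"
    r";window\[\"(?:\\x[0-9a-f]{2})+\"\]"
    r".*?\.join\(\"\"\);\"\)\);"
    r"\s*/\*(?P<close>" + HEX32 + r")\*/",
    re.DOTALL,
)

# Constructed sample, modelled on the traits above (not a real capture).
SAMPLE = (
    'function legit(){return 1;}\n'
    '/*e8def60c62ec31519121bfdb43fa078f*/ ;window["\\x64\\x6f\\x63"]'
    '("\\x3c\\x69\\x66\\x72\\x61\\x6d\\x65".join("");"));'
    '/*e8def60c62ec31519121bfdb43fa078f*/'
)

def find_injection(js_source):
    """Return (hash, offset, at_end) for a matching block, else None."""
    m = SIGNATURE.search(js_source)
    if not m or m.group("open") != m.group("close"):
        return None  # no block, or bracketing comments do not agree
    at_end = js_source[m.end():].strip() == ""
    return m.group("open"), m.start(), at_end

def clean_file_text(js_source):
    """Strip the appended block so the legitimate script is left intact."""
    hit = find_injection(js_source)
    if hit is None:
        return js_source
    return js_source[:hit[1]].rstrip() + "\n"

def scan_tree(root):
    """Walk a document root and report every .js file carrying the signature."""
    hits = {}
    for path in Path(root).rglob("*.js"):
        text = path.read_text(encoding="utf-8", errors="replace")
        hit = find_injection(text)
        if hit:
            hits[str(path)] = hit
    return hits
```

Run scan_tree on a backup copy first; since the hash differs per site, the match is on the structure of the block, not on any one comment value.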

WordPress iFrame Infection attacks Admedia

Sinegubko published:

The URL of the iFrames is the only changing part of the code.

  • hxxp://template.poln1uewt1aniwki[.]ws/admedia/?id=8695834&keyword=85c86e3646fb1b15c0bc0647c257c029&ad_id=Twiue123
  • hxxp://js.polnue2wtani2wki[.]ws/admedia/?id=8695834&keyword=396f3d9d490aed315d71b60ec1efda53&ad_id=Twiue123
  • hxxp://get.malenkiuniger[.]net/admedia/?id=8695834&keyword=8580b2135c1fdc0c650156eb174b4985&ad_id=Twiue123
  • hxxp://track.findyourwaytotr[.]net/admedia/?id=8695834&keyword=46731f99a65ceac12e0632d08e551ca5&ad_id=Twiue123
  • hxxp://img.oduvanchiksawa[.]biz/adverting/?id=5345896&keyword=fd2f2243cd2046d674aeec495cd2e74b&uyijo=86tyh978

Sinegubko went on to say that:

It is worth mentioning that all the malicious domains and subdomains point to servers on Digital Ocean’s network: 46.101.84.214, 178.62.37.217, 178.62.37.131, 178.62.90.65

It’s not common to see malware hosted there, so it’s not a surprise to see Google listing only domains related to this attack as examples of known dangerous sites on the AS202109 (DIGITALOCEAN-ASN-2) network.

Read the rest of the article here: https://blog.sucuri.net/2016/02/massive-admedia-iframe-javascript-infection.html