Joomla Bug Opens the Door for New Attack Campaigns

Content management system Joomla is the latest victim of a string of spam campaigns whose primary target is its Jmail service. Attackers first exploit CVE-2015-8562, an old Joomla object injection remote code execution vulnerability. Then, a malicious base64-encoded PHP string is injected into the User-Agent field of HTTP requests. Once it has been decoded so that it can run on the target system, files are downloaded from Pastebin. One of the downloaded files, which serves functions such as sending emails and uploading files, overrides Jmail. It is then used as the base from which the attacker performs file uploads as well as phishing and scamming. An attacker by the name of Alarg53 is believed to be behind the attack, and he is no stranger to this type of activity, with reports stating he has hacked over 15,000 websites.
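For defenders reviewing web server logs, the following Python code is an added example (not part of the original brief or any vendor tooling) that flags requests whose User-Agent contains a base64 run decoding to PHP-like text, the pattern described above. It assumes combined log format; the function names, the 24-character threshold, the hint list and the sample log lines are all constructed for illustration.

```python
import base64
import re

# Combined log format: the User-Agent is the last double-quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')
# Base64-alphabet runs long enough to carry code (the 24-char floor is an assumption).
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}")
# Byte strings suggesting decoded PHP or a Pastebin fetch (illustrative, not exhaustive).
PHP_HINTS = (b"<?php", b"eval(", b"base64_decode(", b"file_put_contents(", b"pastebin.com")


def decoded_php_hints(user_agent):
    """Decode each base64 run in a User-Agent and return the PHP hints it contains."""
    found = set()
    for run in B64_RUN.findall(user_agent):
        for offset in range(4):  # the encoded text may not start on a 4-char boundary
            chunk = run[offset:]
            if len(chunk) % 4 == 1:  # one dangling character can never be valid base64
                chunk = chunk[:-1]
            raw = base64.b64decode(chunk + "=" * (-len(chunk) % 4))
            found.update(h.decode() for h in PHP_HINTS if h in raw.lower())
    return sorted(found)


def scan(lines):
    """Return (client_ip, hints) for each log line whose User-Agent decodes to PHP-like text."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        hints = decoded_php_hints(m.group("ua")) if m else []
        if hints:
            hits.append((m.group("ip"), hints))
    return hits


# Constructed sample input: a harmless placeholder string, not a captured payload.
_PLACEHOLDER = base64.b64encode(
    b"eval(/* constructed placeholder */ 'pastebin.com/raw/EXAMPLE');").decode()
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:00:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Safari/537.36"',
    '203.0.113.9 - - [01/Jan/2024:00:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" "x '
    + _PLACEHOLDER + '"',
]

if __name__ == "__main__":
    for ip, hints in scan(SAMPLE_LOG):
        print(ip, hints)
```

A hit is a lead for triage rather than proof of compromise; follow up by checking the host for unexpected outbound requests to Pastebin and for modified mail-handling files.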

Analyst Notes

At this moment there is no specific remedy for this issue. Joomla users should make sure their installation is kept constantly updated in case a patch is released.