Researchers at Zscaler have identified an Adwind campaign that is currently being distributed through compromised WordPress sites. Binary Defense threat researchers have detected compromised WordPress sites used as part of the infection chain to distribute multiple malware families, including Emotet, Qakbot, Trickbot and others.

The use of compromised sites to host malware has become prolific in recent days. Threat actors prefer to distribute malware from long-established websites that do not have a negative reputation or appear on any blacklists, because those sites are not likely to be blocked by corporate security filters. It is much harder for security teams to detect malicious network traffic when it comes from websites that are known and trusted. Once a compromised site becomes known for hosting malware and is blocked by security products, the attackers simply move on to the next compromised site. Because there are over 60 million WordPress sites and many vulnerable plug-ins, WordPress makes an attractive target for attackers.