WordPress was comprimised!

WordPress was comprimised by the Nuetrino Exploit Kit.

This exploit kit installs backdoors on WordPress sites running older versions of the content management system (4.2 and older). It then redirects the victim through a series of iFrames to a landing page hosting a Flash exploit.

The exploit targets users running Internet Explorer and the victims computers are infected with CryptoWall 3.0 ransomeware.

Researchers of the Nuetrino Exploit Kit have said that the IP of the landing page is 185[.]44[.]105[.]17 which is registered to a “Max Vlapet” in Moscow.

Moreover, researchers say the goal of the exploit kit was to harvest credentials and inject an iFrame to redirect users to the landing page. They also said that people who are not using IE should not get the malciious iFrame and those using IE will not get attacked over and over again due to a cookie that the attackers injected.

The CryptoWall ransomware has recently been used in a lot of 0-day exploits leading some to believe that an APT group is behind this attack.

Like other ransomware, CryptoWall 3.0 encrypts files on a compromised computer and demands a ransom to decrypt them, usually over $400 in Bitcoin. This particular piece of ransomware uses numerous channels to communicate stolen traffic to its keepers, including I2P and Tor anonymity networks.


WordPress remains a soft spot for hackers and attackers and the Nuetrino Exploit Kit is still active. More often than not, attackers will find and exploit vulnerabilities in plugins (Such as Java and Flash), however there have been occasions where the WordPress Core Engine was attacked.

Also, if you haven’t noticed, this webpage is running on the WordPress Core engine, which is why I made this blog post and is why this is relevant.



Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s