Full Report
Earlier this year, SpiderLabs observed an increase in mass scanning, credential brute forcing, and exploitation attempts originating from the Proton66 ASN and targeting organizations worldwide, which we are discussing in a two-part series.
Analysis Summary
This article describes observations related to several distinct malware campaigns and compromises found by Trustwave SpiderLabs, rather than a single continuous incident. Therefore, the timeline will reflect the general scope of the observed malicious activities detailed in the IOCs provided.
# Incident Report: Multiple Observed Malware Campaigns and WordPress Compromises
## Executive Summary
Analysis revealed multiple concurrent malicious activities, including campaigns distributing malware targeting Android devices, an XWorm campaign targeting Korean users, and the presence of WeaXor Ransomware indicators (C2 infrastructure). Additionally, several organizations were found to have compromised WordPress websites hosting malicious content. The primary impact involves potential data theft, system takeover via ransomware, and the distribution of malware via compromised web properties.
## Incident Details
- Discovery Date: Not explicitly stated, inferred from report publication/analysis.
- Incident Date: Ongoing/Multiple occurrences based on IOCs provided.
- Affected Organization: Various, including entities using compromised WordPress sites (e.g., competitivewindscreens.com.au, www.cbua.es, mikkiwaxbar.co.uk).
- Sector: Mixed (implied; no single sector is targeted, and the compromised WordPress sites belong to unrelated businesses).
- Geography: Mixed (the Android campaign was observed globally, the XWorm campaign targets Korean users, and the compromised WordPress sites are geographically dispersed).
## Timeline of Events
*Note: Since this is a summary of observed IOCs rather than a specific organizational IR case, the timeline reflects the reported activities collectively.*
### Initial Access
- Date/Time: Unknown/Ongoing activity.
- Vector: Exploitation of publicly accessible web applications (WordPress) and possibly compromised distribution channels for Android malware.
- Details: The compromised WordPress sites suggest web application exploitation (for example, vulnerable plugins or themes, or brute-forced administrator credentials, consistent with the credential brute forcing observed from the Proton66 ASN) was used to inject malicious code or redirects. The specific entry vector for each site is not identified in the source.
### Lateral Movement
- Details: Not detailed for any of the campaigns. The C2 infrastructure observed for XWorm (and the WeaXor onion service) shows that command and control was established after infection; command and control is a separate tactic from lateral movement, and no host-to-host movement is described in the source.
### Data Exfiltration/Impact
- Details: XWorm is a remote access trojan, so its presence indicates full compromise of the infected host. The WeaXor indicators point to potential ransomware deployment, i.e. data encryption and possibly data theft before encryption. The Android campaign likely aimed at stealing credentials or device information via a compromised Info API token.
### Detection & Response
- **Detection:** Observation by Trustwave SpiderLabs through threat intelligence monitoring and analysis of indicators related to ongoing campaigns.
- **Response Action (Implied):** Publishing the IOCs to inform defenders and recommending mitigation strategies.
## Attack Methodology
- Initial Access: Web application exploits (WordPress).
- Persistence: Not explicitly detailed; RATs such as XWorm and web shells or injected files on compromised sites commonly provide persistence.
- Privilege Escalation: Not explicitly detailed.
- Defense Evasion: Not explicitly detailed beyond the use of innocuous filenames (e.g., *base64.txt*) and compromised legitimate websites as hosting, which lets payload downloads blend in with normal web traffic.
- Credential Access: Likely via XWorm (a RAT with credential-stealing capabilities) and the Android malware.
- Discovery: Not explicitly detailed.
- Lateral Movement: Not explicitly detailed.
- Collection: Gathering configuration data or credentials (Android campaign).
- Exfiltration: Implied via C2 for XWorm and WeaXor.
- Impact: Ransomware encryption (WeaXor), potential theft of user data/credentials (Android).
## Impact Assessment
- Financial: Unknown, but potential costs associated with ransomware recovery and investigating numerous compromised websites.
- Data Breach: Potential exposure of user data from affected websites or PII/credentials from device compromises (Android/XWorm).
- Operational: Operational disruption for organizations whose WordPress sites were used for hosting, and potential disruption for organizations hit by WeaXor ransomware.
- Reputational: Negative impact on the domain owners of the compromised websites.
## Indicators of Compromise
- **Network indicators (defanged):**
- IPs: 91.212.166[.]86, 91.212.166[.]16, 193.143.1[.]139
- **File indicators (Sample SHA256 Hashes):**
- 91811e7a269be50ad03632e66a4a6e6b17b5b9b6d043b5ac5da16d5021de8ddb
- 4db2fa8e019cf499b8e08e7d036b68926309905eb1d6bb3d5466e551ac8d052e
- 956934581dfdba96d69b77b14f6ab3228705862b2bd189cd98d6bfb9565d9570
- a2f0e6f9c5058085eac1c9e7a8b2060b38fd8dbdcba2981283a5e224f346e147
- 7d1de2f4ab7c35b53154dc490ad3e7ad19ff04cfaa10b1828beba1ffadbaf1ab
- d682d5afbbbd9689d5f30db8576b02962af3c733bd01b8f220ff344a9c00abfd
- 40b75aa3c781f89d55ebff1784ff7419083210e01379bea4f5ef7e05a8609c38
- 7f2319f4e340b3877e34d5a06e09365f6356de5706e7a78e367934b8a58ed0e7
- **Behavioral indicators:**
- Use of specific domains for payload delivery (e.g., hosts under *wpx[.]net*, a hosting provider that also serves legitimate sites).
- Compromised sites redirecting or hosting malicious files.
- Use of generic filenames (*htdocs.zip*, *DLLl.txt*, *base64.txt*).
- Presence of onion service C2 infrastructure (*weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd[.]onion*).
## Response Actions
- **Containment:** Block the listed IPs at the firewall and proxy layers and add the sample hashes to EDR/AV blocklists. Block the specific malicious hosts and URL paths rather than entire hosting domains, since compromised sites and hosting providers also serve legitimate traffic. Because the WeaXor C2 is an onion service, also alert on or block Tor egress from servers that have no business need for it.
- **Eradication:** Delete malicious files and web shells from compromised WordPress instances and remove redirects or injected content. Rotate WordPress administrator, database and hosting credentials, since brute-forced credentials are a plausible entry vector.
- **Recovery:** Restore WordPress sites from known clean backups, potentially requiring a full compromise investigation if the initial entry vector is unknown.
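The following script is an added example of how a responder might sweep a WordPress document root and web server logs for the indicators listed above; it is not SpiderLabs tooling or code from the report. The IP, hash, filename and onion values are copied from the IOC section; the Apache/nginx combined log format (client IP as the first field), the directory layout, and the sample log lines and files built in `demo()` are assumptions constructed for the example. The IOCs are kept defanged and refanged at load time, as a feed would ship them.

```python
"""IOC sweep for the indicators in this report (added example, not SpiderLabs
tooling). IOC values come from the report; log format, file layout and the
sample inputs in demo() are assumed/constructed here."""
import hashlib
import os
import re
import tempfile

# Network IOCs, kept defanged exactly as a feed would ship them.
IOC_IPS_DEFANGED = ["91.212.166[.]86", "91.212.166[.]16", "193.143.1[.]139"]
IOC_ONION_DEFANGED = "weaxorpemwzoxg5cdvvfd77p3qczkxqii37ww4foo2n4jcft3mytbpyd[.]onion"

# SHA256 sample hashes from the report.
IOC_SHA256 = {
    "91811e7a269be50ad03632e66a4a6e6b17b5b9b6d043b5ac5da16d5021de8ddb",
    "4db2fa8e019cf499b8e08e7d036b68926309905eb1d6bb3d5466e551ac8d052e",
    "956934581dfdba96d69b77b14f6ab3228705862b2bd189cd98d6bfb9565d9570",
    "a2f0e6f9c5058085eac1c9e7a8b2060b38fd8dbdcba2981283a5e224f346e147",
    "7d1de2f4ab7c35b53154dc490ad3e7ad19ff04cfaa10b1828beba1ffadbaf1ab",
    "d682d5afbbbd9689d5f30db8576b02962af3c733bd01b8f220ff344a9c00abfd",
    "40b75aa3c781f89d55ebff1784ff7419083210e01379bea4f5ef7e05a8609c38",
    "7f2319f4e340b3877e34d5a06e09365f6356de5706e7a78e367934b8a58ed0e7",
}
# Generic filenames seen on compromised hosts: a weak signal, reported as a
# reason to inspect rather than as a confirmed match.
IOC_FILENAMES = {"htdocs.zip", "DLLl.txt", "base64.txt"}


def refang(ioc: str) -> str:
    """Undo the usual '[.]' / 'hxxp' defanging so the value can be matched."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


IOC_IPS = {refang(ip) for ip in IOC_IPS_DEFANGED}
ONION = refang(IOC_ONION_DEFANGED)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def match_log_lines(lines):
    """Return (line number, ip) for each line whose client IP is an IOC.
    Only the first IPv4 on the line (the client field) is checked, so an IOC
    that merely appears in a URL or referrer does not fire."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = IPV4_RE.search(line)
        if m and m.group(1) in IOC_IPS:
            hits.append((n, m.group(1)))
    return hits


def classify_file(name: str, data: bytes):
    """Return (sha256, reasons); an empty reasons list means no indicator hit."""
    digest = hashlib.sha256(data).hexdigest()
    reasons = []
    if digest in IOC_SHA256:
        reasons.append("sha256 matches reported sample")
    if name in IOC_FILENAMES:
        reasons.append("filename matches reported generic dropper name")
    if ONION.encode() in data:
        reasons.append("contains WeaXor onion C2 hostname")
    return digest, reasons


def scan_tree(root: str):
    """Walk a web root; return sorted [(relative path, sha256, reasons)] for hits."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest, reasons = classify_file(name, f.read())
            if reasons:
                findings.append((os.path.relpath(path, root), digest, reasons))
    return sorted(findings)


# Constructed sample log lines (not from the report). Line 3 carries an IOC
# only inside the request path and must not match.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '91.212.166.86 - - [10/Jun/2025:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 80',
    '198.51.100.4 - - [10/Jun/2025:10:00:03 +0000] "GET /?r=91.212.166.16 HTTP/1.1" 404 0',
    '193.143.1.139 - - [10/Jun/2025:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 1200',
]


def demo():
    """Sweep a constructed web root; returns (log hits, file findings)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "uploads"))
        files = {  # constructed contents, not real samples
            "index.php": b"<?php echo 'hello'; ?>",
            os.path.join("wp-content", "uploads", "DLLl.txt"): b"TVqQAAMAAAAEAAAA",
            os.path.join("wp-content", "note.txt"): b"c2: " + ONION.encode(),
        }
        for rel, data in files.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        return match_log_lines(SAMPLE_LOG), scan_tree(root)


if __name__ == "__main__":
    log_hits, file_hits = demo()
    for n, ip in log_hits:
        print(f"log line {n}: client {ip} is a listed IOC")
    for rel, digest, reasons in file_hits:
        print(f"{rel} ({digest[:12]}...): {', '.join(reasons)}")
```

In practice, point `scan_tree` at the real document root and feed `match_log_lines` the access and proxy logs; a hash match is conclusive, while a filename or onion-string hit is a lead that still needs manual review.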
## Lessons Learned
- **Web Application Security:** Relying on outdated or poorly configured CMS platforms (like WordPress) remains a significant entry point for attackers looking to host malware or launch further attacks.
- **Threat Diversity:** Defenders must prepare for multiple, concurrent threat types (ransomware, banking trojans/info stealers, web compromise) utilizing disparate infrastructure.
- **Contextual Monitoring:** Monitoring regional activity (e.g., Korean activity for XWorm) is crucial as threat actors localize their targeting efforts.
## Recommendations
- Immediately patch and update all WordPress installations, themes, and plugins to mitigate common exploitation vectors.
- Implement robust Web Application Firewalls (WAFs) with specific rules targeting known CMS vulnerabilities.
- Enhance endpoint detection and response (EDR) capabilities to detect suspicious file execution related to the observed malware hashes and behaviors.
- Regularly scan websites for unauthorized file modifications and backdoor implants.
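As an added example of the last recommendation (not code from the report, SpiderLabs or WordPress), the script below compares a WordPress document root against a baseline manifest of SHA256 digests and, independently of the baseline, flags PHP files that should not exist or look like backdoors. It assumes the baseline was taken from a known-clean copy of the site (fresh install plus the deployed theme and plugins); the two backdoor heuristics (PHP under `uploads`, and `eval()` of a decoder or a request parameter invoked as a function) are common web shell traits chosen for this example, not findings from the report. The compromise staged in `demo()` is constructed.

```python
"""Baseline-diff and backdoor-heuristic scan for a WordPress docroot.
Added example, not a SpiderLabs or WordPress tool; the heuristics are
assumptions of this example."""
import hashlib
import os
import re
import tempfile

# Common web shell / injected loader constructs (assumed heuristics):
#   eval(base64_decode(... / eval(gzinflate(...    and
#   $_POST['f']($_POST['c'])   (request parameter called as a function)
SUSPICIOUS_PHP = re.compile(
    rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("
    rb"|\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(",
    re.IGNORECASE,
)
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")


def build_manifest(root: str) -> dict:
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return manifest


def diff_manifests(baseline: dict, current: dict):
    """Return (added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return added, removed, modified


def php_findings(root: str):
    """Flag PHP under uploads (which should hold no code) and PHP containing
    backdoor-like constructs, even if the baseline already knew the file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if "uploads" in rel.split(os.sep):
                findings.append((rel, "php under uploads"))
            with open(path, "rb") as f:
                if SUSPICIOUS_PHP.search(f.read()):
                    findings.append((rel, "backdoor-like construct"))
    return sorted(findings)


def demo():
    """Build a clean tree, baseline it, stage a constructed compromise, rescan.
    Returns ((added, removed, modified), php findings)."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)

        write("index.php", b"<?php require __DIR__ . '/wp-blog-header.php';")
        write("wp-content/themes/t/functions.php", b"<?php add_action('init', 'x');")
        write("wp-content/uploads/2025/a.jpg", b"\xff\xd8\xff")
        baseline = build_manifest(root)

        # Constructed compromise: injected loader, dropped shell, deleted file.
        write("wp-content/themes/t/functions.php",
              b"<?php eval(base64_decode('aGk=')); add_action('init', 'x');")
        write("wp-content/uploads/2025/cache.php", b"<?php $_POST['f']($_POST['c']);")
        os.remove(os.path.join(root, "index.php"))

        return diff_manifests(baseline, build_manifest(root)), php_findings(root)


if __name__ == "__main__":
    (added, removed, modified), findings = demo()
    print("added:", added, "removed:", removed, "modified:", modified)
    for rel, reason in findings:
        print(f"{rel}: {reason}")
```

Store the baseline manifest off-host (an attacker with write access to the docroot can rewrite one kept beside it), regenerate it after every legitimate update, and treat any PHP appearing under `wp-content/uploads` as a finding regardless of its contents.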