Researchers from MalwareBytes have uncovered a malware campaign that has compromised thousands of websites running popular content management systems (CMS) such as WordPress, Joomla or Squarespace.
The campaign appears to have started in December of 2017 and has been gaining steam by adding more compromised sites according to the MalwareBytes report.
Once the hackers infect the unpatched CMS websites with malicious code, they then rely on social engineering to trick website visitors into clicking on a fake update notification message and install “updates” for Chrome or Firefox. In another case, the notifications will prompt user to install an Adobe Flash patch if running Internet Explorer. The fake message instead downloads malware to the victim computer.
Examples of malware examined in the report include Chtonic banking malware (a variant of ZeusVM) and NetSupport Remote Access Tool (RAT) that can be used as a backdoor.
CMS site admins are strongly encouraged to keep their websites up to date and patched at all times to help prevent future malicious code infections.