Part 2: Compromised WordPress Pages and Malware Campaigns

Medium
Published: Fri May 16 2025 (05/16/2025, 08:51:12 UTC)
Source: AlienVault OTX

Description

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign targeted Korean-speaking users through fake investment chat rooms. The Strela Stealer targeted email clients in German-speaking countries, while the WeaXor ransomware, a revised version of Mallox, was also observed. The report details the infection chains, provides IOCs, and recommends blocking CIDR ranges associated with Proton66 and Chang Way Technologies to mitigate risks.

AI-Powered Analysis

Last updated: 07/02/2025, 04:10:29 UTC

Technical Analysis

This threat analysis covers a series of malware campaigns linked to the Proton66 group, which primarily target Android devices via compromised WordPress websites. The attackers embed redirector scripts in these compromised sites to funnel unsuspecting visitors to malicious payloads that mimic legitimate services such as the Google Play Store, increasing the likelihood of successful infection. The campaigns are multi-faceted: the XWorm malware targets Korean-speaking users through fake investment chat rooms, the Strela Stealer focuses on email clients predominantly in German-speaking countries, and the WeaXor ransomware is a newer iteration of the Mallox ransomware family.

The infection chains typically begin with the exploitation of vulnerable WordPress sites; because WordPress is so widely deployed as a content management system, it is an attractive target. The redirector scripts serve as the initial infection vector, directing victims to download malware disguised as legitimate applications. The XWorm campaign uses social engineering tailored to Korean-speaking victims, distributing malware through fake investment chat rooms. Strela Stealer harvests credentials from email clients and poses a significant risk to confidentiality, especially in the German-speaking regions where it has been observed. The WeaXor ransomware encrypts victim data and demands ransom payments, a direct threat to availability and data integrity.

The report also recommends mitigation strategies, including blocking CIDR IP ranges associated with Proton66 and Chang Way Technologies, which are linked to the infrastructure used in these campaigns. The campaigns use a variety of tactics, techniques, and procedures (TTPs), including phishing (T1566), credential theft (T1552), persistence mechanisms (T1547), exploitation of public-facing applications (T1190), and execution of malicious scripts (T1059). This multi-vector approach increases the complexity and potential impact of the threat.

Potential Impact

For European organizations, this threat poses several significant risks. The use of compromised WordPress sites as infection vectors is particularly concerning given the widespread adoption of WordPress across Europe, including many corporate and governmental websites. The Strela Stealer's focus on German-speaking countries indicates a targeted effort to compromise email credentials, which could lead to unauthorized access to sensitive communications and data breaches. The presence of ransomware like WeaXor threatens operational continuity by encrypting critical data and demanding ransom payments, potentially causing financial losses and reputational damage. Furthermore, the phishing and social engineering components of these campaigns increase the likelihood of successful infections, especially in organizations with less mature cybersecurity awareness programs. The targeting of Android devices expands the attack surface, as mobile devices are often less protected and used for both personal and professional purposes. This could facilitate lateral movement within networks or exfiltration of sensitive information. Overall, the threat could disrupt business operations, compromise confidential data, and impose significant recovery costs on affected European entities.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to the specific tactics observed in these campaigns:

1. Harden WordPress Installations: Regularly update WordPress core, plugins, and themes to patch known vulnerabilities. Employ security plugins that monitor for unauthorized changes and block malicious scripts.
2. Network Controls: Block CIDR ranges associated with Proton66 and Chang Way Technologies at the firewall and intrusion prevention system (IPS) levels to disrupt command and control (C2) communications.
3. Email Security: Deploy advanced email filtering solutions to detect and quarantine phishing attempts, especially those mimicking investment opportunities or other social engineering lures.
4. Endpoint Protection: Use mobile device management (MDM) solutions to enforce security policies on Android devices, including restricting installation of apps from untrusted sources and enabling real-time malware scanning.
5. User Awareness Training: Conduct targeted training focusing on recognizing phishing campaigns, suspicious redirects, and the risks of installing applications from unofficial sources.
6. Incident Response Preparedness: Develop and regularly test incident response plans that include procedures for ransomware containment and recovery, credential theft incidents, and malware eradication.
7. Credential Hygiene: Enforce multi-factor authentication (MFA) across email and critical systems to mitigate the impact of stolen credentials.
8. Monitoring and Threat Intelligence: Continuously monitor network traffic and logs for indicators of compromise (IOCs) related to Proton66 campaigns and integrate threat intelligence feeds to stay updated on emerging tactics.
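One way to act on the monitoring recommendation (item 8) is to sweep outbound proxy logs for the domain and IP indicators listed on this page. The script below is an added example, not code from the page, Trustwave or AlienVault; it assumes a simple constructed log layout of "client_ip method url", matches on the request host only (so an indicator string inside a path does not trigger a hit), and matches the listed IPs rather than CIDR ranges, since the page does not give the ranges.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Domain and IP indicators taken from this page's IOC list.
IOC_DOMAINS = {
    "playstore-fr.com", "playstore-spain.com", "playstores-france.com",
    "playstors-france.com", "playstors-gr.com", "spain-playmarket.com",
    "spain-playstores.com", "updatestore-spain.com", "us-playmarket.com",
    "www-kodi.com", "www-wpx.net",
}
IOC_IPS = {ipaddress.ip_address(a) for a in (
    "193.143.1.139", "193.143.1.205", "45.93.20.58",
    "91.212.166.146", "91.212.166.16", "91.212.166.86",
)}

# Assumed log layout (constructed for this example): "<client_ip> <method> <url>".
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def host_matches(host: str) -> bool:
    """True if host is a listed IP, a listed domain, or a subdomain of one."""
    host = host.lower().rstrip(".")
    try:
        return ipaddress.ip_address(host) in IOC_IPS
    except ValueError:
        pass  # not an IP literal; fall through to the domain check
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan_proxy_log(lines):
    """Return (client_ip, url) for every request whose host is an IOC."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        client, _method, url = m.groups()
        if host_matches(urlsplit(url).hostname or ""):
            hits.append((client, url))
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "10.0.0.12 GET http://www.google.com/",
    "10.0.0.12 GET http://updatestore-spain.com/new/landing",
    "10.0.0.33 GET http://cdn.www-kodi.com/droid.js",
    "10.0.0.45 GET http://193.143.1.139/Ujdu8jjooue/biweax.php",
    "10.0.0.45 GET http://example.org/playstore-fr.com.html",
    "10.0.0.77 GET https://www-wpx.net:8443/assets/core.js",
]
```

Running `scan_proxy_log(SAMPLE_LOG)` returns four hits (the Google request and the line that only carries an indicator in its path are not flagged); in practice, feed it the real log lines and then check the flagged clients for the Play Store lookalike downloads described above.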

Technical Details

Author
AlienVault
TLP
white
References
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/proton66-part-2-compromised-wordpress-pages-and-malware-campaigns/
Indicators of Compromise


Threat ID: 682c992c7960f6956616a2b7

Added to database: 5/20/2025, 3:01:00 PM

Last enriched: 7/2/2025, 4:10:29 AM

Last updated: 8/18/2025, 1:43:49 PM

Views: 19
