The Internet Storm Center (ISC) has spotted 'admedia attacks' breaking out of their original WordPress vectors.

According to a post late last week, the ISC (courtesy of author Brad Duncan) posted that “the group behind the WordPress 'admedia' campaign” is now attacking Joomla-hosted sites.

The other evolution in the campaign, Duncan notes, is that since it was first noticed at the beginning of this month mostly dropping the Nuclear exploit kit on target sites, it's now added Angler.

Duncan, who is also a security researcher at Rackspace, also notes that the attackers have started using “megaadvertize” in their gateway URLs (instead of “admedia” as was used when the attack was first spotted).

The technique, however, stays the same: the target site is compromised to generate hidden iframes in visitors' browsers, and the malicious URLs act as a “gate between the compromised Website and the EK [exploit kit – The Register] server”.

The overall process, however, remains the same. For example:

178.62.122.211 - img.belayamorda.info - admedia gate;

185.46.11.113 - ssd.summerspellman.com - Angler EK

192.185.39.64 - clothdiapersexpert.com - TeslaCrypt callback traffic

As before, Duncan writes, a script injection was the initial attack, with the JavaScript files from the compromised site carrying appended malicious scripts. From there it's a short walk to ransomware hell. ®