A couple of weeks ago we blogged about an attack against WordPress sites initially discovered by Denis Sinegubko over at Sucuri. The campaign is still going on but quickly evolved, as reported by DeepEnd Research, with a change in its URL pattern from “/admedia/” to “/megaadvertize/”.
According to our honeypot data, this change happened around Feb. 4th and has been active as it ever since. Besides some pattern changes in the URL, the redirection mechanism is different from the initial campaign as well as its payload. Indeed the Admedia campaign was pushing the Nuclear exploit kit whereas this one is delivering Angler.
