Crooks are utilizing hidden “well-known” directories of HTTPS sites running WordPress and Joomla websites to store and serve malicious payloads.
Hacked websites were used for several malicious purposes, experts observed compromised WordPress and Joomla websites serving Shade/Troldesh ransomware, coin miners, backdoors, and some times were involved in phishing campaigns.
WordPress sites compromised by hackers were running versions 4.8.9 to 5.1.1 of the popular CMS that are affected by a cross-site request forgery (CSRF) flaw that resides in the comment section of WordPress that is enabled by
An attacker can hack a website running a vulnerable version of WordPress that has comments enabled by tricking an administrator of a target site into visiting a website set up by the attacker.
According to the experts, the
“We have been monitoring the compromised HTTPS sites for a few weeks and have noticed that attackers are favoring a well-known hidden directory present on the HTTPS website for storing and distributing Shade ransomware and phishing pages.” reads the analysis from Zscaler.
“The hidden /.well-known/ directory in a website is a URI prefix for well-known locations defined by IETF and commonly used to demonstrate ownership of a domain. The administrators of HTTPS websites that use ACME to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ directories to show the certificate authority (CA) that they control the domain.”
Threat actors abused a well-known hidden directory in the HTTPS sites for storing the malware. The directory is a URI prefix for well-known locations defined by IETF and used to demonstrate the ownership of a domain.
Administrators of HTTPS websites using ACME to manage SSL certificates place a unique token inside the folder, to show the CA that the domain is under their control. The CA scans this folder for a code that was previously sent to the administrator.
“The attackers use these locations to hide malware and phishing pages from the administrators. The tactic is effective because this directory is already present on most HTTPS sites and is hidden, which increases the life of the malicious/phishing content on the compromised site,” continues Zscaler
The following graph shows different types of threats that were distributed with this approach, the Shade
Compromises websites delivering the Shade/Troldesh
HTML files are used to redirect victims to download ZIP files (
reso.zip, rolf.zip, and
The variant of Shade/Troldesh ransomware involved in the attack uses a TOR client to connect to the C2 and encrypts both the content and name of targeted files.
Attackers used phishing pages related to several popular services and brands, such as Office 365, Microsoft, DHL, Dropbox, Bank of America, Yahoo, Gmail, and other brands, the security researchers say.
Further technical details are, including Indicators of Compromise, are reported in the analysis.