The compromised websites did not share the same vulnerable WordPress version or plugin, suggesting that the attackers may be exploiting weak credentials or using exploits for several different vulnerabilities.
New payloads
The DoubleDonut Loader was observed delivering a new variant of Vidar Stealer, a well-known infostealer, that uses a dead drop resolver technique to retrieve its command-and-control configuration and relies on dynamic API resolution.
In addition to Vidar, two previously undocumented infostealers were observed, one written in .NET and one in C++. Rapid7 has named these new stealers Impure Stealer and VodkaStealer; both use detection evasion techniques, including non-standard data encoding and symmetric encryption for command-and-control communications, as well as sandbox environment detection using system- and time-based checks.