Media Temple injections lead to Phoenix Exploit Kit

Websense® Security Labs™ ThreatSeeker™ Network has discovered that over 100 Web sites on the Media Temple Web host servers have been compromised, and will lead visitors to the Phoenix Exploit Kit. It's not the first time they have had a WordPress injection, but a quick investigation suggests that only 46% of these sites have WordPress installed, and Sucuri Scanner reveals that they do have multiple vulnerabilities. So what happened to the other sites? They don't have WordPress installed but have still been compromised; why? According to the statement from Media Temple, neither Media Temple’s architecture nor the up-to-date versions of WordPress is the source of these compromises. Some insecure 3rd-party software applications installed on customer servers are the root cause, which has been verified by Sucuri.

All the injections are designed to only work on JavaScript files as shown below, and are obfuscated to evade detection.

After deobfuscation, we got a simple algorithm to generate malicious URLs. We generated 64 URLs which are all already covered by Websense. Now we go to check those generated URLs, and find there are 2 different scripts. One is very simple with an anti-bot trick so it won't be crawled by search engines. Unfortunately the payload site it redirects to is now down. 

The other is highly obfuscated, and finally redirects to an exploit kit called Phoenix. 

The Phoenix Exploit Kit is a sophisticated hacker tool set that exploits several of the latest vulnerabilities on popular vectors to execute arbitrary code.

Websense TRITON Advanced Classification Engine(ACE) is protecting customers against this attack. We will keep track of it and provide updates when it changes.