We have discovered a new variant of PHP malware used to edit a cPanel user's shadow file, allowing bad actors to change the passwords of all email accounts under that cPanel user.
In our past blog post, we analyzed this file's ability to modify email accounts. Today, we'll focus on the new additions made to this variant.
At first glance, the code is not human readable. This is due to some layers of obfuscation, with the most obvious being that the majority of the code is encoded in base64.
The second layer of obfuscation becomes more apparent after decoding the base64 text stored in the $_X variable:
It looks like the malicious user decided to use a type of simple substitution cipher to further obfuscate the code, making it more difficult to detect.
To decode this simple substitution cipher, we used the following PHP:
// $_X holds the base64 payload copied from the sample; $_F is the path substituted for __FILE__
$_F = __FILE__; $_X = base64_decode($_X); $_X = strtr($_X, '123456aouie', 'aouie123456'); $_R = preg_replace('/__FILE__/', "'" . $_F . "'", $_X); eval($_R);
This snippet first decodes the base64 string from $_X, then uses the strtr PHP function to replace each character in the decoded text with its counterpart in the second argument, position by position, based on the following table:
A prime example of this functionality would be the PHP variable used to store the values of common email ports:
After fully deobfuscating the malware's code, it looks very similar to the previous variants, with the exception that this new version contains an uploader. This uploader is triggered whenever a GET request is sent with the query string ?vvebos=olux (i.e. $_GET['vvebos'] equals 'olux').
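The two decoding layers described above (base64, then the strtr substitution and the __FILE__ replacement) and the uploader trigger, as an added Python example that is not code from this post or from the malware itself. It builds a constructed sample stub using the same encoding scheme, decodes it statically without ever calling eval, and shows that the ?vvebos=olux trigger is only visible after decoding, which is why a signature on the raw file misses it. The sample payload, the file path and the trigger regex are assumptions.

```python
import base64
import re

# PHP strtr($s, '123456aouie', 'aouie123456'): the character at position i
# of the first string becomes the character at position i of the second.
# It is a single pass, so str.translate() is the exact Python equivalent.
STRTR_FROM = "123456aouie"
STRTR_TO = "aouie123456"
DECODE_TABLE = str.maketrans(STRTR_FROM, STRTR_TO)
ENCODE_TABLE = str.maketrans(STRTR_TO, STRTR_FROM)  # inverse, only to build samples

# Assumed shape of the trigger check, based on the post's description.
UPLOADER_TRIGGER = re.compile(
    r"\$_GET\s*\[\s*['\"]vvebos['\"]\s*\]\s*==+\s*['\"]olux['\"]")

# The base64 blob assigned to $_X in the loader stub.
STUB_PAYLOAD = re.compile(r"\$_X\s*=\s*'([A-Za-z0-9+/=]+)'")

# Constructed sample body standing in for the real decoded malware.
SAMPLE_PAYLOAD = """<?php
if (isset($_GET['vvebos']) && $_GET['vvebos'] == 'olux') { echo "upload"; }
$ports = array(25, 110, 143, 465, 587, 993, 995);
$self = __FILE__;
"""


def encode_payload(php_source: str) -> str:
    """Reverse of the stub's decoding (substitute, then base64); used for samples."""
    return base64.b64encode(php_source.translate(ENCODE_TABLE).encode()).decode()


def build_sample_stub() -> str:
    """A loader stub with the same layout as the malware's, around our sample body."""
    return ("<?php $_F=__FILE__;$_X='" + encode_payload(SAMPLE_PAYLOAD) + "';"
            "$_X=base64_decode($_X);$_X=strtr($_X,'123456aouie','aouie123456');"
            "$_R=preg_replace('/__FILE__/',\"'\".$_F.\"'\",$_X);eval($_R);$_R=0;$_X=0;")


def static_decode(stub: str, file_path: str = "/home/user/public_html/x.php") -> str:
    """Apply the stub's three steps without eval: base64, strtr, __FILE__ substitution."""
    m = STUB_PAYLOAD.search(stub)
    if not m:
        raise ValueError("no $_X payload found in stub")
    layer1 = base64.b64decode(m.group(1)).decode("latin-1")
    layer2 = layer1.translate(DECODE_TABLE)
    # The stub replaces __FILE__ with the loader's path as a quoted literal,
    # so the decoded code knows where it lives on disk.
    return layer2.replace("__FILE__", "'" + file_path + "'")


def has_uploader_trigger(php_source: str) -> bool:
    return UPLOADER_TRIGGER.search(php_source) is not None


def scan(stub: str) -> dict:
    """Compare what a raw-file signature sees with what static decoding reveals."""
    decoded = static_decode(stub)
    return {"trigger_in_raw": has_uploader_trigger(stub),
            "trigger_in_decoded": has_uploader_trigger(decoded)}


if __name__ == "__main__":
    sample = build_sample_stub()
    print(static_decode(sample, "/tmp/x.php"))
    print(scan(sample))
```

Decoding with latin-1 keeps every byte of the payload intact, which matters on real samples that embed binary or non-UTF-8 data; the substitution table only touches the eleven ASCII characters the stub names, so all other characters pass through unchanged.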
Loading this malware file in a browser displays the following result:
As expected, the malware lists the email account(s) and their new password values, along with some helpful port scanning data for the malicious user. Bad actors can use this information to log in to the email accounts via the webmail browser interface available on most cPanel hosting accounts. The default webmail ports are 2095 (HTTP) and 2096 (HTTPS), e.g. hxxp://domain.com:2095 or hxxps://domain.com:2096.