Stars: 116
Forks: 38
Pull Requests: 0
Issues: 1
Watchers: 10
Last Updated: 2021-06-18 16:00:43
Deobfuscation and analysis of PHP malware captured by a WordPress honey pot
Languages: PHP, HTML, Shell, Perl, JavaScript, Roff, C, Go, Hack, CSS
Rough cut analysis of PHP source code that I got via running a WordPress honey pot.
This illustrates what I think the bottom feeders who hack WordPress sites do, once they have illegitimate access to a new WordPress instance or host. It's not scientific in any way. I'm only decoding the pieces of malware that arrive at one honey pot, and I'm only decoding those pieces that seem interesting because of method of download, obfuscation or unique content. Oddities are over-represented because of that.
This collection of PHP malware, all found in the wild, fits into a number of categories:
Some combinations occur: web shells, particularly WSO, often get used as a backdoor (Php action, RC action). Access verification is a form of reconnaissance.
Recon sometimes just looks at what CMS/frameworks are present, but other times collects information about user ID, type and version of OS, file system hints, useful only for potential lateral moves. GetDomains recon seems like something of both, though.
It seems to me that there are "cross cutting" aspects of this kind of collection and analysis.
Code that checks compromised website files for fragments of PHP that indicate those files are probably malware. Renames, deletes or repairs suspect files, which probably renders most of them inoperative. Injects code into WSO web shells that adds a special cookie check as access control.
A PHP manager that downloads, runs, then deletes, a Python program that downloads a list of domain names, enumerates users of WordPress blogs on those domain names, and tries to guess working passwords. Guesses passwords using xmlrpc.php calls, not through the WordPress login page.
574 instances of an email spamming tool downloaded to 7 different types of web shell, followed by 559 attempts to send a test email through the spamming tool URLs. I propose a hypothetical design for this distributed system.
2019-11-01, captured a similar campaign
The most backdoored download I've ever seen: a WSO 2.1 web shell with two phone-homes. It also downloads the LeafMail mailing tool, and a WSO 2.6 web shell.
An instance of b374k Web Shell, which gets some code from EXIF data of a googleusercontent.com JPEG image.
Descendant of b374k web shell, probably v2.2
A FOPO-encoded WSO webshell that I hand-decoded because I didn't believe it was really FOPO-encoded. Arrived in the same campaign that delivered the K4X SHELL.
Medium-capability web shell downloaded along with login_wall fake plugin. May be related to c99 web shell.
Another autokey-encoded instance of the ring.php web shell. The obfuscation has changed, and this wasn't part of a login_wall download.
gsptg.php seems to try to convince web crawlers, spiders, search engines and bots to come back often. Ordinary humans probably continue to see the compromised WordPress site, but it also sends users either referred by .kr domains, or using Korean language in their browsers, off to new URLs. Downloaded via ring.php
A batch of malware received between 2017-11-23 and 2018-05-03 sharing a common method of encryption. The encryption appears to be from the WSO 4.x series of web shells, but it has a much shorter key (8 vs 44 bytes). At least 52 different downloads, including 4 instances of mumblehard. It's refreshing to see someone using non-trivial encryption.
Mumblehard botnet: a server that relays TCP/IP connections, and a persistent payload, executed by cron, that can download code from a command and control server, then start it running.
Downloaded via WSO 4.x, my honey pot caught an evolved mumblehard.
Examination of the 44 Mumblehard instances I caught, to see how the code and methods progress as time goes by.
A password-protected, plugin-extendable back door.
2019-05-09, I got a download of v3-01 of this backdoor. It has a lot of fun stuff in it.
A Quttera blog entry gives a non-specific description of these backdoors.
An object oriented dropper, descended from the procedurally-coded code-in-cookie back door's dropper. An attack on a real WSO would leave behind an Extendable back door v2.0-1.
Campaign that would have installed v1-01 extendable backdoors. The attackers tried to verify working WSO web shell targets before the installation.
Caught a second campaign on 2019-07-07
A backdoor that someone has tried to access over 1 million times on my web site alone. Pretty stupid in and of itself, but apparently an underground market for this backdoor exists.
A collection of malware masquerading as a plugin, that's under active development.
A trojaned version of a real, but horribly out-of-date, plugin named "Exec-PHP".
b374k has a link to download this moderately capable web shell from pastebin.
A fake-ish theme, complete with a WSO web shell that phones home, and an earlier version of webroot.php.
Another compromised WordPress theme, containing a seemingly random complement of malware.
A relative of webrot.php, sometimes known as "webrootv3".
More back shells than you can shake a stick at.
A moderately capable backdoor: saves and executes files, as well as immediate PHP eval. Uses native PHP RC4 encryption for the password and the data transferred.
A small, highly obfuscated immediate-eval backdoor. The first layer of obfuscation just might be polymorphic, redone every so often, or for every install.
Creates a .htaccess file that redirects users to yourstockexpert.su; googlebot, bingbot and Baiduspider get a 404.
Undoes any file name changes that an invocation of the Vigilante Malware Cleaner might make, too. That just seems weird, since ".suspected" file name complaints are around, but not overwhelming. Maybe inter-spamgang warfare?
A WSO 2.5 web shell heavily modified by adding code from various other hacking tools.
3.993 second WSO (Web Shell by oRb, a.k.a. "FilesMan") installation, only eight HTTP requests, including a cold WordPress login.
Novel, yet oddly obfuscated WSO 2.5, installed via apikey.php.
apikey.php would have been installed via a plugin update with a malicious plugin, so this isn't as circular as it could have been, had apikey.php been installed via a WSO instance.
Another WSO 2.5, edited a little, called 2.6 and packaged up in a dropper that probably doesn't work. Arrived about an hour after the Chinafans defacement attempt.
Preceding the WSO 2.5 webshell installation, someone from the same Chinese IP address tried to install a defacement.
All of the passwords my honey pots have ever seen used to login to WSO instances.
What getting hit by a web exploit tool looks like.
Hacking tools disguised as a plugin, implicating a Bangladeshi hacking crew.
Remote Admin Trojans for both WordPress and Joomla.
Apparently an attempt to direct Chinese web traffic to a Macau casino by means of link spamming. Aren't search engines too sophisticated for this to work?
Modifies all .asp, .aspx, .php and .jsp files that have an assignment to a variable named remote_server to assign "www.guanjianfalan.com" to that variable.
Uploads of two Zip-format files, one of which is WSO 2.5 with some camouflaging code. The other Zip file has an ELF-format executable and a small piece of PHP to run that executable in the background.
Seems to be some kind of search engine optimization thing. It serves up different results for "human" or "bot" invokers. When it decides you're a "bot" it asks a server for text to fill out template HTML. Failing that, it gets text from ask.com or yahoo.com
Dropper that leaves a PHP file behind, which in turn injects PHP code into every theme's header.php file. If the theme injection determines that an access is from a "bot" (basically every search engine that ever was, plus lots of crawler libraries), it gets HTML from zalroews.pw to pass back to the "bot".
A 12-access campaign to install a backdoor. Accesses from 12 different IP addresses within 20 seconds, attempting to download one of 2 individually-obfuscated backdoors.
12-request, approx 30 second campaign, installs 2 different malwares, variant WSO 2.5, and Leafmailer.
Native PHP SOCKS server. I often see Perl and even compiled ("bouncer") SOCKS servers downloaded. Can you sell SOCKS servers on some underground markets? Is there value in having a cut-out like this?
A short (11 second, 17 HTTP request) campaign that wanted to install Perl Simple SOCKS Server code, but failed, probably because my WSO emulation is not accurate enough.
Three attempts to install an email spamming tool, featuring attempts to invoke the tool 34 seconds later.
Two versions of something.
c99 web shell inside 10-12 levels of obfuscation.
Simple web shell, credits itself to an Indonesian URL.
A simple backdoor, with just enough features to allow a human to use it without too much automation. Use could easily be automated. May be kinked, in that it has a backdoor itself, if you know the magic HTTP parameter.
An email spam sent through a WSO web shell, dating to 2015. Contains a vigilante cookie
Email spamming tool, explodes a single POST request into multiple emails. Has "check" function that looks up compromised machine's IP address in various email black lists.
Simple, reasonably carefully coded remailer.
Another small, carefully coded remailer.
WSO "Web Shell by oRb", downloaded by a previously-installed instance of WSO.
An email spamming tool, with WSO web shell appended. Complete with "phone home" code to notify a Ukrainian web site that someone invoked the program.
Knows how to recognize 24 different CMS systems and frameworks. Responds to an HTTP POST with a serialized summary of what CMS and framework(s) it found.
Full-featured, Chinese language web shell, with a modern webapp look to it.
Redirects mobile phone browsers to some other URL via mod_rewrite commands in the document root .htaccess file.
Downloads PHP code that when executed, creates an HTML file. The downloading IP address immediately attempted to access the HTML file, so this is probably just access verification.
Creates a .htaccess file that can maybe redirect to a Russian boner pill site. Commented-out code could check for the compromised host's presence on black lists.
I hypothesize this is an Apache virtual host directory reconnaissance tool. Looks for directory names with 150+ domain-name-like suffixes, seems to emphasize Russian and eastern European country codes.
Modified PhpSpy web shell, disguised as a GIF file, downloaded as a theme update. Modifications are at least to change some labels to Turkish, and add "phone home" code that lets someone in Turkey know that the web shell has executed. Is there no honor among thieves!?!
Ancient SuperFetchExec PHP malware, still using the same old XOR string it was using in 2012.
Somewhat modified Web Shell by oRb, derived from version 2.5, or possibly 2.9. Many levels of obfuscation.
A real (albeit possibly off-license) file manager plugin, illegitimately installed. Interesting dual use of COTS technology.
Email spamming tool, where all email/SOCKS/spam parameters are transmitted in an HTTP cookie.
An intermediary, coded and obfuscated for my specific honey pot, that acts as a cut-out between the downloader, and another web site. Performs SQL injection testing on that other web site.
Dropper that relies on a WSO 2.9 variant to execute, except its Base64 encoding is messed up. Drops a PHP program that can (a) delete all .htaccess files up to document root, or (b) generate some underhanded JavaScript that redirects you to a scammy website.
Small piece of obscured PHP that executes functions named in HTTP cookies on PHP code also named in HTTP cookies. Even more obfuscated than it sounds.
PHP that injects ASP code, that itself puts HTML hyperlinks into the ASP-generated HTML. Odd choice to use on a compromised WordPress site, which is probably hosted on Linux.
A WordPress theme containing two PhpSpy web shells, and a web-based file manager that phones home.
An encrypting back door.
Access validation/PHP execution and file downloader.
A more capable, more robust version of the apikey.php file gateway, along with an immediate eval backdoor someone downloaded via that more robust version.
A rather ordinary, unremarkable file upload and download utility.
A "COTS" email spamming tool. I'm not sure what LeafMail's business model is, however. Doesn't seem to be a way to pay for it.
Rebranded version of LeafMailer.
That's right, OOD gone too far, an object-oriented immediate eval back door.
Simple, HTTP POST backdoor, with a suspicious file name.
Confusing PHP that might execute code sent to it two times.
Simple uploader which outputs a block of text, destroying its ability to remain hidden.
A somewhat obfuscated backdoor that seems to use assert() to evaluate code passed in an HTTP POST request. The Akismet plugin update is extremely broken: it uses an old version, and also got commented out.
Composes and returns a machine-parseable string with information about web server's file system, user ID running PHP or the web server, and "uname" output. Nothing about the web server, which makes sense as this recon code was downloaded to what was believed to be a pre-existing backdoor.
WSO 2.5 web shell, with a novel, 2-step obfuscation. Attacker also added some anti-search-discovery code. Most amusing.
PHP file downloaded via WSO that decodes and evals some encoded PHP. Some obfuscation of both encoded PHP payload and the decoding PHP.
Email spam, the download probably works in 3 different web shells or backdoors. Seems to be part of a spamming campaign, my honey pot has caught additional, slightly different, emails.
An instance of the "Rebels Mailer" web front end email spamming tool, immediate PHP evaluator, and local file inclusion backdoor.
Small PHP program that can use POST parameter values to send email from the compromised machine, concealing the email's true origin.
Straightforward remailing PHP file. The actual download attempt appears double, presumably to allow 2 different web shells to install it.
The installer for something to turn a compromised WordPress site into an SEO site, probably peddling online pharmaceuticals to Japanese or Chinese users.
An actual lightweight, fast file manager, licensed under GNU GPL v2.
Smallish, 297-line-of-code file manager, in Turkish.
Another single-file file manager app for "hackers".
PHP downloaded to WSO web shell. When invoked with proper GET parameter(s) it can check if the hostname it's on is in Google's safe browsing as unsafe, or in Spamhaus' block list.
Interactive web page that sends a test email to the invoker's choice of addresses.
Download to WSO's immediate eval action. Tests if it can write a file, and then maybe execute simple arithmetic in PHP.
A single HTML file defacement, thanks to Suleiman Haker of Saudi Arabia! Suliman Haker writes quality HTML, though.