This is a minor update about the "pseudo-darkleech" malware we have been following for about a year now.
We previously wrote that it is usually located inside the wp-includes/nav-menu.php file on WordPress sites and in the includes/defines.php file on Joomla! sites. But these are not the only targeted CMSs. We also find Drupal sites infected by this malware; there, the injected code lives in the includes/bootstrap.inc file.
The malware fetches the code it injects into webpages from third-party servers. In the versions we described earlier, the URLs of those servers are simply base64-encoded, e.g.:
$url = base64_decode("aHR0cDovLzkzLjE4OS40Mi43Mi9ibG9nLz9mcmFnaWxlJnV0bV9zb3VyY2U9MjQ2NzoyNjAzODM6NDU1");
Which decodes to hxxp://93 .189 .42 .72/blog/?fragile&utm_source=2467:260383:455
But there are versions that use a custom obfuscation layer on top of base64: after decoding, every byte is XORed with a fixed key (3 in the sample below). It is not real encryption, just enough to defeat a naive search for "http" or for the plain base64 form of the URL.
$url = decrypt_url('a3d3czksLDI2Mi0xMjQtNjQtMjQ7LGFvbGQsPGFmd2IldnduXHBsdnFgZj41NTQxOzk1MTA3MTs5NDQ0');
Here’s the decryption function:
function decrypt_url($encrypted_url)
{
    // First layer: the stored string is plain base64.
    $encrypted_url = base64_decode($encrypted_url);
    $url = '';
    // Second layer: single-byte XOR with the constant 3, applied to every byte.
    // XOR is its own inverse, so the same loop both "encrypts" and "decrypts".
    for ($i = 0; $i < strlen($encrypted_url); $i++)
    {
        $url .= chr(ord($encrypted_url[$i]) ^ 3);
    }
    return $url;
}
So the decoded URL is hxxp://151 .217. 57 .178/blog/?beta&utm_source=66728:623428:777
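For anyone cleaning an infected site, it helps to pull these URLs out of the PHP file mechanically rather than decoding them by hand. The script below is an added example written for this post (it is not Sucuri's tool and not code taken from the malware): it scans a constructed PHP fragment that contains both URL-loading variants shown above, decodes the plain base64 form, and ports decrypt_url() for the XOR form. It goes one step further than the page: instead of hard-coding the key 3, it recovers whatever single-byte XOR key produces an http(s):// prefix, on the assumption that future variants may only change that constant. The sample file contents, the function names and the defanging helper are all assumptions made for the example.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed fixture modelled on the two variants quoted in the post.
# This is not a real infected file, just the two relevant lines.
SAMPLE_PHP = """<?php
$url = base64_decode("aHR0cDovLzkzLjE4OS40Mi43Mi9ibG9nLz9mcmFnaWxlJnV0bV9zb3VyY2U9MjQ2NzoyNjAzODM6NDU1");
// ... rest of the injector ...
$url = decrypt_url('a3d3czksLDI2Mi0xMjQtNjQtMjQ7LGFvbGQsPGFmd2IldnduXHBsdnFgZj41NTQxOzk1MTA3MTs5NDQ0');
"""

# Match either wrapper call and capture the base64 blob it is given.
PATTERN = re.compile(
    r"""(base64_decode|decrypt_url)\s*\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)"""
)


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (the malware's second layer)."""
    return bytes(b ^ key for b in data)


def decode_plain(blob: str) -> str:
    """Variant 1: the URL is only base64-encoded."""
    return base64.b64decode(blob).decode("latin-1")


def decode_xor(blob: str, key: int = 3) -> str:
    """Variant 2: a Python port of the malware's decrypt_url() (base64, then XOR)."""
    return xor_bytes(base64.b64decode(blob), key).decode("latin-1")


def recover_xor_key(blob: str) -> Optional[int]:
    """Assumption/generalisation: if a later sample changes the XOR constant,
    a single-byte key is trivially recovered by testing all 256 values for
    a plausible URL prefix. Returns None if no key yields one."""
    raw = base64.b64decode(blob)
    for key in range(256):
        candidate = xor_bytes(raw, key)
        if candidate.startswith(b"http://") or candidate.startswith(b"https://"):
            return key
    return None


def defang(url: str) -> str:
    """Make a recovered URL safe to paste into a report (hxxp, [.])."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def extract_urls(php_source: str) -> List[Tuple[str, str]]:
    """Return (wrapper_name, decoded_url) for every encoded URL in the source.
    Blobs whose XOR key cannot be recovered are skipped rather than guessed."""
    results = []
    for wrapper, blob in PATTERN.findall(php_source):
        if wrapper == "base64_decode":
            url = decode_plain(blob)
        else:
            key = recover_xor_key(blob)
            if key is None:
                continue
            url = decode_xor(blob, key)
        results.append((wrapper, url))
    return results


if __name__ == "__main__":
    for wrapper, url in extract_urls(SAMPLE_PHP):
        print(f"{wrapper:14s} -> {defang(url)}")
```

Running it against the fixture prints the two defanged URLs from the post. Because XOR is its own inverse, decode_xor() is also what the malware author would have used to produce the blob, so the same function can be used to generate test strings for detection signatures.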
The rest of the code does not change much between variants, so we reliably detect this malware when we clean sites, even if we have not seen pseudo-darkleech on a particular CMS before.