Camouflage does not have to be advanced to be effective

Labs Note

Often times a malware author will try to provide some type of camouflage to their malware’s coding in an effort to disguise an unsuspecting eye from its true intentions. I recently came across an interesting example from a malicious file used to bypass authentication when accessing wp-admin:

If you aren’t familiar with the word “Softaculous”, it is a popular installer for common CMS and other scripts. If you have ever used a “one click install” tool like Fantastico de Luxe or QuickInstall/Mojo Marketplace, then it is similar to that.

I also want to mention that the filename was a random alphanumeric string, so it wasn’t possible to determine the legitimacy through the filename alone. For that reason, we needed to analyze the coding and make our determination through there.

An unsuspecting person may view line 4 and see that it mentions Softaculous. If they used Softaculous before, they may just take a quick glance at the rest of the file. Since Softaculous allows for automatic updates, and users update WordPress through wp-admin,  doesn’t it seem reasonable that Softaculous may need to access wp-admin for updates and that’s the purpose of this file?

This is a great example of how the camouflage attempts to trick the user into thinking this is, or might be, just a normal file. Due to this doubt, some users won’t delete the file, leaving it intact (as I am sure many of us have accidentally deleted an important file and know how destructive that can be, especially if you don’t have any backups).

Ultimately the file was not legitimate and was determined to have been maliciously added. It’s what I would call a multi-layer backdoor, as the hacker could also create their own admin user once inside wp-admin so they wouldn’t have to rely on the file being there in the future (though a professional or security-experienced user should know to examine existing users).

If you need any help or have any questions, let us know. 🙂

You May Also Like