Labs Notes Monthly Recap

Every month we recap the latest posts on Sucuri Labs, written by our Malware Research Team (MRT) and Incident Response Team (IRT).

The Sucuri Labs website provides technical analysis and industry updates directly from our teams on the front line. You can read past-monthly recaps for an overview of the posts we’ve released.

Last month, we saw several new methods attackers use to sustain their campaigns as long as possible. This month, we notice a lot of spam campaigns using hacked sites to host redirects and acting as an intermediary. We also go over a few interesting new tactics we discovered while cleaning hacked sites.

Ghost From the Past

Denis Sinegubko

If a site stays infected for a long time before anyone notices, it can be partly due to the obfuscation elements that hackers add to hide their tracks.

We found a piece of malware on a website recently that was designed only to be used in 2011, therefore, the website has contained the malware injection for over five years.

When Malware Injection Goes Wrong

Ben Martin

If you have used Google Search Console (formerly Webmaster Tools) or Google Analytics, you may be familiar with the verification file that you can upload to the root of your site.

We look at a backdoor that uses the same naming convention as the HTML files that Google uses to verify site owners.

Spam Content Injection

Samuel Odendaal

We look at an infection that loads content from an external website and displays spam on the front page of the victim’s website only for visitors coming from search engine results.

The malicious file is actually a copy of the victim’s sites wp-blog-header.php, which loads on every page view. Every site compromised by the attacker had its own malicious copy of this WordPress core file, causing an infinite loop to regenerate the malicious injection if removed.

.user.ini SEO Spam Redirect

John Castro

We see an infection in NGINX sites that use INI files on a per-directory basis, similar to .htaccess files in Apache.

Attackers are using the auto_prepend directive to load PHP content before the page loads. This allows the attacker to evade search engines and assemble redirects to arbitrary spam content.

Backdooring Sites Using Exotic PHP Functions

John Castro

Most often, malware is written with simple PHP functions. This time we look at an attack using a function normally reserved for testing: register_tick_function()

The malware acts like a backdoor while allowing arbitrary command execution without the traditional noisy obfuscation methods we often find.

Hiding Malicious Code Using White Spaces

Yuliyan Tsvetkov

When looking at a file, if you do not use the word wrap then it’s easy enough for attackers to hide content using white spaces.

Rather than using complex, obfuscated code, these attackers added white spaces in the beginning of the file. If a webmaster doesn’t notice the horizontal scroll bar, they might not realize there is a ton of malicious code hiding just to the right.

Checking Blacklisted Domains or IP for Spamming

Luke Leal

A pharma-spam email campaign is using hacked sites to host redirects in order to avoid spam filters. One malicious file is placed on multiple hacked websites which redirect to the illegal pharma site, and the spam emails send visitors to hacked sites as an intermediary.

Furthermore, the script will terminate the campaign and choose another hacked site if the redirect responds with HTTP code 202; which means the hacked site has been blacklisted.

RealStatistics Goes TrafficAnalytics

Rodrigo Escobar

This campaign uses a fake analytics site in its malicious code, redirecting visitors through multiple sites until it reaches a spam page containing ads.

Interestingly enough, several sites contained the Search-Replace-DB tool. The file was placed in the site’s root directory and allows unauthorized access to modify the database content.

Labs Notes Monthly Recap – Feb/2017

About Estevao Avillez

About Estevao Avillez

Reader Interactions