Labs Notes Monthly Recap

Sucuri Labs provides website malware research updates directly from our teams on the front line. You can read past-monthly recaps to catch up on trends we look at every month.

This month, our Malware Research and Incident Response teams wrote about malware infections ranging from backdoors, credit card stealers, and malvertising.

The Elegant Dropper – Reusable Code for PHP Shell Installation

Yuliyan Tsvetskov

In website security, a “dropper” is a piece of code that downloads malicious content from an external source. The actual code injection on the victim’s site appears legitimate and is often undetected by security scanners.

This piece of code uses additional evasion techniques by setting up variables to store the path where the backdoor will be injected, then downloading the contents from an external malicious URL containing the backdoor code. By putting these two together, the malicious file contents are injected into the WordPress admin area. Even if the backdoor is removed, the dropper can be executed again to reinject the backdoor.

Simple $_COOKIE Backdoor Variation

Fernando Barbosa

Malware often uses $_POST and $_GET requests to inject (or steal) content for malicious purposes which are usually later flagged as malicious.

In this case, we look at an attacker who sets cookie content to contain malicious content in the form of “eval” statements and executable code. We found several variants throughout the infected file system. These cookies are then used as variables in malware injections and executed remotely.

Tricky Malvertising Injections

Abdelli Nasereddine

Conditional malware attempts target only specific visitors (geo-locations, devices, or referrers like Google Search), which make the malware harder to detect. This type of targeting is often seen with SEO spam and malvertising.

This malicious code serves specific ads to visitors in different time zones. Lately, these types of injections are noticeably rising in popularity.

Client-Side or Server-Side Script?

Denis Sinegubko

JavaScript malware injections are always suspicious. What appears to be a benign resource can actually be malicious. We found this particular infection on a Magento website but with a twist on the classic credit card stealer.

A server-side script receives data from filled in checkout forms by collecting POST request info. If you don’t use the POST method and don’t pass correct parameters, it pretends to be a benign JavaScript.

Labs Notes Monthly Recap – May/2017

About Estevao Avillez

About Estevao Avillez

Reader Interactions