Sucuri Blog

Website Security News

Labs Note

GFX Xsender Hack Tool: A Spam Mailer

October 1, 2020, by Luke Leal

PHP hack tools are created and used by attackers to help automate frequent or tedious tasks. During a recent investigation, we came across a hack tool used to simplify the process of sending predefined HTML emails to a list of email addresses.

The tool runs on top of PHPMailer’s library, which handles the connection and sending of the malicious emails.

[Image: hacktool spam mailer]

The hack tool also grants the ability to authenticate to an email account on a remote server. Once authenticated, an attacker can use the tool to send out malicious email on the victim's behalf.

These settings are hard-coded in the configuration variables found within the PHP file:

<?php
$website="hxxps://evil[.]com/"; // Make this the full URL, including the folder where the login files reside
//$website="http://www.website.com"; // Make this the full URL, including the folder where the login files reside
define('SMTPENABLE', true); // enable SMTP (true or false)
define('HOST', '[ipaddress or hostname]'); // SMTP host
define('PORT', 465); // SMTP port
define('USERNAME', 'attackercontrolled@example.com'); // SMTP username
define('PASSWORD', 'password'); // SMTP password
define('AUTH', true); // does SMTP require authentication (true or false)
define('ENC', 'ssl'); // SMTP encryption (ssl|tls), or false for none

define('SMTPSENDEREMAIL', 'spoofed@nottherealsender.com'); // From address placed on outgoing mail

By doing this, the email header logs of the malicious email will show the IP address of the server hosting the hack tool and not the attacker’s IP address — effectively acting as a proxy.

Attackers can use any email account on the Internet that accepts SMTP connections, essentially spoofing the From email to send unsolicited spam, phishing, or other unwanted emails.

One of the best ways to detect this type of malicious activity is to use a server-side scanner and monitoring service to identify any indicators of compromise on your website.
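The configuration block above is itself a usable indicator for a server-side scanner: a PHP file that pulls in PHPMailer, hard-codes SMTP credentials as `define()` constants, and fixes the From address with `SMTPSENDEREMAIL` looks nothing like an ordinary contact form. The following is an added example of such a heuristic in Python; it is not Sucuri's scanner and is not taken from the hack tool. The indicator names, regular expressions, scoring threshold and the two sample PHP files are all constructed for this illustration, and only the constant names (SMTPENABLE, HOST, PORT, USERNAME, PASSWORD, SMTPSENDEREMAIL) come from the config shown in the post.

```python
import re
from pathlib import Path

# Each indicator pairs a label of our own with a regex for one trait of the
# mailer family described above. Constant names mirror the quoted config block;
# the regexes and labels are assumptions made for this example.
INDICATORS = [
    ("phpmailer_use",
     re.compile(r"\bnew\s+PHPMailer\b|PHPMailer\.php|PHPMailer\\PHPMailer", re.I)),
    ("smtp_enable_define",
     re.compile(r"define\s*\(\s*['\"]SMTPENABLE['\"]", re.I)),
    ("smtp_host_define",
     re.compile(r"define\s*\(\s*['\"]HOST['\"]", re.I)),
    ("smtp_creds_define",
     re.compile(r"define\s*\(\s*['\"](USERNAME|PASSWORD)['\"]", re.I)),
    ("sender_override_define",
     re.compile(r"define\s*\(\s*['\"]SMTPSENDEREMAIL['\"]", re.I)),
    # A loop over a recipient list is what turns a mailer into a bulk sender.
    ("bulk_recipient_loop",
     re.compile(r"foreach\s*\(\s*\$\w*(list|emails?|recipients?)\w*\s+as", re.I)),
]


def scan_php_source(source: str, threshold: int = 3) -> dict:
    """Return the matched indicator labels and whether they cross the threshold.

    A single PHPMailer reference is normal on many sites; several hard-coded
    SMTP constants together with a fixed From address are not.
    """
    hits = [label for label, rx in INDICATORS if rx.search(source)]
    return {"hits": hits, "suspicious": len(hits) >= threshold}


def scan_directory(root: str, threshold: int = 3) -> list:
    """Walk a web root and report every .php file that trips the heuristic."""
    findings = []
    for path in Path(root).rglob("*.php"):
        try:
            source = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the whole scan
        result = scan_php_source(source, threshold)
        if result["suspicious"]:
            findings.append((str(path), result["hits"]))
    return findings


# Constructed sample resembling the mailer's config block (not the real tool).
MAILER_SAMPLE = r"""<?php
require 'PHPMailer.php';
define('SMTPENABLE', true);
define('HOST', 'smtp.example.invalid');
define('PORT', 465);
define('USERNAME', 'user@example.invalid');
define('PASSWORD', 'secret');
define('SMTPSENDEREMAIL', 'spoofed@example.invalid');
$mail = new PHPMailer();
foreach ($emaillist as $to) {
    $mail->addAddress($to);
    $mail->send();
}
"""

# Constructed sample of a benign contact form that also uses PHPMailer.
LEGIT_SAMPLE = r"""<?php
use PHPMailer\PHPMailer\PHPMailer;
$mail = new PHPMailer(true);
$mail->isSMTP();
$mail->Host = 'smtp.example.invalid';
$mail->addAddress('owner@example.invalid');
$mail->Subject = 'Contact form';
$mail->send();
"""

if __name__ == "__main__":
    for name, sample in (("mailer", MAILER_SAMPLE), ("contact form", LEGIT_SAMPLE)):
        print(name, scan_php_source(sample))
```

The threshold of three keeps a lone `new PHPMailer()` from raising an alert while the credential constants plus the sender override still trip it; `scan_directory` is the piece you would schedule against a web root, and any hit is a file to inspect by hand, since a regex heuristic cannot prove intent on its own.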

Categories: Security Education, Sucuri Labs, Website Malware Infections, Website Security
Tags: Black Hat Tactics, Hacked Websites, Labs Note, Malware, Phishing

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.
