We sometimes find malware code injections that contain strange code comments, which are normally used by programmers to annotate a section of code — for example, a short description of a feature or functionality for other developers to reference.
Oftentimes, hackers aren’t interested in leaving comments describing how their injected malware works. Instead, they use code comments to add unique identifiers to reference aliases, quotes, threat groups, or sometimes even memes. Unlike defacements, these code comments aren’t intended to be displayed on the infected website and can easily go unnoticed.
What is SCP 173?
As it turns out, SCP 173 is a story/meme entry from the SCP Foundation, a collection of creepypasta-style fictional stories dating back to 2007. It’s unknown why a hacker would choose to use it as a code comment at the end of their injection; they may simply be a fan who wanted to leave an easter egg.
SCP 173 malware injection in WordPress websites
We began noticing a malware injection targeting WordPress installations in the first week of 2020. This injection had a distinctive feature: a cryptic code comment, SCP-173, at the bottom of the malicious code injected into the core WordPress file wp-load.php:
Highlighted code comment at the bottom of malware code injection
The malware itself is a PHP backdoor dropper that defines a custom function that uses curl and file_put_contents to download malware from a third-party URL. This URL is supplied by the attacker in an HTTP request to the infected website.
Variant Usage Eclipses Original
In any case, we have detected and cleaned malware containing this comment over 10,000 times since the beginning of 2020 on our clients’ websites. This includes variants that began popping up, like the one covered earlier this April.
Graph showing detection rate of the SCP-173 commented malware
These variants essentially just use different code to complete the same task as the original malware: the main difference is the type of obfuscation used to make it more difficult for scanners to detect. For whatever reason, however, bad actors did not choose to obfuscate their code comment.
Detection & Mitigation Steps
Droppers are a distinct type of malware that can be quite difficult to detect. Because they fetch and “drop” malicious components into the compromised system from a third-party source, the variants discussed in this post should be considered a serious threat to you and your website visitors. Since this malicious code is a PHP backdoor, it is best detected using a server-side scanner that can identify the file.
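The indicators described above translate directly into server-side detection logic: the dropper combines an attacker-supplied URL from the HTTP request, a curl fetch, and a file_put_contents write, and the later obfuscated variants still carry the unobfuscated SCP-173 comment. The following scanner is an added example written for this post, not Sucuri’s own tool; the file names, regexes, and the three sample PHP files it scans are all constructed for illustration, and the samples are non-functional stand-ins rather than real injected code.

```python
"""Server-side scan for the SCP-173 dropper indicators (constructed example).

Two independent signals are checked over each PHP file:
  1. the literal "SCP-173" marker comment, which the variants left unobfuscated;
  2. the dropper behaviour: request-controlled input + curl fetch + write to disk.
A file that merely calls file_put_contents (e.g. a caching plugin) is not flagged.
"""
import os
import re

# Marker comment seen at the bottom of the injection (case/separator tolerant).
MARKER = re.compile(r"SCP[-_ ]?173", re.IGNORECASE)

# Behavioural indicators; names are assumptions chosen for this example.
INDICATORS = {
    "request_input": re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\s*\["),
    "curl_fetch": re.compile(r"\bcurl_(init|exec|setopt)\s*\("),
    "write_file": re.compile(r"\bfile_put_contents\s*\("),
    "decode_layer": re.compile(r"\b(base64_decode|gzinflate|str_rot13|eval)\s*\("),
}


def scan_php_source(source):
    """Return the list of reasons a PHP source should be reviewed (empty if none)."""
    reasons = []
    if MARKER.search(source):
        reasons.append("scp173_marker")
    hits = {name for name, rx in INDICATORS.items() if rx.search(source)}
    # Dropper signature: URL from the request, fetched with curl, written to disk.
    if {"request_input", "curl_fetch", "write_file"} <= hits:
        reasons.append("dropper_pattern")
    # Obfuscated variants: request input feeding a decode/eval layer.
    if {"request_input", "decode_layer"} <= hits:
        reasons.append("obfuscated_input_handler")
    return reasons


def scan_directory(root):
    """Walk a WordPress install and map each flagged .php path to its reasons."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                reasons = scan_php_source(fh.read())
            if reasons:
                flagged[path] = reasons
    return flagged


# Constructed sample files (not real samples; deliberately non-functional).
SAMPLES = {
    "wp-load.php (clean)": (
        "<?php\n"
        "/** Constructed stand-in for the core bootstrap file. */\n"
        "define('ABSPATH', __DIR__ . '/');\n"
        "require_once ABSPATH . 'wp-config.php';\n"
    ),
    "cache.php (benign write)": (
        "<?php\n"
        "file_put_contents(__DIR__ . '/cache.txt', 'constructed');\n"
    ),
    "wp-load.php (original injection)": (
        "<?php\n"
        "function wp_x() {\n"
        "    $u = $_REQUEST['u']; /* URL supplied in the request */\n"
        "    $h = curl_init($u); /* ... */\n"
        "    file_put_contents($target, curl_exec($h));\n"
        "}\n"
        "// SCP-173\n"
    ),
    "wp-load.php (obfuscated variant)": (
        "<?php\n"
        "$k = $_POST['k'];\n"
        "eval(gzinflate(base64_decode('CONSTRUCTED_PLACEHOLDER')));\n"
        "// SCP-173\n"
    ),
}


def scan_samples():
    """Run the scanner over the constructed samples; returns name -> reasons."""
    return {name: scan_php_source(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(f"{name}: {reasons or 'clean'}")
```

Run it against a live install with scan_directory("/path/to/wordpress"); the marker check alone catches every variant that kept the comment, while the behavioural check still fires on a variant that drops the comment but keeps the curl-and-write logic.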
If you believe your site has been infected with a malware dropper, or you’ve located malicious code with an SCP-173 comment and need a hand to clean it up, we’re here to help.
Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.