Luke Leal

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.

October 26, 2020Luke Leal

P.A.S. Fork v. 1.0 — A Web Shell Revival

A PHP shell containing multiple functions can easily consist of thousands of lines of code, so it’s no surprise that attackers often reuse the code from some of the most popular PHP web shells, like WSO or b374k. After all, if these popular (and readily…

October 22, 2020Luke Leal

R_Evil WordPress Hacktool & Malicious JavaScript Injections

We often see hackers reusing the same malware, with only a few new adjustments to obfuscate the code so that it is more difficult for scanning tools to detect. However,…

October 14, 2020Luke Leal

Magento Phishing Leverages JavaScript For Exfiltration

During a recent investigation, a Magento admin login phishing page was found on a compromised website using the file name wp-order.php. This is an odd file name choice for a…

October 13, 2020Luke Leal

Redirects to YouTube Defacement Channel

During a recent investigation, we found an infected website was redirecting to YouTube after its main index.php file had been modified to include the following line of HTML: <meta http-equiv=’refresh’…

October 1, 2020Luke Leal

GFX Xsender Hack Tool: A Spam Mailer

PHP hack tools are created and used by attackers to help automate frequent or tedious tasks. During a recent investigation, we came across a hack tool used to simplify the…

September 28, 2020Luke Leal

Backdoor Obfuscation: tempnam & URL Encoding

In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code. During a recent investigation, we came across an interesting…

September 22, 2020Luke Leal

Phishing Page Targets AT&T’s Employee Multi-Factor Authentication

Employees at companies of all sizes can be targets of phishing attacks, but certain corporations or industries can be more valuable to an attacker than others. For instance, employees at…

September 18, 2020Luke Leal

The Hidden PHP Malware that Reinfects Cleaned Files

Website reinfections are a serious problem for website owners, and it can often be difficult to determine the cause behind the reinfection — especially if you lack access to necessary…

September 16, 2020Luke Leal

phpbash – A Terminal Emulator Web Shell

It’s common for hackers to utilize post-compromise tools that contain a graphical user interface (GUI) that can be loaded in the web browser. A GUI generally makes the tool easier…

September 10, 2020Luke Leal

WordPress Malware Disables Security Plugins to Avoid Detection

An alarm or monitoring system is a great tool that can be used to improve the security of a home or website, but what if an attacker can easily disable…

August 26, 2020Luke Leal

Magento Multiversion (1.x/2.x) Backdoor

The Magento 1 EOL date has already passed, however it’s evident that a large number of websites will continue to use it for the foreseeable future. Unfortunately, attackers are also…