Obfuscation

March 19, 2019Denis Sinegubko

More on Dnsden[.]biz Swipers and Radix Obfuscation

After recent publication of the Uncommon Radixes Used in Malware Obfuscation article, we found an interesting Twitter thread involving @EKFiddle and @Ledtech3 #EKFiddle [Regex update]: Added Radix Web Skimmer identified by @unmaskparasites (https://t.co/3YJM9YeyAw).Additional domain seen in campaigns: checkip[.]bizhttps://t.co/U67qZosp1e pic.twitter.com/ZWwGZG6zyN — EKFiddle (@EKFiddle) March 17, 2019…

March 15, 2019Denis Sinegubko

Uncommon Radixes Used in Malware Obfuscation

Some JavaScript features allow for pretty interesting obfuscation techniques. For example, did you know that virtually any English word can be used as a valid number? I recently decoded a…

August 22, 2018Denis Sinegubko

Massive WordPress Redirect Campaign Targets Vulnerable tagDiv Themes and Ultimate Member Plugins

This August, we’ve seen a new massive wave of WordPress infections that redirect visitors to unwanted sites. When redirected, users see annoying pages with random utroro[.]com addresses and fake reCAPTCHA…

May 3, 2018Douglas Santos

A Puzzling Backdoor Upload

After a successful compromise, backdoors are frequently left behind and function as a point of re-entry into the website environment. These malicious pieces of code are a valuable tool for…

April 26, 2018Krasimir Konov

Analysis of a Malicious Blackhat SEO Script

An enormous number of SEO spam infections are handled by us here at Sucuri. In our most recent hacked website trend report, we analyzed over 34,000+ websites and identified that…

April 18, 2018Denis Sinegubko

From Baidu to Google’s Open Redirects

Last week, we described how an ongoing massive malware campaign began using Baidu search result links to redirect people to various ad and scam pages. It didn’t last long. Soon…

April 10, 2018Denis Sinegubko

Unwanted Ads via Baidu Links

The malware attack that began as an installation of malicious Injectbody/Injectscr WordPress plugins back in February has evolved since then. Some of the changes were documented as updates at the bottom…

April 4, 2018Peter Gramantik

Obfuscation Through Legitimate Appearances

Recently, I analyzed a malware sample provided by our analyst Edward C. Woelke and noticed that it had been placed in a core WordPress folder. This seemed suspicious, since no…

January 24, 2018Denis Sinegubko

Cloudflare[.]solutions Keylogger Returns on New Domains

A few months ago, we covered two injections related to the “cloudflare.solutions” malware: a CoinHive cryptominer hidden within fake Google Analytics and jQuery, and the WordPress keylogger from Cloudflare[.]solutions. This…

September 22, 2017Denis Sinegubko

Hacked Websites Mine Cryptocurrencies

Cryptocurrencies are all the rage now. Bitcoin, altcoins, blockchain, ICO, mining farms, skyrocketing exchange rates – you see or hear this every day in the news now. Everyone seems to…

August 15, 2017Rodrigo Escobar

Decoding Complex Malware – Step-by-Step

When cleaning websites, one of the most complicated parts of our job is ensuring we find all backdoors. Most of the time, attackers inject code into different locations to increase…