Five individually-obfuscated backdoors, version 1.0-1, also with less sophisticated dropper code.
Arrival | IP Address | ASN | geoiplookup | p0f3 OS guess |
---|---|---|---|---|
2018-06-18T11:15:45-06:00 | 184.168.27.139 | GoDaddy, AS19905 | USA | ??? |
2018-06-18T11:15:48-06:00 | 217.182.67.157 | OVH, 217.182.0.0/16 | France | Linux 3.11 and newer |
2018-06-18T11:15:49-06:00 | 78.24.217.104 | TheFirst-RU, AS29182 | Russian Federation | Linux 3.x |
2018-06-18T11:15:51-06:00 | 66.230.220.120 | Hostway Allocation, AS30217 | USA | Linux 3.1-3.10 |
2018-06-18T11:15:52-06:00 | 198.71.239.44 | GoDaddy, AS19905 | USA | ??? |
Pretty similar to earlier backdoor downloads, including GoDaddy machines again among the sources.
All five arrived within seven seconds of each other, which makes this look like a coordinated attack, and each download used a different URL.
Arrival | IP Address | URL |
---|---|---|
2018-06-18T11:15:45-06:00 | 184.168.27.139 | /wp-content/themes/sketch/404.php |
2018-06-18T11:15:48-06:00 | 217.182.67.157 | http://www.stratigery.com/wp-content/plugins/revslider/temp/update_extract/revslider/info.php |
2018-06-18T11:15:49-06:00 | 78.24.217.104 | /wordpress/wp-content/uploads/wpallimport/uploads/f2af55ff3d3404c81a296c997348e8d1/db.php |
2018-06-18T11:15:51-06:00 | 66.230.220.120 | http://stratigery.com/wp-content/plugins/revslider/temp/update_extract/revslider/info.php |
2018-06-18T11:15:52-06:00 | 198.71.239.44 | /wp-content/plugins/wp-db-ajax-made/wp-ajax.php |
Downloaded to a WSO (Web Shell by oRb) honey pot. The attacker invoked the "RC" action, with PHP source code in the "p1" POST parameter. A pre-hashed password got sent as an HTTP cookie, so this was almost certainly a group of programmatic downloads. If the download had been to a real WSO, the RC action would eval the code immediately, leaving no file behind.
I did the deobfuscation with the extract script, which includes running a deobfuscator over the code to render it readable by humans.
The obfuscation is different from previous extendable backdoors I've captured, in that the actual backdoor code has been rewritten to be impenetrable to the human eye. Previously captured backdoors were "rawurl" or base64 encoded, but the PHP code itself was not rewritten for illegibility.
This batch of backdoors is uniquely obfuscated. Variable and function names have all been replaced with names that look like randomly generated strings. This is reminiscent of the 2.0-1 backdoor.
There's a further layer of rewriting. After variables and function names got rewritten, all the individual characters used in the rewritten names get concatenated in a single string. The obfuscator sets up a clever double layer of obfuscation using that string:
```php
$GLOBALS['kaf94'] = array();                    // create a global named kaf94
global $kaf94;                                  // bind the local name to that global
$kaf94 = $GLOBALS;                              // alias it to $GLOBALS (see below)
${"GLOBALS"}['e28ec8b'] = "Ea^w+#z:rW= B...";   // the character table every name is spelled from
```
Apparently, the assignment $kaf94 = $GLOBALS; makes "kaf94" into a synonym for "GLOBALS", not just a copy of it.
Every function and variable name gets "spelled out" using the synonym, one character at a time, as indexes into that string. Using the above string, an identifier such as war would end up spelled out like this (index 3 is 'w', index 1 is 'a', index 8 is 'r'):
```php
$kaf94['e28ec8b'][3].$kaf94['e28ec8b'][1].$kaf94['e28ec8b'][8]
```
Names of PHP builtins like chr, ord and base64_decode end up as values in $kaf94[], under random string keys. By spelling out those keys using the 'e28ec8b' string, the obfuscation gets the builtin function names out of $kaf94[] too, in a confusing double trip through the array.
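Both layers can be peeled back mechanically. The script below is an added example written for this page; it is not the extract script mentioned above nor the deobfuscator it runs. It locates the alias and the character-table assignment, turns every '.'-joined chain of $alias['key'][N] lookups into a string literal, then inlines the $alias['randomkey'] entries that hold builtin names so that $alias['randomkey'](...) reads as chr(...). The embedded PHP is constructed to match the shape described above: the table string, the keys 'cW6' and 'hB4' and the final statement are made up for the example, because the real table is elided on the page.

```python
import re

# Constructed input in the shape the post describes.  The character table,
# the keys 'cW6' and 'hB4' and the last statement are made up for this example.
SAMPLE = r'''<?php
$GLOBALS['kaf94'] = array();
global $kaf94;
$kaf94 = $GLOBALS;
${"GLOBALS"}['e28ec8b'] = "Ea^w+#z:rW= Bchdo_64sbe";
$kaf94['cW6'] = $kaf94['e28ec8b'][13].$kaf94['e28ec8b'][14].$kaf94['e28ec8b'][8];
$kaf94['hB4'] = $kaf94['e28ec8b'][16].$kaf94['e28ec8b'][8].$kaf94['e28ec8b'][15];
$x = $kaf94[$kaf94['e28ec8b'][13].$kaf94['e28ec8b'][9].$kaf94['e28ec8b'][18]]($kaf94[$kaf94['e28ec8b'][14].$kaf94['e28ec8b'][12].$kaf94['e28ec8b'][19]]($kaf94['e28ec8b'][3].$kaf94['e28ec8b'][1].$kaf94['e28ec8b'][8]) + 1);
'''

_ESC = {'n': '\n', 'r': '\r', 't': '\t', '\\': '\\', '"': '"', '$': '$'}

# Matches the table assignment: ${"GLOBALS"}['key'] = "...";
TABLE_RE = re.compile(r"\$\{\"GLOBALS\"\}\['(\w+)'\]\s*=\s*\"((?:[^\"\\]|\\.)*)\"\s*;")


def php_unescape(s):
    """Decode the subset of PHP double-quoted escapes a table string may use (assumption)."""
    def one(m):
        body = m.group(1)
        if body[0] == 'x':
            return chr(int(body[1:], 16))
        return _ESC.get(body, '\\' + body)
    return re.sub(r'\\(x[0-9A-Fa-f]{1,2}|.)', one, s)


def find_table(src):
    """Return (alias, table key, decoded table string) from the setup statements."""
    alias = re.search(r'\$(\w+)\s*=\s*\$GLOBALS\s*;', src).group(1)
    m = TABLE_RE.search(src)
    return alias, m.group(1), php_unescape(m.group(2))


def deobfuscate(src):
    """Undo both layers; return (cleaned source, {random key: builtin name})."""
    alias, key, table = find_table(src)
    elem = r"\$%s\['%s'\]\[(\d+)\]" % (re.escape(alias), re.escape(key))
    chain = r"%s(?:\s*\.\s*%s)*" % (elem, elem)

    # Layer 1: a '.'-joined chain of single-character lookups is one literal.
    def spell(m):
        idxs = [int(i) for i in re.findall(elem, m.group(0))]
        if any(i >= len(table) for i in idxs):
            return m.group(0)          # out-of-range index: leave it alone
        word = ''.join(table[i] for i in idxs)
        return "'" + word.replace('\\', '\\\\').replace("'", "\\'") + "'"
    src = re.sub(chain, spell, src)

    # Layer 2: $alias['randomkey'] = 'chr';  then $alias['randomkey'](...) is chr(...)
    names = {}

    def collect(m):
        names[m.group(1)] = m.group(2)
        return ''                      # drop the definition; its uses are inlined
    defn = r"^[ \t]*\$%s\['(\w+)'\]\s*=\s*'([^'\\]*)'\s*;[ \t]*\n" % re.escape(alias)
    src = re.sub(defn, collect, src, flags=re.M)
    for k, v in names.items():
        use = r"\$%s\['%s'\]" % (re.escape(alias), re.escape(k))
        src = re.sub(use + r"(?=\s*\()", lambda m, v=v: v, src)          # call through variable
        src = re.sub(use, lambda m, v=v: "'" + v + "'", src)            # any other use
    return src, names


if __name__ == '__main__':
    cleaned, builtins = deobfuscate(SAMPLE)
    print(builtins)
    print(cleaned)
```

Run as-is it prints {'cW6': 'chr', 'hB4': 'ord'} and the cleaned snippet, whose last statement becomes $x = chr(ord('war') + 1);. To use it on a capture, pass the file's contents to deobfuscate(). It assumes the table is set with the ${"GLOBALS"}['key'] = "..." form and that each random key is assigned once, which is what the captured code shows; anything it cannot resolve is left untouched rather than guessed.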
The dropper code is clearly related to previously discovered instances of this malware, but it's not as sophisticated. This dropper does not distinguish between Joomla, WordPress and Drupal to find likely files to corrupt; it just infects any file whose name ends in ".php". It also does not write the backdoor code to a separate file and get it executed through "include" directives. Instead it modifies the ".php" file it selects by inserting the code directly at the beginning of the file. Where the previously analyzed dropper had "fr_" prefixes on almost all function names, this dropper has the same function names, but without the prefix.
This makes me think that this attack is not related to previously captured backdoors.
The backdoor code, although re-written for incomprehensibility, also seems less advanced than previously captured backdoors.
It has the same XOR encryption, with a key formatted similarly to GUIDs. Each download had a unique value:
- cf120cff-3e3d-4f64-8b34-08643c6a44cb
- 2606a46e-5b55-4583-acf1-a066691472e7
- a5049f2e-da84-4cd3-8172-d699104c62e4
- 29c7228f-c161-4521-aac5-a12d08ef0339
- f9ba9dd1-9cfe-4252-bf10-0cc9ed502a4c
The same GUID-like string gets used as a password, but where the other backdoors supported 4 actions (info, immediate eval, plugin add, plugin remove), this group of backdoors only supports two:
- 'i' action - get info; claims to be version 1.0-1
- 'a' action - immediate eval of the included code
No plugin extensibility appears. I'll buy this as version 1.0-1, where previously captured backdoors billed themselves as version 1.0-2.
This further reinforces the conclusion that this batch of backdoors is not from the same folks whose backdoors I've previously caught. Why would you give up the plugin extensibility?