Hidden SEO Spam Link Injections on WordPress Sites

Often when a website is injected with SEO spam, the owner is completely unaware of the issue until they begin to receive warnings from search engines or blacklists.

This is by design — attackers intentionally try to prevent detection by arranging injected links so they are not visible to average human traffic.

One of the techniques attackers use is to “push” the injected SEO spam links off the visible portion of the website.

Continue reading Hidden SEO Spam Link Injections on WordPress Sites at Sucuri Blog.

PrestaShop SuperAdmin Injector and Login Stealer

According to W3Tech’s data, PrestaShop is among the most popular CMS choices for existing ecommerce websites, so it should come as no surprise that malware has been created to specifically target these environments.

We recently came across an infected PrestaShop website with malware which was automatically injecting a super admin PrestaShop user whenever the website owner logged into the backend.

The malware was found injected into the following existing PrestaShop core files:

./controllers/admin/AdminLoginController.php
./classes/Employee.php

The injected PHP code works by checking the $email variable contents — which, by default, stores the email address used when trying to log into PrestaShop.

Continue reading PrestaShop SuperAdmin Injector and Login Stealer at Sucuri Blog.

Evasive Maneuvers in Data Stealing Gateways

We have already shared examples of many kinds of malware that rely on an external gateway to receive or return data, such as different malware payloads.

During a recent investigation, we came across this example of a PHP script that attackers use for many different purposes. What makes the sample interesting is that alongside this PHP, we also found a few data-stealing scripts indicating that the code might have been used to send sensitive data to the attackers.

Continue reading Evasive Maneuvers in Data Stealing Gateways at Sucuri Blog.

Another Credit Card Stealer That Pretends to Be Sucuri

During a routine investigation, we found yet another web skimmer that pretends to be related to Sucuri.

One of our Remediation Analysts, Liam Smith, found the following code injected into the database of a Magento site.

The first 109 lines of the malware don’t contain any content, which could be an attempt to avoid detection and conceal itself from detection, but line #110 contains a  base64-encoded Javascript ( eval(atob(… ).

Continue reading Another Credit Card Stealer That Pretends to Be Sucuri at Sucuri Blog.

Code Comments Reveal SCP-173 Malware

We sometimes find malware code injections that contain strange code comments, which are normally used by programmers to annotate a section of code — for example, a short description of a feature or functionality for other developers to reference.

Oftentimes, hackers aren’t interested in leaving comments describing how their injected malware works. Instead, they use code comments to add unique identifiers to reference  aliases, quotes, threat groups, or sometimes even memes. Unlike defacements, these code comments aren’t intended to be displayed on the infected website and can easily go unnoticed.

Continue reading Code Comments Reveal SCP-173 Malware at Sucuri Blog.

ALFA TEaM Shell ~ v4.1-Tesla: A Feature Update Analysis

We’ve seen a wider variety of PHP web shells being used by attackers this year —  including a number of shells that have been significantly updated in an attempt to “improve” them.

Depending on the scope of changes and feature enhancements that are added to an existing web shell’s source code, these updates can be tedious and time consuming for bad actors. For this reason, it’s common to see code for web shells reused among different, unaffiliated attackers.

Continue reading ALFA TEaM Shell ~ v4.1-Tesla: A Feature Update Analysis at Sucuri Blog.

Pin It on Pinterest