Persistent WordPress User Injection

Our team recently stumbled across an interesting example of malicious code used to add an arbitrary user inside WordPress.

The following code was detected at the bottom of the theme’s functions.php. It uses internal WordPress functions like wp_create_user() and add_role() to create a new user and elevate its role to “administrator:”

The most interesting component of this sample is that the init (initialization) hook called from add_action() triggers the prefix_add_user() every time the Website finishes loading.

Continue reading Persistent WordPress User Injection at Sucuri Blog.

Magento Multiversion (1.x/2.x) Backdoor

The Magento 1 EOL date has already passed, however it’s evident that a large number of websites will continue to use it for the foreseeable future. Unfortunately, attackers are also aware that many websites are struggling with their Magento migrations and post compromise tools have been created to support deployment for both Magento 1.x and 2.x versions, making it easier for them to exploit a larger number of sites.

Malicious Forbidden Activity

During a recent investigation, our team came across a  tool aptly named Forbidden.

Continue reading Magento Multiversion (1.x/2.x) Backdoor at Sucuri Blog.

COVID-19 Chloroquine Pharmaspam

A recent SiteCheck scan of an organization’s website showed an interesting pharmacy spam injection targeting COVID-19-related pages of websites. The HTML that was flagged by our SiteCheck signature, spam-seo.hidden_content?100.2, shows why the pharmacy spam text was not displayed on the infected web page:

This spammer is trying to obfuscate their link injection by assigning a custom function, get_style, to store the none display element value. This essentially hides any of the element’s text that comes after the function is called, then uses the custom function end_ to remove the none display element.

Continue reading COVID-19 Chloroquine Pharmaspam at Sucuri Blog.

CDN-Filestore Credit Card Stealer for Magento

During a website remediation, we recently discovered a new version of a Magento credit card stealer which sends all compromised data to the malicious domain cdn-filestore[dot]com. My colleague Luke Leal originally wrote about this malware in a blog post earlier this year.

Malware Evolution & Evasive Techniques

One primary difference between this new version and theone Luke wrote about in April is that it was not packed. This detail suggests that the attackers updated the malware in an attempt to obfuscate it and avoid detection.

Continue reading CDN-Filestore Credit Card Stealer for Magento at Sucuri Blog.

Web Crawler & User Agent Blocking Techniques

This is a simple script that allows hackers to block specific crawlers based upon website requests from specific user-agents. This is useful when you don’t want certain traffic from being able to load certain content – usually a phishing page or a malicious download.

if(preg_match(‘/bot|crawler|spider|facebook|alexa|twitter|curl/i’, $_SERVER[‘HTTP_USER_AGENT’])) {
logger(“[BOT] {$_SERVER[‘REQUEST_URI’]} – 500”);

header(‘HTTP/1.1 500 Internal Server Error’);
exit();
}

Using preg_match, the script looks for certain known crawler strings in the user-agent.

Continue reading Web Crawler & User Agent Blocking Techniques at Sucuri Blog.

Pin It on Pinterest