Many time has passed since my last post in this forum paragraph. Today I want to share with you a dangerous attack I received a couple of days ago; it can affect to any php based website (Joomla, Wordpress, Drupal...) so I post this entry to alert everybody and maybe to help some people in a future if they have been infected.
On 04/29/2021 I received the following alert of Securitycheck Pro:
After decoding it, we can see there are a couple of actions behind this obfuscated string:
The first one is to download a file named old-index.php from a server with IP 18.104.22.168. The second one is to download what is supposed to be a jpg file, uncompress and delete it. Let's see what those files contain. The old-index.php file tries to get some info from the infected website: its geolocation, using the service ipapi.com, php version, hostname, server type and operating system:
The main part of this file is an obfuscated string:
Will not analyze this obfuscated code as it's not important to show what this attack does. Now let's pay attention to the second file downloaded: the mining.jpg file. Despite this file simulates to be an image file, it's a compressed file containing some linux binaries and linux shell scripts. As we can see in the original attack, it's uncompressed into the .x folder and this is what contains:
There are some files and folders into it. Let's see what contains the "a" script:
As we can see, it gets some system info as the current directory and bash pid, creating files to store this info...
...and adds the following content to be executed by the cron:
With those actions the malware gains persistence; if for some reason the main process is finished it's launched again by the cron. After this the file calls to the "run" script, that contains:
This script gets the server architecture and use the right linux binaries to use the server power for crypto-currency mining, using the xmrig (github.com/xmrig) software and sends the rewards to the ip 22.214.171.124:
Other interesting file of the .x folder is the "c" file, that tries to hide any activity by deleting all history at first place:
This way it makes harder for investigators to know what's happening. We must also remember that the file containing all the files, mining.jpg, it was also deleted by the original attack after being uncompressed.
Once this malware is running, we will see high cpu usages as the malware is doing its job:
So unlike other infections used to spread malware, you will not see any abnormal activity in your website. Depending of your hosting plan, you can notive slowness in your website or being alert of high cpu consumption by your hosting provider.