How Do Malware .ico Files Get Uploaded

During the past year, our Remediation department has seen a large increase in the number of fully spammed sites.

The common factors are strangely named and unusually located favicon.ico files, along with the presence of "bak.bak" index files peppered around the website.

In the majority of the cases, the pattern is similar regardless of the size of the website or the CMS being used. We have found WordPress, Magento, Joomla, and even HTML-only sites impacted by this campaign.

The Pattern

The infected sites present the following symptoms:

  • Randomly named folders with spam files directly inside the directories, along with big spam sitemap files. Sometimes these spam files are spread randomly throughout the server.
  • Most of the time, the site has been flagged as "May be hacked" by Google (or has been directly blacklisted by other authorities), with subsequent SEO penalization.
  • Strange "favicon.ico" files with a randomized string of characters and numbers at the end of the name. These are found spread around the site in random folders, especially in ./plugins, ./extensions, ./components, ./modules, ./uploads, ./media, ./themes, ./templates, or ./skin folders.

For instance, this file was found on an infected Joomla website:

./media/editors/favicon_64efdf.ico

The Code

The content of these supposed .ico files is not actually icon image data at all. Instead, the files follow this pattern, using PHP as the programming language:

  1. A check for a defined semaphore whose name starts with the string "ALREADY_RUN_", followed by a random hexadecimal string that most likely represents a hacking kit identifier.
  2. A randomly named function with two parameters: a translation key and a dirty-base64 code. Applying the translation rules from the first parameter to the second, this function returns the base64 decoding of the dirty-base64 code.
  3. Declaration of the dirty-base64 code variable, with a random name.
  4. Declaration of the associative array with the translation key characters and their corresponding values, also randomly named.
  5. An eval() call to start the script.
  6. A comment containing a 32-character MD5 hash followed by the encrypted code.

Here's an example of what the code generally looks like:

[Image: PHP code example for the supposed .ico files, showing the ALREADY_RUN_ semaphore check]

[Image: Another example of the code structure, again starting with the ALREADY_RUN_ check]

Unraveling the Skein

The process of understanding what's really going on behind the scenes requires several steps.

Basically, the base64 code generated by this fake favicon is made up of a group of functions. These functions decrypt the commented code into the final block, which is the real backdoor code.

This backdoor (usually overlooked during analysis because it sits in a comment) is made of an initial block of 32 characters corresponding to an MD5 hash, followed by the base64 code of the backdoor.

After some iterations, in which you can see how this backdoor can be configured depending on the case, the final code reveals a cURL object.

By using a POST connection, the attacker can route what is going to be downloaded to the site. This sometimes only includes content and files, but we occasionally see code injected into files just before the </head> or the </body> tag, depending on how the attacker has remotely configured the fake favicon.

[Image: Details of the config matrix (fields such as HTTP_REFERER and HTTP_USER_AGENT), where the target remote process (engine.php) returns directions to the site]

The Trigger: Cloned .bak.bak Index Files

So, how does the attacker trigger this complex process if the file is not a PHP file, which could be interpreted, and is not located in the root folder, but instead in a random location on the server?

The magic occurs by cloning the index file of the site, appending ".bak.bak" to the file name, and creating a new index file with the following content:

  • An include of the favicon file with a relative path.
  • An "@" before the include, which ensures that any error coming from the included file will not be displayed on the website, hiding it from visitors.

The original code is then loaded from the ".bak.bak" file.

Here is an example of the fake index.php file in an HTML-only environment:

[Image: Fake index.php file]

And here is an index.php file found on an infected WordPress installation:

[Image: Example of an affected WordPress index.php file (the WP_USE_THEMES definition and the include) before and after the include has been decoded]

What this means for site visitors is that the process is fully transparent — they will receive the legitimate code immediately after the malicious favicon code is executed on the server.

Every time one of these index.php files loads (which, for CMSs such as Joomla or WordPress, happens on almost every visited page), the backdoor is executed. This ensures that site reinfections occur very rapidly, allowing bad actors to maintain access and continue spamming on the compromised website.
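As an added illustration of the indicators described in "The Code" and "The Trigger" sections (the favicon_<hex>.ico naming, PHP content such as the ALREADY_RUN_ semaphore inside an .ico, an index file that includes an .ico, and the .bak.bak clone), here is a small Python scanner. It is not part of the original post or of any Sucuri tool; the regular expressions, the 64 KiB read limit and the sample web root it builds are constructed for this example and contain placeholder content, not real malware.

```python
import os
import re
import tempfile

# Indicators from the article: favicon_<hex>.ico names, PHP (ALREADY_RUN_ semaphore,
# eval) inside an .ico, an index file that include()s an .ico, and *.bak.bak clones.
FAKE_ICO_NAME = re.compile(r"^favicon_[0-9a-f]{4,}\.ico$", re.I)
PHP_IN_ICO = re.compile(rb"<\?php|ALREADY_RUN_|\beval\s*\(", re.I)
ICO_INCLUDE = re.compile(rb"(include|require)(_once)?\s*\(?\s*['\"][^'\"]+\.ico['\"]", re.I)
ICO_MAGIC = b"\x00\x00\x01\x00"  # header bytes of a genuine .ico image


def scan_webroot(root):
    """Walk a web root and return sorted (relative_path, reason) findings."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                head = fh.read(65536)  # the loader stub is small; no need to read it all
            if name.endswith(".bak.bak"):
                findings.append((rel, "cloned original file (.bak.bak)"))
            if name.lower().endswith(".ico"):
                if FAKE_ICO_NAME.match(name):
                    findings.append((rel, "favicon name with random suffix"))
                if not head.startswith(ICO_MAGIC) and PHP_IN_ICO.search(head):
                    findings.append((rel, "PHP code inside .ico"))
            if name.lower() in ("index.php", "index.html") and ICO_INCLUDE.search(head):
                findings.append((rel, "index file includes an .ico"))
    return sorted(findings)


def build_sample_site():
    """Constructed sample web root copying the infection layout (placeholders, not malware)."""
    root = tempfile.mkdtemp()
    files = {
        "favicon.ico": ICO_MAGIC + b"\x01\x00",  # legitimate icon header, must not be flagged
        "media/editors/favicon_64efdf.ico":
            b"<?php\nif (!defined('ALREADY_RUN_<hex-placeholder>')) { /* constructed */ }\n",
        "index.php": b"<?php\n@include \"media/editors/favicon_64efdf.ico\";\n"
                     b"@include \"index.php.bak.bak\";\n",
        "index.php.bak.bak": b"<?php\necho 'original site code';\n",
        "about/index.php": b"<?php\necho 'clean page';\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return root
```

Running scan_webroot() against a real document root flags the four indicator types separately, so a legitimate favicon with a proper icon header and a clean index.php produce no findings.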

Environment Details

The infection is similar to the hacking kits sold on the darknet to cybercriminals, giving them the ability to create and manage a network of zombie (infected, controllable) sites.

This kind of kit crawls the Internet, searching for sites with specific vulnerabilities and listing them in a dashboard where they can be used by the attacker. These kits allow bad actors to configure the sites in groups, or on an individual basis.

The presence of identification tags (unique combinations of numbers and letters that appear in the code and the process) suggests that this campaign helps the attackers organize them internally.

Conclusion

Due to the number of cases we see, this unusual case of malicious favicons may be present on thousands of websites.

It's believed that the following vulnerabilities are being leveraged to inject these fake favicons:

  • Old software versions that have not been patched with the latest versions or security releases. This includes CMS software, server software, plugins/modules/extensions/components, themes/skins/templates, etc.
  • Backups or demo/test sites, which are very weak points and easy infection vectors because they are not usually well maintained.
  • Upload forms that have not been properly sanitized or hardened, especially on handmade websites.

Due to the nature of this campaign's backdoor trigger, reinfection and cross-site contamination can be very quick. Our Spanish-speaking audience can check out this recent presentation at WordCamp Madrid, where I discuss backdoors in further detail.

If you observe any suspicious behavior on your site or detect the presence of these ".bak.bak" files (or other unusual favicons), we'd be happy to help clean up the infection.

In the meantime, you can check your site for known malware, blacklisting status, and out-of-date software by using our free scanner SiteCheck: https://sitecheck.sucuri.net.

Nestor Angulo is Sucuri's Security Analyst who joined the company in 2015. Nestor's main responsibilities include cleaning up hacked sites, generating detailed reports, and giving feedback to the Research team with any new knowledge. His professional experience covers more than 15 years in the code development world, where he has been creating technology products with embedded technologies, exploiting his entrepreneur genes, and being a university professor in big data and web development. When Nestor isn't slaying malware, you might find him testing new technology gadgets, practicing kickboxing, or traveling around the world as a digital nomad. Connect with Nestor on Twitter or LinkedIn.

Source: https://blog.sucuri.net/2019/07/the-strange-case-of-the-malicious-favicon.html