
WordPress Malware Camouflaged As Code

This entry was posted in Research, WordPress Security on August 13, 2021 by Ned Andonov   21 Replies

In today’s post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker’s goal is to make everything look routine to an analyst so that they do not dig deeper and discover the presence of malware and what it is doing. We describe how this technique works, and we touch on the psychological underpinnings of the technique the attacker is using.

Wordfence detects the malware that is described in this post, even though it may be missed by a human security analyst doing a manual inspection. We have provided detection for this malware variant since 2019, for both our free and Premium Wordfence customers.

Novel Malware Loading Technique Analysis

One of the more sophisticated mechanisms that malware creators use consists of an innocuous-looking “loader” file that includes or executes a more traditional backdoor that is compressed, obfuscated, or remotely-retrieved and thus may have no detectable patterns in the file body.

We stumbled upon a clever malware sample worth sharing. In this file, malicious code was being generated in real time using a simple but well-hidden obfuscation technique in what looked like a perfectly normal and harmless PHP class.

The code abstraction looked almost perfect: each class method was well commented, the business logic looked reasonable, and the code followed current code quality standards.

One of the typical “tells” of malware is that a lot of it is poorly or haphazardly written using procedural programming practices, and much of it is obfuscated. This malware was well written using Object-Oriented programming practices, which implies that it was created by a professional developer, and it doesn’t appear to be obfuscated. All of these factors contribute to the file being obfuscated in a very effective way: it appears normal, and it would take a seasoned security analyst to spot anything suspicious about it.

In his research and writings, Nobel laureate Daniel Kahneman describes a ‘System 1’ and ‘System 2’ mind. Your System 1 mind performs routine tasks. System 2 is your analytical mind, which only engages when the routine is broken or brought into question. An inexperienced analyst looking at this code might not engage their System 2 mind because everything looks as it should. It looks routine.

The class describes itself as a simple mime type definitions extension service and its init method seems normal:

Image showing the malware's init method

However, with malware things might not always be as they appear.

If we take a closer look at the getMimeDescription method:

The malware's getMimeDescription method

We notice that the selected indices in the $indicies variable are a bit suspicious.

    2 => wp-content
    6 => themes
    5 => allegro-theme
    3 => includes

In other words, the getMimeDescription method will generate the following path:

wp-content/themes/allegro-theme/includes/admin/buttons-formatting/buttons/btn-accordion1.png

Part of the magic happens in the createMarker method:

The malware's createMarker method

The createMarker method returns one of the following strings depending on whether the $type parameter passed to it from the createExtension method is 0, 1, or 2:

    [0] => file_get_contents
    [1] => gzinflate
    [2] => eval

It uses a predefined range of alphabet letters from a to z in the $alpha variable:

$alpha = range('a', 'z');

This function uses a standard for loop to assemble the names of commonly abused functions at runtime, so none of them appears as a literal string that a signature could match. It is the most obviously obfuscated portion of the code.

For example, in case 2 we have:

The malware's case 2

And in the $alpha variable we have every letter from the alphabet tied to a number:

letter to number mapping

Since the for loop increments the array index of $numbers by 1 on every iteration, it ends up appending the following to the $marker variable:

5(e), 22(v), 1(a), 12(l) which translates to: eval

Such simple but elegant obfuscation techniques demonstrate how malware code can be concealed in unexpected ways.
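The letter-index construction described above is easy to reverse once you know to look for it. The following Python triage helper is an added example and not Wordfence's code: it scans a PHP source for the `range('a', 'z')` table together with integer array literals, decodes each array under both a 1-based (a=1, the convention used in the post's 5(e), 22(v), 1(a), 12(l)) and a 0-based mapping, and reports any array that spells a function name worth a second look. The `SAMPLE_LOADER` class is a constructed stand-in modelled on the post's description, not the real malware, and it only includes the cases a 26-letter table can spell (an underscore, as in file_get_contents, needs something the post does not show). The watchlist entries beyond the four names the post mentions are my additions.

```python
import re
import string

# Function names that are a strong sign of a loader when they are assembled
# letter by letter at runtime. eval, gzinflate, file_get_contents and
# create_function are the ones the post names; the rest are my additions.
SUSPICIOUS_TARGETS = {
    "eval", "gzinflate", "file_get_contents", "create_function",
    "base64_decode", "assert", "system", "shell_exec", "passthru",
}

# The same 26 letters that PHP's range('a', 'z') produces.
ALPHA = string.ascii_lowercase

# A PHP array literal holding two or more integers: array(5, 22, 1, 12) or [5, 22, 1, 12].
_INT_ARRAY = re.compile(r"(?:array\s*\(|\[)\s*(\d+(?:\s*,\s*\d+)+)\s*[\)\]]")
# The alphabet table the loader builds.
_ALPHA_RANGE = re.compile(r"range\s*\(\s*['\"]a['\"]\s*,\s*['\"]z['\"]\s*\)")


def decode_numbers(numbers, base):
    """Turn a list of integers into letters.

    base=1 reads a=1 ... z=26, the convention the post uses (5(e), 22(v), 1(a), 12(l));
    base=0 reads a=0 ... z=25, as a direct $alpha[$n] lookup would. Returns None
    when a number falls outside the table."""
    letters = []
    for n in numbers:
        idx = n - base
        if not 0 <= idx < len(ALPHA):
            return None
        letters.append(ALPHA[idx])
    return "".join(letters)


def find_letter_index_markers(php_source):
    """Report integer arrays that spell a suspicious function name.

    Returns a list of (numbers, base, decoded_name). Only fires when the file
    also builds an a-z table with range('a', 'z'), so ordinary numeric arrays
    in unrelated code are not flagged."""
    if not _ALPHA_RANGE.search(php_source):
        return []
    hits = []
    for match in _INT_ARRAY.finditer(php_source):
        numbers = [int(x) for x in match.group(1).split(",")]
        for base in (1, 0):
            decoded = decode_numbers(numbers, base)
            if decoded in SUSPICIOUS_TARGETS:
                hits.append((numbers, base, decoded))
    return hits


# Constructed sample modelled on the post's description (not the real loader):
# a tidy-looking class whose createMarker builds "gzinflate" and "eval" from
# 1-based letter indices. A harmless decoy array is included to show it is
# not reported.
SAMPLE_LOADER = r"""<?php
class MimeDescriptionService {
    /** Return a type marker for the requested extension kind. */
    private function createMarker($type) {
        $alpha = range('a', 'z');
        $sizes = array(1, 2, 3);
        switch ($type) {
            case 1: $numbers = array(7, 26, 9, 14, 6, 12, 1, 20, 5); break;
            case 2: $numbers = array(5, 22, 1, 12); break;
        }
        $marker = '';
        for ($i = 0; $i < count($numbers); $i++) {
            $marker .= $alpha[$numbers[$i] - 1];
        }
        return $marker;
    }
}
"""

if __name__ == "__main__":
    for numbers, base, name in find_letter_index_markers(SAMPLE_LOADER):
        print(f"{numbers} with a={base} spells {name!r}")
```

Requiring the alphabet table to be present keeps the false-positive rate down: numeric arrays are everywhere in legitimate plugins, but `range('a', 'z')` next to an integer array that happens to spell `eval` is the combination worth escalating to a System 2 review.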

The next interesting part starts when the prepareDir method is called.

It runs on the output of the getMimeDescription method:

The malware's prepareDir method

The code above uses join to set the value of $markers to create_function and calls createExtension, which calls createMarker and places the following code in the $extension variable:

$mime=file_get_contents($mime);$mime=gzinflate($mime);$mime=eval($mime);


These are then combined with create_function in the $dircreator variable in order to execute the malicious code hidden in the btn-accordion1.png file.


The PNG file btn-accordion1.png contained compressed (gzdeflated) malware code as an additional layer of obfuscation, which can be difficult to detect using traditional techniques. This code, when gzinflated and base64-decoded, reveals a more obviously malicious, but still professionally developed, backdoor used to interact with command and control (C2) infrastructure belonging to the attacker.

Below is a sample of the original contents of the btn-accordion1.png file:

1st layer of obfuscation (gzdeflated):

The first layer of obfuscation

2nd layer of obfuscation (base64 encoded):

Second layer of obfuscation

Deobfuscated:

some functions in the deobfuscated webshell

This reveals 3000+ lines of professionally written malware code, supporting a collection of remote commands including code execution, updates, and file access:

Some capabilities of the deobfuscated webshell

More capabilities of the deobfuscated webshell
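When a loader points at an "image" like btn-accordion1.png, two quick checks settle whether it is worth a deeper look: does the file actually start with the PNG signature, and do the layers peel the way the post describes (gzinflate, then base64)? The following Python helper is an added example, not Wordfence's code or the real payload: `peel_layers` repeatedly applies raw DEFLATE decompression (what PHP's gzinflate reads) and strict base64 decoding until PHP source appears or neither step applies. The `SAMPLE_FAKE_PNG` blob is constructed inside the block by wrapping a harmless PHP snippet the same way, so the example runs offline.

```python
import base64
import binascii
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def looks_like_png(data):
    """A genuine PNG starts with the 8-byte signature; a payload dressed up as one does not."""
    return data[:8] == PNG_MAGIC


def try_gzinflate(data):
    """PHP gzinflate() reads a raw DEFLATE stream (no zlib or gzip header), hence wbits=-15."""
    try:
        return zlib.decompress(data, -15)
    except zlib.error:
        return None


def try_base64(data):
    """Strict base64: only the standard alphabet, correct padding, whitespace ignored."""
    stripped = b"".join(data.split())
    if not stripped or len(stripped) % 4:
        return None
    try:
        return base64.b64decode(stripped, validate=True)
    except (binascii.Error, ValueError):
        return None


def peel_layers(data, max_layers=8):
    """Strip gzinflate/base64 layers until PHP code surfaces or nothing applies.

    Returns (names of the layers removed, in order; the final bytes)."""
    layers = []
    current = data
    for _ in range(max_layers):
        if b"<?php" in current[:64]:
            break
        inflated = try_gzinflate(current)
        if inflated is not None:
            layers.append("gzinflate")
            current = inflated
            continue
        decoded = try_base64(current)
        if decoded is not None:
            layers.append("base64_decode")
            current = decoded
            continue
        break
    return layers, current


def raw_deflate(data):
    """Equivalent of PHP gzdeflate(): a raw DEFLATE stream, used here only to build the sample."""
    compressor = zlib.compressobj(level=9, wbits=-15)
    return compressor.compress(data) + compressor.flush()


# Constructed stand-in for btn-accordion1.png: a harmless PHP snippet wrapped
# the way the post describes (base64, then gzdeflate). Not the real payload.
INNER_PHP = b"<?php /* constructed sample, stands in for the backdoor */ echo 'hello'; ?>"
SAMPLE_FAKE_PNG = raw_deflate(base64.b64encode(INNER_PHP))

if __name__ == "__main__":
    print("PNG signature present:", looks_like_png(SAMPLE_FAKE_PNG))
    layers, plain = peel_layers(SAMPLE_FAKE_PNG)
    print("layers removed:", layers)
    print("recovered:", plain.decode())
```

The `<?php` check is deliberately done before any decoding attempt so that the loop stops as soon as source code is in hand; without it, a PHP file whose first bytes happen to form a valid stored DEFLATE block would be mangled rather than returned.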

Conclusion

Malware creators continuously develop new obfuscation techniques in order to hide malicious indicators. Even common malware can evade detection if it has clever and unexpected obfuscation. In such cases a deeper look is required in order to identify and understand the malware. Analysts would also do well to keep their System 2 mind engaged, as Kahneman would put it, when analyzing suspected malware.

Malware evolves, but so do the techniques used by malware researchers. Our team continues to develop new technologies, like our machine learning initiative, that speed up the identification of emergent malware variants that may be more difficult for analysts to detect. Wordfence detects the malware mentioned in this post, and has included this detection since 2019, for our free and Premium Wordfence customers.

Good hunting!


21 Comments on "WordPress Malware Camouflaged As Code"

knowlengr August 18, 2021 at 9:05 am

Nice analysis. I am guessing that Qualys would not detect this?

Ram Gall August 18, 2021 at 12:06 pm

Hi,

Qualys is a powerful tool, but we haven't evaluated their malware scanning capabilities, so I don't want to speculate. We usually see it used for Vulnerability scanning, and it does have some idiosyncrasies when scanning WordPress since it's not optimized specifically for that purpose.

Joe August 18, 2021 at 9:35 am

Awesome read.

Dean Suhr August 18, 2021 at 10:05 am

Very creative!

You mention scanning for this since 2019. Is this approach to Malware - professionally developed and obscured – on the rise?

Ram Gall August 18, 2021 at 12:09 pm

Hi Dean,

While much of the malware infecting WordPress sites is still a bit rough, professionally developed malware is indeed becoming more common - we frequently see it used in a few particular variants of nulled plugins and themes.

Pete Magee August 18, 2021 at 10:34 am

You guys are obviously very clever to find this stuff. What I can’t get my head around is why you go to such a great extent to explain exactly how it’s done.

It’s a bit like posting a video on YouTube of how to break into a bank!!!

Ram Gall August 18, 2021 at 11:49 am

Hi Pete,

There's a nearly infinite number of ways to obfuscate malware, which is why we're constantly adding to and improving our malware detection signatures. It's also work to write code like this, even if it's malicious, and would take some degree of time and competence to produce something functional - there's not enough here for an attacker to copy and paste, and many attackers prefer to use something "off-the-shelf" so they'd already have access to a wide variety of options. While this malware is quite clever, it is actually pretty easy to detect once you know what to look for, the trick is just to know what to look for.

Farhan August 18, 2021 at 1:24 pm

Wordfence has provided valuable insight on the defensive side, with the latest techniques for defenders to look for in their environment.

Webshells are still prevalent; some don't even know they have them.

SARAH August 18, 2021 at 1:44 pm

Great write-up, enjoyed the read.

However, what of a workable solution to combat or at least detect and stop such?

Ram Gall August 18, 2021 at 2:19 pm

Hi Sarah,

Wordfence offers a workable solution to detect and stop this malware, and our firewall blocks the kind of attacks that cause it to be installed.

Daniel Parsons August 18, 2021 at 1:58 pm

So important to read Wordfence updates and keep site themes and plugins up to date. Grateful for all your work and insight. I am not a coder and not a techie but can update my sites when Wordfence alerts me! God bless your work and pray we can keep the malware people off our websites as they are not welcome.

Aurelio Martuscelli August 18, 2021 at 2:39 pm

A nice job of malware deconstruction. Thanks for keeping us up to date and to Wordfence users, a relief to have such a competent team of analysts.

Mike Polek August 18, 2021 at 3:14 pm

The section on CreateMarker might be clearer if you used a 0-based mapping for the alpha array.
a=0
b=1
c=2
d=3
e=4
...
l=11
...
v=21
...
z=25

Thus 4, 21, 0, 11 is more readily seen as e, v, a, l => eval

The for loop is merely looping through each of the elements of the numbers array in sequence. The number from that array is used as an index for the alpha array in $alpha[$numbers[$i]].

i.e. when $i = 0, $numbers[0] = 4, $alpha[4] = e

Anton August 18, 2021 at 3:28 pm

My god you guys are good! 👍

Andy Gee August 18, 2021 at 3:44 pm

I hate to say it but, nice programming. The $numbers array and $mime_markers give it away a bit but the sliding cipher is beautiful.
Excellent analysis too, as always :)

Vijay August 18, 2021 at 8:41 pm

Thanks for this very useful article.
Recently a few of our clients' websites were infected by a hidden plugin, zend-fonts-wp, which is only visible when reviewing the plugins folder from the hosting file manager or via FTP, and this plugin is not even identified by the Wordfence security scan.

Any comment on this, please?

Ram Gall August 19, 2021 at 6:42 am

Hi,

We do have detection for the zend-fonts-wp malware but it's a new enough strain that the signatures are only available to Wordfence Premium users at the moment. Detection of zend-fonts-wp should become available to free Wordfence users starting in September.

Michael Adegoke August 19, 2021 at 12:27 am

Wow! Thank you for the amazing work you do. Thank you for staying on top of your game at all times. I recommend Wordfence every time and I am happy I found you guys. Your excellence is amazing, you offer so much even to free users as well.

John T August 19, 2021 at 12:31 am

Enjoyed the write up immensely! Thanks for putting it together. It's a bit like watching a magician explain their trick to you, I find it really interesting. Keep this type of blog post going as it really reassures people that you are 'ahead of the curve' on all this stuff.
Thanks :-)

PDigitalFox August 19, 2021 at 1:09 am

Nice article and a good job. It perfectly describes the vulnerability step by step.

Tito August 19, 2021 at 3:52 am

Thanks for This! That's a really clean explanation of the code.

I'll make sure to keep my Wordfence updated so you can keep looking out for the latest garbage these intruders come up with!
