
A closer look at a miscellaneous PHP code

· 6 min read
Strider

Hi, recently I came across something quite strange on Twitter, which I would like to report on and go into in more detail. The tweet in question linked to an entry on Pastebin.

I took a closer look and found out that it is malware. How I came to that conclusion, I explain here in detail. One thing in advance: I will cut out or leave out parts of this malware so that it is not further usable. Names and addresses will be anonymized by me.

I was on Twitter last night and thought I'd click through; maybe there's something interesting there. After a short time I came across a Twitter post with the said link. I thought, OK, let's take a look at it. I was surprised at first, because there were only numbers.

dia1.png

I quickly realized that these are decimal ASCII values, which have to be converted into ASCII characters. No sooner said than done: with a small Python script I converted the whole thing into ASCII text and saved it in a new file. When I open the file, I notice that this is PHP code. OK, it looks to me like an obfuscated WebShell.

dia2.png

I looked through the file further and saw, as I suspected, that most of the content was Base64 encoded. At the end of the file I get information about how exactly the encoding works, because Base64 is only the outer layer. A closer look shows that URL encoding (urlencode, decoded here with urldecode) was used as well as encoding of HTML special characters (htmlspecialchars, decoded with htmlspecialchars_decode). The whole thing is finally executed as PHP code using the eval function.

dia3.png

I asked myself: what do the two variables Cipher and Crime do? Well, a look into the variable Cipher tells me. To see the whole thing, I simply deleted the eval function and put an echo in front of it. Whatever this is, it is then not executed but only output. Voila, I can now see what the variable Cipher does 😄.

dia4.png

OK, that doesn't tell me much, only that Base64 and this time also Gzip are in play. Here the variable Crime is used for the first time, and it is reversed. They seem to have put a lot of effort into it. Well, further into the text. I thought to myself: "Yes, well, I already knew that WebShells like to be Gzip packed, but five times?" So I also adjusted this line in the file so that its content is displayed as well. The adjustment looks something like this.

dia5.png
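To make the layer peeling reproducible without executing the sample, here is an added Python example (my own code, not part of the paste or of the original write-up) that does statically what swapping eval for echo does at runtime: it locates the eval() call, evaluates the chain of decoders wrapped around the quoted literal or variable, and repeats on the result until no eval is left. The nested sample it works on is constructed in the block itself to mirror the structure described above (decimal byte values, a Base64/URL/HTML-entity shell around five strrev/Base64/gzinflate rounds); the variable names $Cipher and $Crime are taken from the article, everything else, including gzinflate as the Gzip variant and the set of supported decoders, is an assumption.

```python
import base64
import html
import re
import urllib.parse
import zlib


def decimal_to_text(blob: str) -> str:
    """Turn the paste's decimal byte values (any separator) back into text."""
    return "".join(chr(int(n)) for n in re.findall(r"\d+", blob))


def _html_decode(data: bytes) -> bytes:
    text = data.decode("utf-8", "surrogateescape")
    return html.unescape(text).encode("utf-8", "surrogateescape")


# PHP decoders commonly chained inside eval(); each maps bytes -> bytes.
# Assumption: the sample only uses functions from this table.
DECODERS = {
    "base64_decode": base64.b64decode,
    "strrev": lambda b: b[::-1],
    "urldecode": urllib.parse.unquote_to_bytes,
    "htmlspecialchars_decode": _html_decode,
    "gzinflate": lambda b: zlib.decompress(b, -zlib.MAX_WBITS),     # raw DEFLATE
    "gzuncompress": lambda b: zlib.decompress(b),                   # zlib wrapper
    "gzdecode": lambda b: zlib.decompress(b, zlib.MAX_WBITS | 16),  # gzip wrapper
}

_LITERAL = re.compile(r"'([^']*)'|\"([^\"]*)\"", re.S)


def find_eval_argument(src: str):
    """Return the text inside the outermost eval( ... ) in src, or None.
    Parentheses are balanced while skipping quoted strings, so a ')' inside
    a literal does not end the call early. An 'eval' substring that is not
    followed by '(' (e.g. inside a Base64 blob) is skipped."""
    pos = src.find("eval")
    while pos != -1:
        i = pos + 4
        while i < len(src) and src[i].isspace():
            i += 1
        if i < len(src) and src[i] == "(":
            depth, quote = 0, None
            for j in range(i, len(src)):
                c = src[j]
                if quote:
                    if c == quote:
                        quote = None
                elif c in "'\"":
                    quote = c
                elif c == "(":
                    depth += 1
                elif c == ")":
                    depth -= 1
                    if depth == 0:
                        return src[i + 1:j]
            return None
        pos = src.find("eval", pos + 4)
    return None


def evaluate(expr: str, src: str) -> bytes:
    """Evaluate a quoted literal, a $variable assigned in src, or a nested decoder call.
    Assumption: literals contain no escape sequences (true for Base64/URL-encoded blobs)."""
    expr = expr.strip()
    m = _LITERAL.fullmatch(expr)
    if m:
        body = m.group(1) if m.group(1) is not None else m.group(2)
        return body.encode("utf-8", "surrogateescape")
    m = re.fullmatch(r"\$(\w+)", expr)
    if m:
        assign = re.search(
            r"\$" + re.escape(m.group(1)) + r"\s*=\s*('[^']*'|\"[^\"]*\"|[^;]+);", src, re.S)
        if not assign:
            raise ValueError(f"no assignment found for ${m.group(1)}")
        return evaluate(assign.group(1), src)
    m = re.fullmatch(r"(\w+)\s*\((.*)\)", expr, re.S)
    if m:
        name, inner = m.groups()
        if name not in DECODERS:
            raise ValueError(f"unsupported function in decode chain: {name}")
        return DECODERS[name](evaluate(inner, src))
    raise ValueError(f"cannot evaluate: {expr[:40]!r}")


def unwrap(src: str, max_layers: int = 64):
    """Static version of replacing eval with echo: resolve the eval() argument,
    treat the result as the next layer, repeat until no eval() is left."""
    layers = 0
    while layers < max_layers:
        arg = find_eval_argument(src)
        if arg is None:
            break
        src = evaluate(arg, src).decode("utf-8", "surrogateescape")
        layers += 1
    return src, layers


def _deflate_raw(data: bytes) -> bytes:
    comp = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)
    return comp.compress(data) + comp.flush()


def build_sample() -> str:
    """Constructed stand-in for the paste (not the real sample): five
    strrev/Base64/gzinflate rounds inside a Base64/URL/HTML-entity shell,
    the whole file then dumped as space-separated decimal byte values."""
    code = 'echo "innermost layer reached";'
    for _ in range(5):
        crime = base64.b64encode(_deflate_raw(code.encode())).decode()[::-1]
        code = f"$Crime = '{crime}';\neval(gzinflate(base64_decode(strrev($Crime))));"
    cipher = base64.b64encode(
        urllib.parse.quote(html.escape(code, quote=True)).encode()).decode()
    php = (f"<?php\n$Cipher = '{cipher}';\n"
           "eval(htmlspecialchars_decode(urldecode(base64_decode($Cipher))));\n")
    return " ".join(str(b) for b in php.encode())


if __name__ == "__main__":
    decoded, layers = unwrap(decimal_to_text(build_sample()))
    print(f"peeled {layers} layers:\n{decoded}")
```

The advantage over editing the file and running it through php is that nothing from the sample is ever executed; the downside is that only the decoders in the table are understood, so a layer that uses str_rot13 or an XOR loop stops the unwrapping with a clear error instead of silently producing garbage, and that is the point at which to look at that layer by hand.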

Running the whole thing with PHP in a terminal, I was first hit by a lot of code. While skimming the code I came across another thick block of Base64 encoded data, but I looked at that later. I was surprised to find out that this is not an ordinary WebShell, but ransomware. Yes, that's right, it's ransomware 😳.

dia6.png

So what I can already see here is that a notification goes out via email. The email address was embedded in the source code. I would be interested to know what is in the Base64 block. The whole thing is HTML code with embedded JavaScript. I saved the source code in a separate file and opened this file in a separate VM in Firefox. It seems to be the nice bill. In any case, a paltry amount of $500, of course, again via Bitcoin.

dia7.png

The next thing I took a closer look at is the class deRanSomeware. Here there are apparently two options: the installation of the ransomware and the uninstallation. In the installation part the Base64 block is decoded and written into a new index.php. After that, the .htaccess file is replaced with its own customized .htaccess file. Only then is everything encrypted. The part where the ransomware is uninstalled and the website is restored does it all in reverse. The decryption part comes at the end.

A look at the encryption shows that AES-128-CBC is used here, with a randomly generated initialization vector. It should be mentioned that the function mcrypt_create_iv has been deprecated since PHP 7.1 and removed since version 7.2, together with the rest of the mcrypt extension; this code therefore only runs on PHP 7.1 and older, or on a newer PHP with mcrypt installed separately from PECL.

dia8.png

What can be seen quickly is that the initialization vector for the encryption is generated from the device /dev/urandom. The WebShell also reports directly whether the encryption of a file succeeded or not. The only thing that puzzles me is: where does the key come from? Going through the code further, I seem to have found the source of the key. Apparently, the key is entered manually in the WebShell with the "Lock" or "Unlock" option. I'm not sure if this was a good idea, but the developer has to know. For the victim this matters: the key is never written into the file, so there is nothing to recover from the webshell itself without the operator's input or a backup. With this input form we also get a pretty little picture displayed.

dia9.png

From this point on, I realize that it is not just ransomware in the strict sense. Here we have another part of the malware, because as I see it, other commands than encrypting the data can be executed here. In the following picture I show what I mean, here in the case of a file upload.

dia10.png

I do not want to go into detail about the other functions, because there is not much exciting there. What this malware also offers is changing file permissions at the Unix/Linux level, renaming files, file manipulation, deleting directories and files, and listing files including their permissions and file size, like a file browser.

After browsing through the code, I decided to run the malware on a test machine to see it in action. The test machine has no connection to the Internet or to my network, so the malware should not be able to phone home.

dia11.png

Well, if you look at the whole thing, it looks quite interesting. At the top you can see the skull from the source code again. Directly below the skull is the menu for encryption and decryption, which I will come back to in a moment. Below that is our file manager, where we can edit, delete and create files and change access rights.

I then had some fun and let it encrypt all the files, of course without Internet. As a test password I entered "a1b2c3d4e5f6".

dia12.png

OK, the site is now encrypted, and I may now pay $500. As output we get a list of the files that were encrypted by the ransomware. It is admittedly very manageable, because I only had Apache installed. What I noticed during the first test run is that if there is no .htaccess and no index.php, the ransomware does nothing. That could be a mistake on my part or a bug. Anyway, when everything is done, we get this message, which says what happened and what we have to do.

dia13.png

My final words about the malware: this is a webshell with ransomware as its main function. I found it scary but also interesting at the same time. Nevertheless, I must say: do not pay. Better to make backups and that's it.