Over the past few weeks we’ve been seeing more website malware that’s disguised to look like legitimate files.
This recent strain has been made to look like ionCube obfuscated files.
At first look, even the online ionCube decoders are fooled too. They see the basic layout of the file, look for some specific string of text and immediately identify it as a legitimate ionCube file.
The anomaly detection part of our service first started flagging these files as suspicious. While the format of the text in the file is similar to legitimate ionCube files, there are a few key differences.
First, a legitimate ionCube file will have this in the opening section:
The bogus files will look similar, but start with:
Notice the subtle difference?
The “i” in ionCube in the legitimate file, is lowercase. The “L” in Loader is uppercase and there’s an underscore “_” between IonCube and loader in the bogus files.
One of the key differences is the bogus file typically has a @fopen string whereas the legitimate file did not.
All this goes to show one of the points about website malware is how far the hackers will go to try and make their files look legitimate.
Some have reported that the lower code segment is not used in this malscript, but that is the majority of the malicious code, so without that, this file is useless.
It opens itself, in doing this, it avoids reading the top code section and only reads the lower string of characters.
We’ve seen file sizes vary but many of them are 2,342 bytes. The other interesting thing about these files is that they’re typically dated to match other files in the same folder. Again, further evidence of the steps hackers will take in order to make their files look legitimate.
As far as how these files were uploaded?
What was the root cause determination? The point of entry?
That has nothing to do with these files. This is just the popular obfuscation method and this time. We’ve seen these files in WordPress sites, where all the plugins, themes are core files are kept updated. We’ve seen them in Joomla sites and Prestashop sites too.
Therefore, we conclude it’s just the current obfuscation method of choice.
Let me know if you have any questions.