Security researchers at SiteLock have discovered a new malware strain impersonating legitimate ionCube files. Dubbed ionCube, the malicious code is used by attackers to create backdoors on vulnerable Web sites allowing them to steal data or plant additional malware.
Discovered two weeks ago, the malware has since been found on more than 700 small business Web sites, affecting WordPress, Joomla and CodeIgniter sites, although researchers said the malware is probably viable on almost any Web server that runs PHP.
During an investigation of an infected site, the researchers uncovered a variety of suspiciously named, obfuscated files that looked to be practically identical to legitimate ionCube-encoded files.
"We determined the suspicious ionCube files were malicious, and found that hundreds of sites and thousands of files were affected," they said.
Analysis
The research team first spotted this trend when several obfuscated files, following naming patterns often found in malware, such as "diff98.php" or "wrgcduzk.php", were found in the core directories of a WordPress site.
"At a cursory glance, the files appeared to be encoded with ionCube, which is one of the oldest and most difficult to reverse PHP obfuscation technologies. Fortunately, ionCube is typically not used for malicious purposes due to its licensing costs and compatibility requirements."
They also discovered that the files did not consistently follow malicious naming patterns. Harmless files dubbed "inc.php" and "menu.php" also contained the malware, said SiteLock.
Mitigation
According to SiteLock, if a developer has not deliberately installed ionCube-encoded files, any files claiming to be using ionCube should be viewed with suspicion, as employing ionCube usually requires manual server configuration. "Also, cross-compatibility with different versions of PHP is minimal, reducing the viability of use as malware."
The researchers recommend that anyone noticing indicators of infection should run a malware scan on their site as soon as possible. For those using ionCube-encoded applications, this is even more crucial, as manually differentiating fake files from the genuine article is tricky, as it is not unusual to see as many as 100 slightly different variants of this malware on one site, they explained.
"We also recommend implementing a Web application firewall to stop any access to malware which may remain."
WordPress woes
This isn't the first time that WordPress has been under the security spotlight. A month ago, ITWeb reported that over 2 000 WordPress sites were infected with a malicious script that contained a keylogger designed to steal users login credentials, and mined the Monero crypto-currency.
Prior to that in December 2017, another threat infected 5 500 WordPress sites with malware dubbed cloudflare[.]solutions.
Share