Supply of the Gootloader touchdown pages reveal numerous completely different search phrases and phrases the menace actors needed engines like google to index. The linked subpages (chosen with inexperienced) don’t truly exist. The injected WordPress code defines just a few hooks, one in every of them is for non-existing pages. It will serve the pretend discussion board dialogue, when the sufferer clicks on the search outcome
That hidden ingredient had hyperlinks (chosen with inexperienced) and the matching focused search phrases (chosen with brown):
This hidden ingredient is not going to be seen to human webpage guests. However search engine crawlers see and course of it, which methods the various search engines into treating the web site as if it offers related content material on the poisoned search time period, thus rating the location excessive within the search outcomes.
A screenshot of the supply code from a Gootkit/Goodloader touchdown web page. Picture courtesy of Sucuri Analysis.
The report (and screenshot) revealed three promising strings:
The request: $_GET[”a55d837’
A malicious web domain name: ‘my-game[.]biz’
A SQL question (proven on a special screenshot in Sucuri’s weblog): ‘SELECT * FROM backupdb_’
Looking Google for code fragment $_GET[”a55d837’ led us to an online decoder page, where the result (now deleted) of another researcher’s query revealed the encoded version of the PHP code used in the malicious web page:
function qwc1() {
global $wpdb, $table_prefix, $qwc1;
$qwc2 = explode('.', $_SERVER["x52105x4d117x54105x5f101x44104x52"]);
if (sizeof($qwc2) == 4) {
if ($wpdb - > get_var("x53105x4c105x43124x20105x58111x53124x5340x28123x45114x45103x5440x2a40x46122x4f115x20142x61143x6b165x70144x62137".$table_prefix.
"x6c163x74141x7440x57110x45122x4540x77160x2075x2047".$qwc2[0].
'|'.$qwc2[1].
'|'.$qwc2[2].
"x2751x3b") == 1) {
and the decoded model of that very same script:
perform qwc1() {
international $wpdb, $table_prefix, $qwc1;
$qwc2 = explode('.', $_SERVER["REMOTE_ADDR"]);
if (sizeof($qwc2) == 4) {
if ($wpdb - > get_var("SELECT EXISTS (SELECT * FROM backupdb_".$table_prefix.
"lstat WHERE wp = '".$qwc2[0].
'|'.$qwc2[1].
'|'.$qwc2[2].
"');") == 1) {
Whereas it isn’t clear how the code ended up on that web site, the Web by no means forgets: Engines like google discovered and listed this evaluation. This gave us the primary perception at what the injected code of the compromised touchdown pages would appear to be.
(Each the evaluation linked above, and one other web page I subsequently discovered on malwaredecoder.com, had been later eliminated by their respective web site homeowners. Search outcomes that reveal ephemeral evaluation pages like these are solely obtainable for a brief time period. If you happen to plan to quote supply supplies from websites comparable to these, preserve an offline copy of the web page, as a result of they is probably not there once you return.)
At this level we didn’t know precisely how the websites are compromised, however we knew from the report that malicious PHP code is someway inserted into the WordPress set up.
The search on VirusTotal for content material:”SELECT * FROM backupdb_” offers a few recordsdata from a compromised server that comprise an error message:
WordPress database error: [Table 'interfree.backupdb_wp_lstat' doesn't exist] SELECT EXISTS (SELECT * FROM backupdb_wp_lstat WHERE wp = '117|50|2');
The criminals are seemingly utilizing the database backupdb_wp_lstat, which should have been faraway from the server throughout a cleanup. We had been trying to find this content material on VirusTotal (search time period: content material:”backupdb_wp_lstat”), hoping we might come across a database dump. It’s at all times a good suggestion to arrange these guidelines and do extra retrohunts, which may reveal different invaluable recordsdata or knowledge.
We had been fortunate, and located an archive file containing a SQL dump of the WordPress database from a compromised server on a public malware repository.
The WordPress database dump included this desk that comprises a set of the primary three octets of IP addresses, a block checklist of IP ranges that can’t revisit the Gootloader web site on the identical day
The dumped database comprises a desk referred to as backupdb_wp_lstat. Later evaluation decided that this desk comprises the IP handle blocklist the malicious web site makes use of to stop repeat visits.
The obfuscated PHP code was additionally viewable within the database dump:
A block of base64-encoded knowledge saved as a variable named $pposte in a WordPress database
…as was the injected search engine optimization poisoning content material, with the j$okay..j$okay marker:
Malicious search engine optimization content material phrases embedded in a WordPress database desk, linking the location to an Excel spreadsheet converter search question
Researchers who need to hunt for this identifiable string within the Descriptions property of the malicious touchdown pages can use the regex /j$okay([0-9]{1,10})j$okay/
The “place marker” string seems within the OpenGraph metadata search engine optimization headers of a Gootloader-modified internet web page
This marker serves as placeholder for the spot the place Gootloader’s hyperlink to the web page renderer script is inserted. When the Gootloader web page is served up, it excludes the marker from the web page supply.
Nevertheless, the code extracted from the SQL database dump was not precisely the identical as what was proven within the Sucuri weblog. We continued looking for extra examples by pivoting on the C2 server my-game[.]biz, and located a handful of PHP recordsdata referring to that server:
Information that comprise references to the Gootloader “mothership” web site (screenshot courtesy of VirusTotal)
The submission identify commented_functions.php appeared promising. Certainly, it turned out to be seemingly the work of a researcher, analyzing the PHP supply code from the compromised WordPress set up. It was kindly documented intimately, saving us some evaluation time (which additionally helped as a result of we didn’t have all of the elements).
Commented textual content, preceded with double slashes, paperwork the Gootkit traits of modified internet pages
We had been ready to make use of the base64 string referenced within the “html” remark above to go looking VirusTotal, which led us to a (comparatively) just lately uploaded SQL dump.
a WordPress database dump in VirusTotal
The dump file contained the beforehand referenced base64 blob…
A SQL dump from a compromised WordPress set up comprises base64-encoded components of the Gootkit/Gootloader modifications
…which, when decoded, output the identical code that was initially printed by Sucuri:
The decoded base64 knowledge from the WordPress database reveals the PHP script that handles decoding the malicious content material for a web site customer
With this in hand, we had larger confidence within the provenance of this malicious code. We additionally recognized the desk the place Gootloader shops it in a compromised WordPress database. Having positioned the dump of the WordPress database and the PHP code on the web decoder web site, we have now an entire copy of the malicious content material hosted on the compromised touchdown websites.
What’s within the touchdown web page code?
This code comprises a easy PHP command shell, which the Gootloader attackers can use to take care of entry to compromised pages.
The variable $pposte holds the identify of the parameter that will get executed. If the compromised web site receives an HTTPS POST with that string in it, the code on the web page will decode and execute any base64 encoded instructions it receives, turning right into a bare-bones command shell the attackers can use to take care of management over the server:
A easy command shell Gootloader inserts into the PHP operating in a WordPress web site the menace actors have compromised
At different factors contained in the code, the script defines filters for WordPress occasions, which set off the execution of capabilities primarily based on predefined circumstances.
For instance, the next perform executes as soon as the attackers have arrange the compromised WordPress surroundings: the invoked code (referenced as “qvc5”) initializes the backupdb_wp_lstat database desk.
add_action("wp", "qvc5");
This snippet from the qvc5() perform initializes the backend databases utilized by Gootloader:
On getting ready the requested internet web page, the malicious occasion handler hooks construct the request to the “mothership” (a reputation I’ve given to the web site the Gootloader operators use to centrally handle their fleet of compromised blogs). The communication sends the mothership the next parameters of the preliminary request, all in base64 encoded kind:
One in all Gootloader’s most problematic behaviors is that it solely permits the potential sufferer to go to the location as soon as in a 24-hour interval. It does this by including the originating IP handle of this communication (the handle of the sufferer PC, variable ‘b’ above) to a block checklist. The server additionally geofences IP handle ranges, and solely permits requests to originate from particular nations of curiosity to the Gootloader menace actor. The referrer string (variable ‘d’ above) comprises the unique search phrases.
(On this instance, the “&d=” referrer string is the base64-encoded worth of “google/?q=cisco_wpa_agreement”)
Later, we’ll see that the server’s response would be the pretend discussion board web page renderer code.
The mothership sends the pretend discussion board web page
The mothership response comprises two elements: one comprises the HTML header components, and the opposite comprises the web page physique content material. The 2 are delimited within the code by a tag.
The header half comprises a number of components, separated by pipe (“|”) characters. Utilizing what it will get from the mothership, the touchdown web page code will collect the HTML content material:
The portion of the Gootkit code that collects the HTML content material of the pretend web page it is going to later draw excessive of the compromised web site
The script provides the whole /24 IP handle vary the place the request originated to a 24-hour block checklist. Neither the originating laptop, nor any others with the identical preliminary three units of numbers in its IP handle, can get the web page once more for not less than a day. (This was already seen within the SQL database dump):
The Gootkit code blocks repeat guests by including not solely the customer’s IP handle vary to a block checklist, however the whole class C IPv4 handle vary on both aspect of the customer’s handle, only for good measure
How Gootloader renders the pretend discussion board web page
If the request comes from an IP handle that isn’t on the block checklist, the malicious code within the compromised WordPress database takes motion and delivers the bogus message board content material (usually titled merely “Questions And Solutions”) to the customer’s browser.
The Gootloader pretend discussion board web page, that includes a “query” and an “reply” that hyperlinks to the Gootloader JScript first-stage payload
The one seen malicious content material within the supply code of a compromised touchdown web page is a straightforward inserted JavaScript tag. For instance:
Right here, once more, the distinctive key for the contaminated server is used as a parameter assigned to a numeric worth (1174868 within the above instance):
The distinctive key’s linked in a Javascript code snippet embedded within the compromised WordPress server web page.
This
If the HTTPS GET request comprises a question string that features the an infection ID, the handler code sends a request to the mothership and renders the response.
We’re in a position to get the code returned by the mothership by grabbing the pretend touchdown web page HTML supply, and utilizing an internet debugger that data the on-the-fly adjustments.
First it deletes the unique content material of the HMTL web page:
A set of instructions that deletes from view the unique web page content material on the compromised WordPress server web page the customer lands on
…and replaces it with the pretend discussion board textual content…
The alternative content material consists of the textual content of the “Questions And Solutions” pretend discussion board web page
…which additionally comprises the obtain hyperlink for the primary stage JScript payload:
The obtain hyperlink factors to a php script hosted on a special server. This hyperlink delivers the .js file packed right into a Zip archive which contains the primary stage Gootloader payload
The outcome will appear to be a dialog within the weblog feedback by which somebody “asks” a query equivalent to the search question handed from the Google referrer textual content, a “response” seems from a person account named Admin with the search time period hotlinked to the primary stage JScript downloader, and a followup “response” from the identical “person” who “requested” the preliminary query, thanking the admin who “answered.”
Your complete dialog is a fiction. It follows this sample in each Gootloader incident.
A Gootloader pretend discussion board web page in German. The supply code of the web page exhibits the hyperlink factors to a file named down.php hosted on a totally completely different server than the one the place the web page seems. The hyperlink marked in pink will connect with the server that’s internet hosting the first-stage obtain JScript.
The primary-stage downloader web site
The pretend discussion board web page connects to the primary stage obtain server, the place a PHP script serves the primary stage JScript downloader script.
(We acquired a duplicate of this script from one other researcher within the safety group, who needs to stay nameless, underneath TLP:Purple restrictions. Whereas we couldn’t use the script we acquired on this weblog put up, we might use traits of the script to hunt for related samples.)
On the server aspect, this file is embedded as a big Base64-encoded knowledge blob, with textual content that begins:
With this data, we might seek for related scripts, utilizing this Yara rule:
rule gootkit_stage1_dl{
strings:
$a = "
This gave us a handful of different variants of the script, with the principle distinction being the obtain URL:
We noticed two mothership addresses, 5.8.18[.]7 and my-game[.]biz within the samples we studied. On the time we initially researched this, the my-game area resolved to that IP handle (it now resolves elsewhere). Oddly, the compromised touchdown web page code hyperlinks to the area, and the primary stage JScript downloader hyperlinks to the IP handle.
The primary stage obtain script (down.php or be a part of.php or about.php or index.php) merely relays the incoming request to the mothership:
The supply code of the PHP script that delivers the primary stage Gootloader payload
The request despatched to the mothership will return the first-stage downloader JScript packaged in a Zip archive. As a result of it passes the unique referrer string all the best way to the mothership, it is going to obtain the unique search phrases, and might return a payload with a file identify matching these search phrases, which is what we’ve noticed occurs.
How Gootloader compromises WordPress servers
Close to the tip of our preliminary analysis, we discovered an essential piece of details about the seemingly supply of the preliminary compromise of the internet hosting WordPress servers. As we collect extra data, it’s price revisiting prior analysis, which can reveal clues that we didn’t know had been associated on the time.
The writeup describes an assault the place attackers positioned a modified copy of the Hiya Dolly plugin within the WordPress uploads listing (e.g. wp-content/uploads/), which they then used to provoke the set up of the malicious WordPress content material.
HelloDolly.php has been a inventory plugin, included with the WordPress self-hosted obtain, for a few years. In any case, modifying this code in a comparatively benign plugin, and leaving it in place on the compromised server, permits Gootloader to function in plain sight whereas minimizing the filesystem adjustments which may reveal a compromise to an alert webmaster.
There are a number of methods by which a menace actor may have the ability to place a file right into a WordPress web site: The credentials for the net server may need been phished or stolen; a WordPress part could have had a vulnerability that permitted distant customers to carry out SQL injection or command execution exploits on the host server; the executive WordPress password may need been stolen.
On this case, the writeup comprises a screenshot:
Screenshot of the modified HelloDolly.php script (courtesy of the Wealthy Infante weblog)
We searched VirusTotal for extra of those recordsdata:
content material:"dolly_css"
Whereas we discovered a number of clear, unique variations of the HelloDolly.php file…
Right here, the malicious HelloDolly PHP script is put in as a WordPress plugin underneath the trail:
wp-contentpluginsHello_DollyHelloDolly.php
One other format of the modified HelloDolly.php script exhibits the distinctive identifier string
The malicious PHP recordsdata present the extra code, together with the unique Hiya Dolly lyrics. An inserted code will verify the POST request for particular parameters, and if discovered, will execute the submitted set up code.
A variation on the Gootloader-modified HelloDolly.php script
We discovered different variations the place the $dolly variables are renamed $wp
A screenshot that summarizes the modification course of Gootloader makes use of (picture courtesy of the Wealthy Infante weblog)
We discovered these elements within the SQL database dumps, giving us sufficient confidence to ascertain that this was (not less than) a method the attackers compromised these reliable WordPress websites to show them into distribution servers.
A WordPress database dump comprises the identical components that the Wealthy Infante weblog references
Sadly, as a result of this has all been maintained on a server that’s straight managed by the menace actors, no matter supply code it could comprise just isn’t obtainable to researchers.
Disturbingly, since 2018 when Gootloader first appeared on the scene, it has used the identical area, and for many of that point, the area pointed to many of the identical IP addresses.
5.8.18[.]7
The my-game[.]biz area resolved to this IP handle for a number of years. Most of the malicious scripts level straight at URLs hosted on this IP handle to ship elements of the an infection.
Recognized URLs:
http://5.8.18[.]7/filezzz.php
The preliminary elements of the an infection are recordsdata generally known as Gootkit. They’re often simply PHP scripts that comprise a base64-encoded string and a script to decode the information and output it to a variable, comparable to this file (variably known as be a part of.php or down.php).
The encoded type of a PHP script that delivers the .js payload
We had been additionally in a position to establish a number of Gootkit recordsdata that check with, or hyperlink to, this IP handle, together with this script, and this script. Each of those recordsdata comprise error messages that check with one thing not having the ability to fully obtain a part.
A screenshot of a file uploaded to VirusTotal exhibits references to the IP handle previously used to host the Gootkit/Gootloader “mothership” server
Apparently, the server-side downloader script was named file_tmp_41.php, which is not like the downloader scripts seen usually. That will point out this script was an artifact of testing.
If we pivot off of this data, and (for instance) search VirusTotal for content material:” . The outcome yields extrarecordsdata, each of which comprise a URL that we’ve beforehand mentioned:
This was one other handle that my-game[.]biz has resolved to up to now. We had been capable of finding one other first-stage Gootkit part that hyperlinks on to this IP handle.
91.215.85[.]52
Yet one more IP that has been used to host my-game[.]biz and continues to take action. We discovered nonetheless one other first-stage Gootkit script that hyperlinks to this IP handle.
my-game[.]biz
The positioning is clean now, however the Web Archive reveals an attention-grabbing origin story to this area: In 2014, it was used to host a Russian on-line playing web site. Since 2018, the web page has hosted no different content material however has been linked to the Gootkit/Gootloader malware.
The my-game web site because it appeared in 2014, a Russian-language playing web site referred to as “On line casino Sport Life”
The one different reference we might discover to the area was a Counter-Strike clan listing relationship again greater than 15 years.
The my-game area that continues to host the Gootkit/Gootloader mothership initially belonged to a German workforce that performed the sport Counter-Strike competitively
The listing lists this web site as the house web page for a gaggle of “semi skilled” gamers primarily based in Germany who performed underneath the deal with #mY-GaMe.
Title: #mY-GaMe
Clan-Tag (Kürzel): #mY-GaMe`
Land (Hauptsitz des Clans): Deutschlandweit
Ort (Hauptsitz des Clans): Deutschlandweit
Chief: pr0nb1tch
ICQ#: 256558686
Homepage: http://www.my-game.biz
Anzahl der Spieler: 10
Artwork der Spielmodi: Leaguez
Clan-Profil: Semi-Profi-Clan
Clan sucht neue Spieler: Ja
Chief: kevin.goe@on-line.de
Open-source intelligence reveals lots
With a malware an infection methodology seemingly designed to make it as troublesome as doable for researchers to dig in and study the way it works, Gootloader stays one of the crucial pernicious and difficult-to-study threats on the internet.
Nevertheless, regardless of most of its code current and operating inside different individuals’s WordPress servers, the proliferation of on-line evaluation instruments offers a wealthy pool of alternative to find out how the malware works, and the way its loader delivers payloads. Due to the sources uploaded by quite a lot of completely different analysts and researchers, we’ve been in a position to construct a virtually full image of how the malware operates.
The PHP scripts, embedded JavaScript elements, and downloadable JScript payloads of this an infection are actually effectively understood, and but the malware continues to have an effect, greater than six years after it was first found. Thankfully, because of the comparatively sluggish tempo of the malware’s growth and its comparatively steady internet hosting of the “mothership” server, static and dynamic detections stay efficient.
And a ultimate be aware about collaborative analysis initiatives. It pays to develop and keep relationships with the malware evaluation and safety analysis group. For this venture, we acquired assist from a number of researchers, a few of whom didn’t need to be acknowledged. Our recommendation: If you happen to do this type of work, don’t hesitate to share your findings; one can find that the trouble you put money into collaboration with colleagues throughout the trade will finally repay once you want data. We’re grateful for the help and assist we acquired from a number of people.
Acknowledgments
Sophos X-Ops gratefully acknowledges the contribution of Marv Ahlstrom, an search engine optimization professional who suggested us about varied elements of Gootloader/Gootkit’s malicious search engine optimization. The creator additionally needs to thank the pseudonymous researchers who use the handles @sS55752750, @SquiblydooBlog, and @GootLoaderSites for his or her help. We additionally acknowledge and are grateful for analysis beforehand printed by Sucuri and Wealthy Infante. X-Ops researcher Andrew Brandt contributed to this evaluation.
