Box.php Fraud Kit

I've been researching that fake Adobe Flash update and Neutrino EK redirect that other fine researchers have been writing about:

SpiderLabs
Sucuri
F-Secure
MalwareBytes

I don't want to duplicate too much of what they have already covered but here's what I've discovered so far...

Compromised websites have this script injected in HTML pages or external JavaScript files (see SpiderLabs' blog):

Here are some other examples:


After a few moments, the visited website shows a frame offering an Adobe Flash Player update.

Clicking on the link leads to a malicious executable being downloaded. I'm not sure how successful this fraud campaign is but it looks pretty convincing to untrained users.

The landing page of that injected script sets up the fake Adobe Flash Player update frame then calls an external HTML file. You can see the reference to "b.html" in the HTML page below.

Sometime in mid-January, the landing page was updated to include a call to the Neutrino Exploit Kit. Now it seems to be redirecting to the Nuclear Exploit Kit.

Going back to the fake update, here's a portion of the "b.html" page. The "" link is where the malware resides.

After checking numerous sites for additional clues, I was lucky to find an open FTP server so I could download the files behind this campaign.

The HTML files are different pages that try to convince users to download VLC Player, VIO Player, to disable AdBlock, or to enable JavaScript.

There are three PHP files. In the "b.html" file, there's an AJAX call to "checker.php". This PHP file grabs the visitor's IP, presumably for banning repeat visitors and/or to check if it belongs to security companies or sandboxes.

The second file, "okaybox.php", looks like this:

After deobfuscating this, the script turns out to be WSO Shell with weird comments embedded in the script used as fillers.

Interestingly, the individual(s) behind this "kit" often use a PHP shell with a filename that starts with a four-letter dictionary word followed by "box.php" (e.g. agedbox.php, lonebox.php, pastbox.php, ripebox.php, etc.).

The third PHP file is what the compromised website redirects the users to and looks like this. The script has three parts. The top part has a "cfg" variable. The second part has an array of base64 strings. The third part is the main code that references the array.

You can use Converter's Array Search/Replace function to deobfuscate this so that you can see what it's doing, though not necessarily run it (unless you fix the variables by adding quotes where applicable).

What this script basically does is decrypt the "cfg" variable, make a request to some site and pass information about the user and server to it, then take some action depending on the results.

You can fix up the code so you can decrypt the "cfg" variable manually. Cool!

Now we can mimic the script and see what happens. I constructed the URL based on the code (don't visit this link if you don't know what you're doing!):

hxxp://109[.]202[.]108[.]4/mantds/egiybka.php?dom= (compatible; MSIE 8.0; Windows NT 6.1)

This is the same landing page we got at the very top of this article except the iframe source now references our fake site.
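The "box.php" shell names and the redirect script's layout (a "cfg" variable followed by an array of base64 strings) can be turned into a sweep of a web root. The following is an added example, not code from the kit or from the original post; the regexes, the threshold and the assumption that the variable's PHP name contains "cfg" are mine, and the sample input is constructed.

```python
import base64
import re
import sys
from pathlib import Path

# Four lowercase letters + "box.php" (okaybox.php, agedbox.php, ...). A regex
# cannot tell a dictionary word from a legitimate name such as mailbox.php,
# so a name hit is a lead for manual review, not a verdict.
BOX_NAME = re.compile(r"^[a-z]{4}box\.php$")
# Assumption: the "cfg" variable has "cfg" in its PHP name.
CFG_ASSIGN = re.compile(r"\$\w*cfg\w*\s*=", re.IGNORECASE)
# Assumption: array entries are quoted base64 literals of 16+ characters.
B64_LITERAL = re.compile(r"""["'][A-Za-z0-9+/]{16,}={0,2}["']""")
MIN_B64_LITERALS = 5  # assumed threshold; tune against your own code base


def findings(name, php_source):
    """Return the list of indicators one PHP file matches (empty if none)."""
    hits = []
    if BOX_NAME.match(name.lower()):
        hits.append("box-name")
    if (CFG_ASSIGN.search(php_source)
            and len(B64_LITERAL.findall(php_source)) >= MIN_B64_LITERALS):
        hits.append("cfg-base64-layout")
    return hits


def scan(web_root):
    """Walk web_root and report every .php file with at least one indicator."""
    report = {}
    for path in sorted(Path(web_root).rglob("*.php")):
        if not path.is_file():
            continue
        hits = findings(path.name, path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report


def constructed_sample(n=6):
    """Constructed stand-in for the layout described; not the kit's code."""
    words = ",".join('"%s"' % base64.b64encode(b"constructed value %d" % i).decode()
                     for i in range(n))
    return '<?php $cfg = "%s"; $a = array(%s); ?>' % ("A" * 24, words)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for file, hits in scan(sys.argv[1]).items():
            print(file, ",".join(hits))
    else:
        print(findings("index.php", constructed_sample()))
```

Run it with a web root as the only argument; files reported with only "box-name" need a manual look, since names like mailbox.php match the same pattern.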

Posted on: 01/30/2014