Deobfuscating a Malicious PHP Downloader

A PHP script was sent to me by reader Nuno who got this from a hacked Joomla website and wanted to know what this was. He said this script was prepended to several legitimate PHP files. Looking into this a bit, I found that this is related to Wordpress hacks via MailPoet back in 2014 according to Sucuri (here and here).

The original script from 2014 is pretty much the same as this one after you deobfuscate it so it appears that its creator updated the obfuscation layer since then. Here's what the 2014 script looks like:

And then it was modified some time later.

This is what the PHP script looks like today.

At the bottom is the code that deobfuscates the above. I make the following change as you can see.

And I get the deobfuscated result.

However, the result gets truncated. It's probably because there's HTML-looking tags in there so I have to modify my change to this:

Now I can get the entire script.

After I unescape it, I can see at the bottom a call to the deobfuscation function. I repeat the same step as above.

To get this:

I keep doing this for two more rounds and I end up with this. The for-loop at the bottom deobfuscates the last remaining blobs by passing it to the "oo1" and "oo2" functions above.

I grab functions from the previous rounds and put them all here. Finally you can see what this does.

The script gets some HTTP info, randomly selects a domain (33db9538 .com, 9507c4e8 .com, e5b57288 .com, or 54dfa1cb .com), and makes a request to its C&C using one of five methods until one works. The HTTP GET requests look something like this:

hxxp://54dfa1cb[.]com/743373?nBcDCJtttnWOB7AFwE6JSD2%252 B9FWohBE48s54engkXvlo7MmPmabcMTRfK5tqJyYRYA4xsNOviBQDEFq2uGAIfWs%253 D.vxcX.60JI.vXyZAJNtdCnP.%252FkaXEZd1

hxxp://33db9538[.]com/941577?cqzyJtttwfqjfH%252FwfN8k7f%252 FSpz9SnXR016abcKoeOzkdP9zUs2oUlKyoGy6DqbbxOPukqZ5y%252FDEFLjNyQU2GGmY%253 D.Uazm.Bfm5.UXyZLzR9z6bi.EPWaPjBl

None of the sites were responding with anything useful at the time of this writing so I don't know what the payload is but if it's the same as it was back in 2014 then backdoors are created on the site and overwrites legitimate files in the process.

This is what all of the C&C websites look like:

If you get hit by this then you would probably need to do a fair amount of cleanup, restore from backups, or rebuild your site to ensure no backdoors are left behind.

File: 1.php
MD5: 3ED6699CE373F6BEED22F490B1D93219
VT: 2 / 54

File: 2.php
MD5: 69A1CDF5E389D6388ABB3E6DA198D998
VT: 8 / 54

File: 3.php
MD5: 733C0DD3099C514A7D067D0A20657650
VT: 4 / 54

Posted on: 10/15/2016