Malware written in PHP?!

The following summary is not a complete analysis. It highlights only the main stages of the malware’s behavior and of the campaign as a whole that the authors considered worth describing.

Analysis of malicious software may reveal a lot about its creator. Sometimes it is highly sophisticated, hard-to-detect APT malware operating at the lowest levels of the system. But what is one to think of a malware author who uses a language designed for building web pages and conceals the result inside a large, legitimate installer? Perhaps some web developer got tired of being the “good guy” and decided to sell their services on the dark side of the internet? Or maybe he doesn’t know any better and built the malicious software with the web development skills he has? The malware described here caught our eye mostly because of its interesting delivery method; however, it proved intriguing in many other ways as well. While identifying the attack’s infrastructure, we uncovered the whole scenario and the complete technique, including the malicious software’s code.

First, the potential victim has to be found. The creators of the malware and the campaign prepared web pages from which a file is delivered to the victim’s computer.

We have identified two approaches to redirecting a potential victim to the page that marks the start of the infection.

The site impersonates a famous person or exploits a popular topic and ranks well in search engine results. An example of such a page:

In English the article’s title reads: “List of the richest Poles 2022: profiles of Polish billionaires and millionaires.”

What makes it even more interesting is that the sites themselves have no “readable” content. Their sole purpose is to deliver an ISO file, selected according to the visitor’s user agent, without any interaction from the user. This is achieved with a simple redirect (HTTP 302) implemented in the server’s configuration, with the file itself served by means of a Content-Disposition header.

Upon entering the site, an ISO file containing an executable is downloaded to the visitor’s computer. The choice of this delivery method is no coincidence: it evades a common security policy of blocking downloads of executable files from the internet. ISO files, due to their size and entropy, are often not scanned by antivirus software, and current Windows versions mount them natively, which delivers the EXE file straight to the user. For the attack to succeed, only a single click to run the program is needed. The attacker counts on the target’s determination to read the site’s content or watch the desired movie.

The site the user lands on is hidden behind Cloudflare’s infrastructure. The SSL certificate was issued by Let’s Encrypt, which is by now standard behavior for criminals: completely unremarkable to ordinary users, but a definite red flag for cybersecurity analysts.

Fig. 2. Part of X.509 certificate for the anntuilshopping[.]com domain.

The date the certificate was issued can hint at when the site and the campaign were prepared.

Through advertisements for new, exciting movies, Facebook users are encouraged to download a malicious file. An example of this method is an ad for the movie Black Panther 2 from November 1st, 2022, which leads to the page:

Fig. 4. The page the ad leads to and from which the malicious file is downloaded.

A site in the sites.google[.]com domain makes a great disguise. It contains nothing alarming; scanning engines and Google, the provider of the service, do not identify a threat in its contents. The domain itself is considered trusted by most security solutions, and downloading files from it usually would not be blocked. However, the link hidden behind the “DOWNLOAD NOW” button leads to a newly created domain.

The SSL certificate for the site suggests that the setup is quite recent.

Similarly to the first delivery method, the infrastructure is hidden behind Cloudflare and uses Let’s Encrypt certificates.

Scenario 1

Scenario 2

Fig. 6. Overview of tools associated with the file.

Basic analysis of the file metadata shows a range of elements used by the malware creators:

One could think that some of these characteristics are a must-have for every installer, such as creating and deleting Volume Shadow Copies or modifying registry entries. Not this time: all restore points are deleted quietly, and the registry changes let the attacker exclude a set of file extensions from Windows Defender detection. The excluded extensions are .scr, .cmd, .dll and .exe, which in practice disables threat protection almost entirely.

Now, let’s see what happens next. The installer drops quite a lot of files:

Analysis of these files suggests that they are not harmful. But is that really the case? One of the dropped files is PowerRun.exe, a free, portable program for running regedit.exe, cmd.exe or other local software with TrustedInstaller or NT AUTHORITY\SYSTEM privileges. That sounds concerning, as it should.

After looking through the whole set of dropped files, it turned out that one of them is php.exe, together with all the files it needs to function properly. The attackers prepared a package that installs a complete runtime environment for the PHP scripting language. Additionally, the package contains a DLL file that decrypts a “mystery” TXT file.

Fig. 8. Running php.exe

After decoding the TXT file, the final PHP script emerges and is executed by the freshly installed PHP interpreter mentioned earlier.

To our surprise, we encountered malware carefully written in PHP: a script following OOP conventions, with accurate comments describing its contents and an event-logging module. Unbelievable? Maybe. Impossible? As the analysis shows, not really. Further inspection of the code proved it to be a typical RAT with infostealer functions.
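As an added illustration from the defender’s side (example code, not part of the original analysis), the following Python runs a few detection rules over constructed Sysmon-style events modelled on the installer behaviour described above: quiet deletion of shadow copies, Defender extension exclusions for .exe/.dll/.scr/.cmd, PowerRun.exe being launched, and a PHP interpreter running from a user-writable directory. Event field names follow Sysmon’s naming (EventID 1 is process creation, EventID 13 is a registry value being set); the file paths, user name and parent process are invented for the example.

```python
"""Host-side triage for the installer behaviour described in the write-up.

Added example; the events below are constructed, not taken from a real host.
"""
import re
from typing import Dict, List

# Real registry key where Microsoft Defender keeps extension exclusions; each
# excluded extension is stored as a value named after it, for example ".exe".
DEFENDER_EXT_EXCLUSIONS = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions"
# The extensions the write-up says the installer excluded.
RISKY_EXTENSIONS = {".exe", ".dll", ".scr", ".cmd"}
# Directories a program can populate without admin rights (lower-case fragments).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")
# Command lines that wipe restore points (vssadmin or its WMI equivalent).
SHADOW_DELETE = re.compile(r"(vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete)", re.I)

# Constructed events (hypothetical paths and names).
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet",
     "ParentImage": r"C:\Users\alice\Downloads\movie_setup.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\movie_setup.exe",
     "TargetObject": DEFENDER_EXT_EXCLUSIONS + r"\.exe", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Users\alice\Downloads\movie_setup.exe",
     "TargetObject": DEFENDER_EXT_EXCLUSIONS + r"\.dll", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Program Files\SomeTool\setup.exe",
     "TargetObject": DEFENDER_EXT_EXCLUSIONS + r"\.log", "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\pkg\PowerRun.exe",
     "CommandLine": r'PowerRun.exe "C:\Users\alice\AppData\Local\Temp\pkg\php\php.exe" -f run.php',
     "ParentImage": r"C:\Users\alice\Downloads\movie_setup.exe"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\pkg\php\php.exe",
     "CommandLine": "php.exe -f run.php",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\pkg\PowerRun.exe"},
    # Benign: a PHP interpreter under Program Files started by a web server.
    {"EventID": 1, "Image": r"C:\Program Files\PHP\php.exe",
     "CommandLine": "php.exe -f index.php",
     "ParentImage": r"C:\Program Files\Apache\bin\httpd.exe"},
    # Benign: an unrelated registry write.
    {"EventID": 13, "Image": r"C:\Program Files\SomeTool\tool.exe",
     "TargetObject": r"HKCU\Software\SomeTool\LastRun", "Details": "2022-11-01"},
]


def triage(events: List[Dict[str, object]]) -> List[Dict[str, str]]:
    """Apply the four rules and return one finding per matching event."""
    findings: List[Dict[str, str]] = []
    for ev in events:
        image = str(ev.get("Image", "")).lower()
        base = image.rsplit("\\", 1)[-1]
        if ev["EventID"] == 1:
            cmd = str(ev.get("CommandLine", ""))
            if SHADOW_DELETE.search(cmd):
                findings.append({"rule": "shadow_copy_deletion", "severity": "high", "detail": cmd})
            if base == "php.exe" and any(d in image for d in USER_WRITABLE):
                findings.append({"rule": "php_interpreter_in_user_path", "severity": "medium", "detail": image})
            if base == "powerrun.exe":
                findings.append({"rule": "privilege_helper_executed", "severity": "medium", "detail": image})
        elif ev["EventID"] == 13:
            target = str(ev.get("TargetObject", ""))
            if target.lower().startswith(DEFENDER_EXT_EXCLUSIONS.lower() + "\\"):
                ext = target.rsplit("\\", 1)[-1].lower()
                # Excluding executable types is far more serious than excluding, say, .log.
                severity = "high" if ext in RISKY_EXTENSIONS else "low"
                findings.append({"rule": "defender_extension_exclusion", "severity": severity, "detail": ext})
    return findings


def count_by_severity(findings: List[Dict[str, str]]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['rule']}: {f['detail']}")
```

Run against the constructed events, the rules raise six findings: three high (the shadow-copy wipe and the .exe and .dll exclusions), two medium (PowerRun.exe and php.exe running from Temp) and one low (the .log exclusion); the php.exe under Program Files started by a web server and the unrelated registry write produce nothing.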

The command-and-control servers listed in the configuration vary among the analyzed samples.

Fig. 9. Configuration of the RAT “Agent PHP”

The program connects to its C2 server over HTTPS. Each victim receives an individual ID ($machineId) and communicates through a unique URL.

Data is transferred with the POST method, files with the UPLOAD method.
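To show how the network-side traits of this campaign could be spotted, here is an added Python example (not code from the original write-up or from the malware) that scans constructed proxy-log records. It flags an ISO served as a Content-Disposition attachment immediately after a 302 redirect, as in the delivery method described earlier, and the C2 pattern just described: repeated POSTs from one client to one host keyed by a per-victim id in the URL, plus use of the nonstandard UPLOAD method. Hosts use the reserved .invalid TLD, and the record format, the id format and the thresholds are assumptions.

```python
"""Proxy-log triage for ISO drive-by delivery and id-keyed C2 beaconing.

Added example; the log lines below are constructed (JSON per line).
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT", "TRACE"}
# Content-Disposition that hands the browser an .iso as a download.
ISO_ATTACHMENT = re.compile(r'attachment;.*filename="?[^";]*\.iso(?:"|;|\s*$)', re.I)
# Path segment that looks like a per-victim identifier (long hex or UUID); an assumption.
ID_SEGMENT = re.compile(
    r"^(?:[0-9a-f]{16,}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})$", re.I)
REDIRECT_WINDOW = 5   # seconds between the 302 and the file download
BEACON_MIN = 3        # requests to the same id-keyed URL before we call it a beacon

# Constructed records: one client fetches an ISO via a redirect and later beacons.
SAMPLE_LOG = """
{"ts": 100, "client": "10.0.0.5", "method": "GET", "url": "https://ranking-example.invalid/richest-list-2022", "status": 302, "location": "https://files-example.invalid/d/report.iso"}
{"ts": 101, "client": "10.0.0.5", "method": "GET", "url": "https://files-example.invalid/d/report.iso", "status": 200, "disposition": "attachment; filename=report.iso"}
{"ts": 150, "client": "10.0.0.7", "method": "GET", "url": "https://docs.example.invalid/guide.pdf", "status": 200, "disposition": "attachment; filename=guide.pdf"}
{"ts": 200, "client": "10.0.0.7", "method": "POST", "url": "https://login.example.invalid/session", "status": 200}
{"ts": 500, "client": "10.0.0.5", "method": "POST", "url": "https://c2-example.invalid/api/3f9c2b1e7a4d5c6b8e9f0a1b2c3d4e5f/", "status": 200}
{"ts": 530, "client": "10.0.0.5", "method": "UPLOAD", "url": "https://c2-example.invalid/api/3f9c2b1e7a4d5c6b8e9f0a1b2c3d4e5f/files", "status": 200}
{"ts": 560, "client": "10.0.0.5", "method": "POST", "url": "https://c2-example.invalid/api/3f9c2b1e7a4d5c6b8e9f0a1b2c3d4e5f/", "status": 200}
{"ts": 620, "client": "10.0.0.5", "method": "POST", "url": "https://c2-example.invalid/api/3f9c2b1e7a4d5c6b8e9f0a1b2c3d4e5f/", "status": 200}
"""


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse JSON-per-line records and return them in time order."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    return sorted(records, key=lambda r: r["ts"])


def detect(records: List[Dict[str, object]]) -> List[Dict[str, str]]:
    findings: List[Dict[str, str]] = []
    redirects: List[Tuple[int, str, str]] = []          # (ts, client, Location)
    beacons: Dict[Tuple[str, str, str], List[int]] = defaultdict(list)
    for r in records:
        url, client, ts = str(r["url"]), str(r["client"]), int(r["ts"])
        method = str(r["method"]).upper()
        if r["status"] == 302 and r.get("location"):
            redirects.append((ts, client, str(r["location"])))
            continue
        if r["status"] == 200 and ISO_ATTACHMENT.search(str(r.get("disposition", ""))):
            # A download that follows a 302 from the same client within a few seconds
            # happened without a visible click: the pattern the write-up describes.
            via_redirect = any(c == client and loc == url and 0 <= ts - t <= REDIRECT_WINDOW
                               for t, c, loc in redirects)
            findings.append({"rule": "iso_attachment_download",
                             "severity": "high" if via_redirect else "medium",
                             "client": client, "detail": url})
        if method not in STANDARD_METHODS:
            findings.append({"rule": "nonstandard_http_method", "severity": "medium",
                             "client": client, "detail": f"{method} {url}"})
        if method not in ("GET", "HEAD"):
            parts = urlsplit(url)
            for seg in parts.path.split("/"):
                if ID_SEGMENT.match(seg):
                    beacons[(client, parts.netloc, seg)].append(ts)
                    break
    for (client, host, seg), times in beacons.items():
        if len(times) >= BEACON_MIN:
            findings.append({"rule": "id_keyed_beacon", "severity": "medium", "client": client,
                             "detail": f"{len(times)} requests to {host} keyed by {seg}"})
    return findings


if __name__ == "__main__":
    for f in detect(parse_log(SAMPLE_LOG)):
        print(f"[{f['severity']:6}] {f['rule']} {f['client']}: {f['detail']}")
```

On the constructed log this yields three findings for client 10.0.0.5: the ISO download rated high because it followed the 302 within the window, the UPLOAD method, and the four id-keyed requests to one host; the PDF attachment and the single login POST from the other client are not flagged.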

The clear code reveals how much the program is focused on stealing information from users’ Facebook accounts: passwords, cookies and tokens tied to ad monetization as well as to general activity on the site. At first glance, it would be easy to conclude that the malware was made strictly for stealing user data from this particular social network.

Fig. 10. Web pages of interest for the “Agent PHP”.

Analyzing other versions of the program showed that the malware is still under development. Elements that appeared later include functions for stealing from cryptocurrency wallets (at the time of analysis this functionality was commented out, which suggests work in progress) and cryptographic functions frequently used in ransomware.

Fig. 11. Parts of the code responsible for stealing from cryptocurrency wallets.

Fig. 13. Diagram illustrating malware’s activity.

“Agent PHP”, as we have tentatively named the malware, is a RAT written in PHP that needs more than 100 MB of additional software (the PHP interpreter and the installer) to function. For us it is an intriguing phenomenon in our cyberspace. Until now, while analyzing malicious software, we were looking for new techniques by which cybercriminals try, in some exceptional way, to gain an advantage over threat protection. Here we encountered a simple but effective implementation of various attack techniques built around a legitimate installer, all set in motion by a single click from the user. This approach can be really hard for antivirus systems to detect as malicious.

Careful study of the emerging campaigns and code changes leads us to believe the creator has great ambitions. He aims to reach his goals by the simplest means, and such a tactic can prove highly effective.
