Security researchers at SiteLock have discovered that hundreds of websites based on WordPress, Joomla and CodeIgniter have been infected with malware that masquerades as legitimate ionCube-encoded files.
ionCube is an encoding technology used to protect PHP software from being viewed, changed, and run on unlicensed computers.
The experts were analyzing an infected WordPress website when discovered a number of suspicious obfuscated files – such as “diff98.php” and “wrgcduzk.php” – appearing almost identical to legitimate ionCube-encoded files. Further analysis conducted revealed that hundreds of websites were infected by the same ionCube Malware.
“While reviewing an infected site, the SiteLock Research team found a number of suspiciously named, obfuscated files that appear almost identical to legitimate ionCube-encoded files. We determined the suspicious ionCube files were malicious, and found that hundreds of sites and thousands of files were affected.” reads the analysis published by SiteLock.
“Overall, our investigation found over 700 infected sites, totalling over 7,000 infected files.”
Further analysis revealed that attackers also compromised Joomla and CodeIgniter websites. Threat actors packed their malware in a manner that appears ionCube-encoded files.
The malicious code could theoretically infect any website based on a web server running PHP, once decoded, the fake ionCube files compose the ionCube malware.
“While there’s still some degree of obfuscation, the presence of the $_POST and $_COOKIE superglobals and the eval request at the end of the file reveal its true purpose: to accept and execute remotely supplied code.” continues the analysis. “It looks like the remote code supplied to this file is further obfuscated and there may be some sort of access control implemented, judging by the GUID-formatted string present.”
The researchers also provided recommendations to mitigate the ionCube Malware, they suggest administrators check the presence of ionCube-encoded files as an indicator of compromise.
If an infection is detected, the scanning of the entire site is recommended, to completely eliminate the threat, the researchers also suggest the adoption of a web application firewall (WAF).
“If you find indicators of this infection, we strongly recommend having your site scanned for malware as soon as possible, as this malware seldom appears on its own.” concluded the analysis.
“This is especially important if you are using an ionCube-encoded application, as manually differentiating the malicious files from the legitimate ones is difficult, and it is common to see up to 100 slightly different variants of this malware on a single site. “