Whitespace obfuscation: PHP malware, web shells and steganography
Web shells are malicious entry-points used by crooks to interact with the server-side and execute commands remotely. In recent years, these kinds of web-based, shell-like interfaces have been improved and have become more stealthy, thus evading internal defenses and avoiding their detection.
This backdoor is specifically designed to provide subsequent access to a site or system. When the malicious code is executed on a target system, it can open the “doors” facilitating access to the attacker and allowing the bypass of the common authentication flow.
Learn Vulnerability Management
Although there are different kinds of web shells depending on the nature of the target system, we are going to analyze a PHP web shell that leverages the steganography technique to make it hard to detect and allowing the payload persistence for a long time.
Figure 1: High-level diagram of a scenario using a web shell as an initial entry point.
As observed, criminals used known vulnerabilities to upload the malicious code into the remote web server to get code execution. After that, it’s possible to read and write on the server filesystem, upload and download files and also pivot into the internal network, opening the internal doors and then exposing the internal assets.
Steganography to hide the backdoor
A kind of PHP web shell was found by researchers from Sucuri Team in February 2021 that takes advantage of the usage of CSS files that revealed 56,964 seemingly empty lines containing combinations of invisible tabs (0x09), space (0x20) and line feed (0x0A) characters, which when converted to the binary representation are part of an executable JavaScript code.
Figure 2: Payload hidden in CSS files using steganography.
During the investigation, a file called license.php highlighted the researcher’s attention due to a strange block of code found during his analysis. In detail, the license text is placed inside a multi-line PHP comment. Nonetheless, on the 134 a gap between the comments with PHP code is visible.
Figure 3: PHP code along with blocks of comments.
This is not a new technique used by criminals to bypass detection. The PHP code is malicious, but its intent is not executing any kind of web shell payload or code execution.
Whitespace decoder
To understand how this piece of code works, we are going to isolate part of the code in a small piece as presented below.
Figure 4: PHP whitespace decoder.
In short, the code reads the file in chunks of eight chars and converts tabs (nine) and spaces (32) into ones and zeroes. After that, the output is then converted to a decimal number and a char using the chr() function. Using this approach, each octet of whitespaces is converted into a visible string. Finally, the function ‘base64_decode(str_rot13(gzdecode(…‘. is used to decode completely and execute the final payload.
Another way found on the initial code used by the PHP loader is a backup file created with a file name “ “ (just a space) and then executed. With this approach in place, the file name is less visible in file listings and evades detection. After execution, the file is deleted.
The license.php file contains the whitespaces (the final payload) at the end of the file - as presented in Figure 4.
Figure 5: Hex view of the last line of license.php file with the hidden payload.
After executing the script as previously explained, it was possible to reveal the final payload and essentially transform the whitespaces into executable PHP code, the PHP web shell.
Figure 6: Decoded web shell using steganography technique.
From this point, and with a bit of steganography, the web shell is executed on the server-side, and criminals can access the remote server, execute arbitrary commands, escalate privileges and so on.
Learn Vulnerability Management
Dealing with whitespace obfuscation
Obfuscation techniques are often used to hide code and make analysis and detection harder. There are dozens of popular kinds of obfuscations, and criminals are looking for new ways to avoid detection have persistent payloads. By using the steganography approach, criminals can hide the malicious code even under the human analysis as the malicious code is just a few lines of whitespaces when the target file is opened using a common text editor.
In this way, there is a set of activities that can be used to prevent these kinds of attacks:
- Prompt patching of webserver and plugin vulnerabilities
- Reduce the use of plug-ins (and third-party vulnerabilities)
- File integrity monitoring
- Malware scanning/endpoint protection software
- Network segmentation prevents lateral movement
- Server configuration review and hardening.
Sources:
webshell using steganography, Sucuri
zerologon and webshells, Segurança-Informática
Learn Vulnerability Management
Build your vulnerability assessment and management skills with dozens of courses. What you'll learn- Vulnerability scanning
- Classifying and prioritizing
- Patching and mitigating
- Building a program
- And more
In this Series
- Whitespace obfuscation: PHP malware, web shells and steganography
- The most popular binary exploitation techniques
- Roadmap for performing an Active Directory assessment
- The importance of asset visibility in the detection and remediation of vulnerabilities
- Digium Phones Under Attack and how web shells can be really dangerous
- vSingle is abusing GitHub to communicate with the C2 server
- The most dangerous vulnerabilities exploited in 2022
- Follina — Microsoft Office code execution vulnerability
- Spring4Shell vulnerability details and mitigations
- How criminals are taking advantage of Log4shell vulnerability
- Microsoft Autodiscover protocol leaking credentials: How it works
- How to write a vulnerability report
- How to report a security vulnerability to an organization
- PrintNightmare CVE vulnerability walkthrough
- Top 30 most exploited software vulnerabilities being used today
- The real dangers of vulnerable IoT devices
- How criminals leverage a Firefox fake extension to target Gmail accounts
- How criminals have abused a Microsoft Exchange flaw in the wild
- How to discover open RDP ports with Shodan
- Time to patch: Vulnerabilities exploited in under five minutes?
- New Sudo flaw used to root on any standard Linux installation
- Turla Crutch backdoor: analysis and recommendations
- Volodya/BuggiCorp Windows exploit developer: What you need to know
- AWS APIs abuse: Watch out for these vulnerable APIs
- How to reserve a CVE: From vulnerability discovery to disclosure
- SonicWall firewall VPN vulnerability (CVE-2020-5135): Overview and technical walkthrough
- Top 25 vulnerabilities exploited by Chinese nation-state hackers (NSA advisory)
- Zerologon CVE-2020-1472: Technical overview and walkthrough
- Unpatched address bar spoofing vulnerability impacts major mobile browsers
- Software vulnerability patching best practices: Patch everything, even if vendors downplay risks
- What is a vulnerability disclosure policy (VDP)?
- Common vulnerability assessment types
- Common security threats discovered through vulnerability assessments
- Android vulnerability allows attackers to spoof any phone number
- Malicious Docker images: How to detect vulnerabilities and mitigate risk
- Apache Guacamole Remote Desktop Protocol (RDP) vulnerabilities: What you need to know
- Linux vulnerabilities: How unpatched servers lead to persistent backdoors
- Tesla Model 3 vulnerability: What you need to know about the web browser bug
- How to identify and prevent firmware vulnerabilities
- Will CVSS v3 change everything? Understanding the new glossary
- URGENT/11 vulnerability
- 32 hardware and firmware vulnerabilities
- The Zero Day Initiative
- CVE-2018-11776 RCE Flaw in Apache Struts Could Be Root Cause of Clamorous Hacks
- XML vulnerabilities are still attractive targets for attackers
- Broadpwn Wi-Fi Vulnerability: How to Detect & Mitigate
- Mobile Systems Vulnerabilities
- 10 Security Vulnerabilities That Broke the World Wide Web in 2016
- Most Exploited Vulnerabilities: by Whom, When, and How
- Exploiting CVE-2015-8562 (A New Joomla! RCE)
- Security vulnerabilities of voice recognition technologies
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Vulnerabilities
Vulnerabilities
