I’ve previously written about malware that reverses security hardening measures enacted either manually by the owner or through the use of a security plugin installed in WordPress. What attackers may find problematic with reversing security hardening is that a security plugin that monitors files can detect any changes and alert the owner via email notification or within the WordPress dashboard. Unfortunately, PHP malware exists which solves this problem for the attacker by immediately disabling the most commonly used security plugins and preventing them from being reactivated in the WordPress dashboard. If a user tries to reactivate one of the disabled security plugins, it will momentarily appear to activate, only for the malware to immediately disable it again. This behavior will prevail until the malware is fully removed from the compromised environment, making it more difficult to detect malicious behavior on the website.

This GIF shows a WordPress installation with a number of activated plugins, four of which are popular security plugins and two non-security plugins. The animation clearly demonstrates how the non-security components are unaffected by the PHP malware while the four security plugins are disabled.

The malware was found within the file wp-includes/IXR/class-IXR-cache.php. The injection causes wp-load.php to load the malicious file through the use of require_once. It starts by assigning the website’s root directory to DIZIN to help obfuscate loading the core WordPress file wp-load.php: `if ( ! defined ( 'DIZIN' ) )`. Since wp-load.php is run on every page load on a WordPress website, any reactivated plugins would be easily disabled automatically upon the next page load, regardless of whether it is from the same user or a new visitor on the website’s homepage.

For more than five years, macOS users have been the targets of a sneaky malware operation that used a clever trick to avoid detection and hijacked the hardware resources of infected users to mine cryptocurrency behind their backs. This cryptominer Trojan spread unchecked for some five years. An AppleScript feature designed to compress scripts into pre-compiled form has allowed bad actors to evade security researchers for years. So-called run-only scripts, what we might today call bytecode, are poorly documented and difficult to analyze. Run-only AppleScripts are surprisingly rare in the macOS malware world, but both the longevity of and the lack of attention to the macOS.OSAMiner campaign, which has likely been running for at least 5 years, shows exactly how powerful run-only AppleScripts can be for evasion and anti-analysis.