In today’s post we discuss emerging techniques that attackers are using to hide the presence of malware. In the example we discuss below, the attacker’s goal is to make everything look routine to an analyst so that they do not dig deeper and discover the presence of malware and what it is doing. We describe how this technique works, and we touch on the psychological underpinnings of the technique the attacker is using.

Wordfence detects the malware that is described in this post, even though it may be missed by a human security analyst doing a manual inspection. We have provided detection for this malware variant since 2019, for both our free and Premium Wordfence customers.

Novel Malware Loading Technique Analysis

One of the more sophisticated mechanisms that malware creators use consists of an innocuous-looking “loader” file that includes or executes a more traditional backdoor that is compressed, obfuscated, or remotely-retrieved and thus may have no detectable patterns in the file body.

We stumbled upon a clever malware sample worth sharing. In this file, malicious code was being generated in real time using a simple but well-hidden obfuscation technique in what looked like a perfectly normal and harmless PHP class.

The code abstraction looked almost perfect, each class method was well commented, the business logic looked reasonable, and the code was following the latest code quality standards.

One of the typical “tells” of malware is that a lot of it is poorly or haphazardly written using procedural programming practices, and much of it is obfuscated. This malware was well-written using Object-Oriented programming practices, which implies that it was created by a professional developer, and doesn’t appear to be obfuscated. All of these factors contribute to the file being obfuscated in a very effective way: It appears normal and would take a seasoned security analyst to spot anything suspicious about it.

In his research and writings, Nobel laureate Daniel Kahneman describes a ‘System 1’ and ‘System 2’ mind. Your System 1 mind performs routine tasks. System 2 is your analytical mind, which only engages when the routine is broken or brought into question. An inexperienced analyst, looking at this code might not engage their System 2 mind because everything looks as it should be. It looks routine.

The class describes itself as a simple mime type definitions extension service and its init method seems normal:

However, with malware things might not always be as they appear.

If we take a closer look at the getMimeDescription method:

We notice that the selected indices in the $indicies variable are a bit suspicious.

    2 => wp-content
    6 => themes
    5 => allegro-theme
    3 => includes

In other words, the getMimeDescription method will generate the following path:

wp-content/themes/allegro-theme/includes/admin/buttons-formatting/buttons/btn-accordion1.png

Part of the magic happens in the createMarker method:

The createMarker method returns the following strings depending on whether or not the $type parameter passed to it from the createExtension method is set to 0, 1, or 2:

   [0] => file_get_contents
   [1]  => gzinflate
   [2] => eval

It uses a predefined range of alphabet letters from a – z in the $alpha variable:

$alpha = range('a', 'z');

This function is actually using a standard for loop to generate commonly used suspicious functions while evading detection and is the most obviously obfuscated portion of the code.

For example, in case 2 we have:

And in the $alpha variable we have every letter from the alphabet tied to a number:

Since the for loop is incrementing the array index of $numbers by 1 on every loop it ends up appending the following to the $marker variable::

5(e), 22(v), 1(a), 12(l) which translates to: eval

Such simple but elegant obfuscation techniques demonstrate how malware code can be concealed in unexpected ways.

The next interesting part starts when the prepareDir method is called.

It runs on the output of the getMimeDescription method:

The code above uses join to set the value of $markers to create_function and calls createExtension, which calls  createMarker and places the following code in the $extension variable:

$mime=file_get_contents($mime);$mime=gzinflate($mime);$mime=eval($mime);

These are then combined with create_function in the $dircreator variable in order to execute the malicious code hidden in the btn-accordion1.png file.

The PNG file btn-accordion1.png contained compressed(gzdeflated) malware code to act as an additional layer of obfuscation which can be difficult to detect using traditional techniques. This code, when gzinflated and base64-decoded, reveals a more obviously malicious, but still professionally developed backdoor used to interact with command and control (C2) infrastructure belonging to the attacker.

Below is a sample of btn-accordion1.png file original contents:

1st Layer of obfuscation(gzdeflated):

2nd Layer of obfuscation(base64 encoded):

Deobfuscated:

This reveals 3000+ lines of professionally written malware code, supporting a collection of remote commands including code execution, updates, and files access:

Conclusion

Malware creators continuously develop new obfuscation techniques in order to hide malicious indicators. Even common malware can evade detection if it has clever and unexpected obfuscation. In such cases a deeper look is required in order to identify and understand the malware. Analysts would also do well to keep their System 2 mind engaged, as Kahneman would put it, when analyzing suspected malware.

Malware evolves, but so do the techniques used by malware researchers. Our team continues to develop new technologies, like our machine learning initiative, that speed up the identification of emergent malware variants that may be more difficult for analysts to detect. Wordfence detects the malware mentioned in this post, and has included this detection since 2019, for our free and Premium Wordfence customers.

Good hunting!