SiteLock security experts have found that hundreds of websites based on WordPress, Joomla and CodeIgniter got infected by the ionCube malware.
The ionCube malware is an encoding technology used for protecting PHP software from being viewed, changed, and run on unlicensed computers.
While analyzing an infected WordPress website, the experts found many suspicious files, such as “diff98.php” and “wrgcduzk.php”, disguised as legitimate ionCube-encoded files to trick victims. According to the researchers’ analysis, hundreds of websites were infected by exactly the same ionCube malware.
“While reviewing an infected site, the SiteLock Research team found a number of suspiciously named, obfuscated files that appear almost identical to legitimate ionCube-encoded files. We determined the suspicious ionCube files were malicious, and found that hundreds of sites and thousands of files were affected.” the SiteLock analysis states.
“Overall, our investigation found over 700 infected sites, totalling over 7,000 infected files.”
Apart from the sites based on WordPress, deeper analysis of the malware revealed that hackers compromised Joomla and CodeIgniter websites as well.
Theoretically, the parasite could infect any website based on a web server running PHP, once decoded, the fake ionCube files compose the ionCube malware.
“While there’s still some degree of obfuscation, the presence of the $_POST and $_COOKIE superglobals and the eval request at the end of the file reveal its true purpose: to accept and execute remotely supplied code.” the analysis reads.
“It looks like the remote code supplied to this file is further obfuscated and there may be some sort of access control implemented, judging by the GUID-formatted string present.”
In addition, the security experts advised administrators to check the presence of ionCube-encoded files on the system as an indicator of compromise.
In case an infection is detected, the scanning of the entire website is highly recommended, to completely eliminate the threat. Also, the adoption of a web application firewall (WAF) is obligatory.
“If you find indicators of this infection, we strongly recommend having your site scanned for malware as soon as possible, as this malware seldom appears on its own.” the analysis concluded.
“This is especially important if you are using an ionCube-encoded application, as manually differentiating the malicious files from the legitimate ones is difficult, and it is common to see up to 100 slightly different variants of this malware on a single site. “
