From the defender’s perspective ransomware is the biggest threat in the modern cybersecurity landscape. From a criminal perspective it’s a highly lucrative form of cybercrime, and perpetrators face only negligible chances of being prosecuted with less than 20 arrests reported in 2020 [1]. The highest amount of ransom ever paid by a single company for a single incident is $40 million US dollars [2][3], however, the cost of a ransomware attack is not limited to ransom payments. Companies can incur millions more in remediation costs, service downtime, legal settlements, higher insurance premiums, and potentially suffer long-term deleterious effects to their brand reputation [4]. One report estimates that 74% of ransomware payments go to Russian backed groups; more than $400 million USD in 2021 [5]. Another report from blockchain research group Chainalysis suggests that nearly $700 million USD in ransomware ransom was paid in 2020 [6] [7]. Not all ransomware strains…
Malware Analysis
In part 1 of PHP Malware series, we learned what a web-shell is and learned some basic ways that an attacker can build web-shell in PHP. In part two we took a look at how web-shells can be hidden using base 64 encoding and AES encryption techniques. In part three we’re gonna look at other crafty ways that an attacker could obfuscate PHP web shell or other malware such as a stealer which would exfiltrate sensitive data as it’s processed by a website. Cyber criminals want to avoid malware being found, and when it is found, they want it to be difficult for a researcher to discover what the malware is doing. An an attack technique is novel, attackers don’t want defensive security researchers to be able to use the technique information to build defensive strategy or make the information public. In order to demonstrate the skill’s of reverse engineering…
In part 1 of this series on PHP malware, we learned what a web shell is and looked at some basic examples. Basic web-shells are not too difficult to find since there are only so many commands that can be used to execute a string as a shell command. However, most attackers would not include a basic web shell such as the ones discussed in the first video. They know it would be much too easy to find and dwell time would be short. Instead the attacker will encode or encrypt the malware so it is more difficult to find. Also, there is an important difference between encrypting and encoding. Before we look at some more advanced ways to hide malware, let’s understand the difference between these two terms. What is Encoding? Encoding refers to the process of converting data from one form to another. Encoding does not normally imply…
In this this series of articles and videos, I will explore some PHP malware code that has been publicly published. All the samples discussed are derived from a GitHub repository maintained by marcocesarato. The advice from Syspect CyberSecurity Consulting is to always maintain solid web-server security through hardened configuration and monitoring, and vulnerability scanning both internal and external surfaces with a tool such as CISOfy’s Lynis or Greenbone’s GVM. For an example of solid LAMP stack server security you can visit the Syspect’s VPS Deploy WordPress GitHub repository which is a tool for automatically deploying a WordPress website on a hardened Linux VPS Server. If you don’t want to secure your own WordPress installation, you can hire a trained security consultant such as Syspect CyberSecurity Consulting, or you can use another 3rd party managed hosting provider. PHP is a scripting language which means its source code is usually in human…