Researchers have found out that hundreds of websites have been infected with malware that is made looking like legitimate IonCube-encoded files.
The cybersecurity researchers found the malicious files in core directories of a WordPress site, featuring naming patterns associated with malware: diff98.php and wrgcduzk.php. Because of the obfuscated techniques used by the cybercriminals files appear as encoded with IonCube.
IonCube represents an old and powerful PHP obfuscation technology that can be used to scramble text-based PHP files to hide the intellectual property. Due to licensing costs, IonCube isn’t used for malicious purposes.
Cybercriminals found a method to pack their malware in a way that resembles with IonCube-encoded files. The initial infection was spotted on a WordPress, Joomla, and CodeIgniter sites.
During our ethical hacking test, our cybersecurity researchers found that the malware is likely to run on any web server running PHP, and could hide in plain sight by using filenames such as “inc.php” and “menu.php.” Researchers discovered over 7,000 infected files and said that over 700 sites were compromised.
Once decoded, the fake IonCube files turn into the malware itself, which still contains some obfuscation, that is being used to avoid any cybersecurity solution like a reliable web antivirus.
Researchers easily disabled these obfuscation techniques because of the presence of the $_POST and $_COOKIE superglobals and the eval request at the end of the file that reveals its real purpose: to accept and execute remotely supplied code.
The remote code supplied to this file is further obfuscated, and there may be some access control implemented, showing that cybercriminals are making tremendous efforts to avoid being detected by various antivirus solutions.
For any site administrators who haven’t intentionally installed IonCube-encoded files but do find such files on their servers, we recommend them to opt for a reliable cybersecurity solution. If an infection is detected, the scanning of the entire site with a secure cybersecurity solution is supported, to eliminate the threat.
Remember to always protect your systems by backing up their data and using strong passwords. It is also recommended the use of antivirus for Mac or antivirus for Windows depending on which OS do you use.