98.172.253.136-2018-08-03a

Apache web server redirector

Creates a .htaccess file if the compromised host is not blacklisted, and undoes the work that the Vigilante Malware Detector did.

Apparently there's a less general un-vigilante in use in the wild.

Origin

IP Address 98.172.253.136

Looks like a Cox Communications residential IP address.

NetRange:       98.172.192.0 - 98.172.255.255
CIDR:           98.172.192.0/18
NetName:        NETBLK-HR-CBS-VOIP-98-172-192-0
Customer:       Cox Communications (C01777751)
RegDate:        2007-11-13
Updated:        2007-11-13

p0f3 says it runs Linux:

[2018/08/01 05:26:27] mod=syn|cli=98.172.253.136/34838|srv=162.246.45.144/80|subj=cli|os=Linux 3.11 and newer|dist=11|params=none|raw_sig=4:53+11:0:1424:mss*20,7:mss,sok,ts,nop,ws:df,id+:0

Download

Apparently, the attacker thought they were downloading to oRb's "WSO" (also known as "FilesMan") web shell. The download went to the URI /blog/wp-content/themes/twentytwelve/404.php, a common place to stash web shells, and it carried the HTTP parameters "pass", "action" and "p1". The "action" parameter had the value "RC", which causes WSO to evaluate PHP code arriving in the "p1" parameter. The "p1" parameter contained PHP code made up of a base64-encoded string and a call to the eval() builtin to execute the decoded string.

Deobfuscation

The code putatively sent to WSO only had a single layer of base64 encoding. Presumably this encoding just keeps simple pattern-matching IDS from triggering, or maybe it just keeps web servers, PHP interpreters and WSO code from having problems with unusual characters. Hard to say.

The deobfuscated PHP source has another base64-encoded string in it.
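The peeling described above (one eval(base64_decode(...)) wrapper, then a second base64 literal that is not eval'd but used as data) is mechanical enough to script. The following is an added example, not code from this repository or from the captured sample: it strips eval(base64_decode()) wrappers layer by layer, then decodes any remaining base64_decode() literals in the innermost layer. The sample p1 value it analyzes is constructed here to have the same shape as the one described, not the real payload.

```python
import base64
import binascii
import re

# Literal inside eval(base64_decode("...")) or eval(base64_decode('...')).
_EVAL_B64 = re.compile(
    r"""eval\s*\(\s*base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)\s*\)""",
    re.IGNORECASE,
)
# Any base64_decode("...") literal, eval'd or not (e.g. a payload destined for disk).
_ANY_B64 = re.compile(
    r"""base64_decode\s*\(\s*['"]([A-Za-z0-9+/=\s]+)['"]\s*\)""", re.IGNORECASE
)


def _decode(literal: str) -> str:
    """Decode one base64 literal, tolerating embedded whitespace and non-UTF-8 bytes."""
    raw = re.sub(r"\s+", "", literal)
    return base64.b64decode(raw, validate=True).decode("utf-8", "replace")


def peel_layers(php_src: str, max_layers: int = 10) -> list:
    """Return [layer0, layer1, ...]: layer0 is the input, each later entry is the
    decoded argument of the eval(base64_decode(...)) wrapper found in the previous one."""
    layers = [php_src]
    for _ in range(max_layers):
        m = _EVAL_B64.search(layers[-1])
        if not m:
            break
        try:
            layers.append(_decode(m.group(1)))
        except (binascii.Error, ValueError):
            break  # malformed literal: stop rather than mis-decode
    return layers


def embedded_payloads(php_src: str, min_len: int = 40) -> list:
    """Decoded text of base64_decode() literals still present in a layer
    (for this sample, the string the code would write to .htaccess)."""
    out = []
    for m in _ANY_B64.finditer(php_src):
        if len(re.sub(r"\s+", "", m.group(1))) < min_len:
            continue
        try:
            out.append(_decode(m.group(1)))
        except (binascii.Error, ValueError):
            continue
    return out


def analyze(p1: str) -> dict:
    """Triage summary for the contents of a WSO 'p1' parameter."""
    layers = peel_layers(p1)
    inner = layers[-1]
    return {
        "wrappers_removed": len(layers) - 1,
        "innermost": inner,
        "payloads": embedded_payloads(inner),
        "writes_htaccess": ".htaccess" in inner and "file_put_contents" in inner,
    }


# --- Constructed sample (not the captured payload) ---------------------------
# Text standing in for the .htaccess contents the real sample drops.
SAMPLE_HTACCESS_TEXT = "# constructed stand-in for the dropped .htaccess\nRewriteEngine On\n"
_inner_php = (
    "<?php $h = base64_decode('"
    + base64.b64encode(SAMPLE_HTACCESS_TEXT.encode()).decode()
    + "');\nif (@file_put_contents('.htaccess', $h)) { echo '#####good#####'; }\n"
)
# One layer of base64 around it, as the real p1 parameter had.
SAMPLE_P1 = "eval(base64_decode('" + base64.b64encode(_inner_php.encode()).decode() + "'));"

if __name__ == "__main__":
    result = analyze(SAMPLE_P1)
    print("wrappers removed:", result["wrappers_removed"])
    print("innermost layer:\n" + result["innermost"])
    for payload in result["payloads"]:
        print("embedded payload:\n" + payload)
```

Running it against a real capture means passing the URL-decoded p1 value to analyze(); the decoder stops, rather than guessing, when a literal is not valid base64, and the max_layers cap keeps a pathological input from looping.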

Analysis

The deobfuscated code does two things:

  1. Conditionally write out a .htaccess file, which would probably end up in the directory /blog/wp-content/themes/twentytwelve under Apache's DocumentRoot.
  2. Rename all files (in which directory?) that have a ".suspected" file name suffix so that they no longer have the ".suspected" suffix.

This last action is the most interesting. There's a Vigilante Malware Cleaner working compromised WordPress sites that renames any file the Vigilantes deem to contain malware to have a ".suspected" suffix. The deobfuscated code undoes that change for files in its directory.

For every file name suffix it removes, the code writes out a line like this:

404.php.suspected size 10562    404.php

The attacker would know which files got renamed and, based on the size, which ones might be of interest.

.htaccess file

The code checks for the compromised host's presence in two blacklists: dns.dbl.spamhaus.org, and google.com safebrowsing. If the compromised host name does not appear in either blacklist, the code base64-decodes a string.

The base64-encoded string in the deobfuscated source would get written into a file named .htaccess. If the write succeeds, the code echoes the string "#####good#####", which lets the attacker know that the .htaccess file is in place.

Only Apache httpd uses .htaccess; nginx and IIS do not. The file itself is oddly formatted, with every line having 30 leading tab characters and at least 30 trailing tab characters. My guess is that the tab characters make a human looking at the .htaccess file believe it has no contents, and perhaps ignore it. Apache reads it correctly; the padding is visual camouflage to divert human readers.

This .htaccess makes Apache return a 403 HTTP status to requests with googlebot, bingbot and Baiduspider User-Agent strings. Apache would redirect any HTTP request with a Referer in a list of 33 very popular domain names to http://yourstockexpert.su with a 301 HTTP status code.
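The two traits just described, whitespace padding that hides the directives from a casual look and Referer-conditioned redirects to an outside host, are what a site owner would want to scan for across a WordPress install. The following is an added example, not code from this repository: a small .htaccess triage function that strips the padding, reports how much of it there was, and flags the directive patterns the page describes. The sample file it checks is constructed here to mimic the described layout (30 tabs either side of each line); the redirect target is a placeholder, not the real one, and the crawler and domain lists are my own short stand-ins.

```python
import re

# --- Constructed sample modelled on the described file (not the real one) ----
_DIRECTIVES = [
    "RewriteEngine On",
    "RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot|Baiduspider) [NC]",
    "RewriteRule .* - [F,L]",
    "RewriteCond %{HTTP_REFERER} (google|facebook|yahoo)\\. [NC]",
    "RewriteRule .* http://redirect-target.example/ [R=301,L]",
]
# Every line padded with 30 leading and 30 trailing tabs, as the page describes.
SAMPLE_HTACCESS = "\n".join("\t" * 30 + d + "\t" * 30 for d in _DIRECTIVES) + "\n"


def padding_stats(text: str) -> dict:
    """How many non-blank lines carry leading/trailing whitespace, and the
    smallest amount of leading whitespace seen (camouflage shows as a large value)."""
    nonblank = [ln for ln in text.splitlines() if ln.strip()]
    padded = [ln for ln in nonblank if ln != ln.strip()]
    min_leading = min((len(ln) - len(ln.lstrip()) for ln in nonblank), default=0)
    return {"lines": len(nonblank), "padded_lines": len(padded), "min_leading_ws": min_leading}


def suspicious_directives(text: str) -> list:
    """(kind, directive) pairs for the patterns described in the analysis."""
    findings = []
    for ln in (ln.strip() for ln in text.splitlines()):
        if not ln or ln.startswith("#"):
            continue
        if re.match(r"RewriteCond\s+%\{HTTP_USER_AGENT\}", ln, re.I) and \
                re.search(r"googlebot|bingbot|baiduspider", ln, re.I):
            findings.append(("crawler-user-agent-condition", ln))
        elif re.match(r"RewriteCond\s+%\{HTTP_REFERER\}", ln, re.I):
            findings.append(("referer-condition", ln))
        elif re.match(r"RewriteRule\s+\S+\s+https?://", ln, re.I) and \
                re.search(r"\[[^\]]*R=30[12]", ln):
            findings.append(("external-redirect", ln))
        elif re.match(r"RewriteRule\s+\S+\s+-\s+\[[^\]]*F", ln, re.I):
            findings.append(("forbidden-rule", ln))
    return findings


def triage(text: str) -> dict:
    """Combine padding and directive findings into a verdict for one .htaccess."""
    stats = padding_stats(text)
    findings = suspicious_directives(text)
    kinds = {kind for kind, _ in findings}
    # Camouflaged: every line is padded and even the least-padded line is deeply indented.
    camouflaged = stats["lines"] > 0 and stats["padded_lines"] == stats["lines"] \
        and stats["min_leading_ws"] >= 8
    if {"referer-condition", "external-redirect"} <= kinds:
        verdict = "likely referer-redirect hijack"
    elif findings or camouflaged:
        verdict = "review"
    else:
        verdict = "no findings"
    return {"camouflaged": camouflaged, "findings": findings, "verdict": verdict, **stats}


if __name__ == "__main__":
    result = triage(SAMPLE_HTACCESS)
    print("verdict:", result["verdict"], "| camouflaged:", result["camouflaged"])
    for kind, directive in result["findings"]:
        print(f"  {kind:30} {directive}")
```

In practice you would walk the DocumentRoot with os.walk(), read every file named .htaccess, and call triage() on each; a benign file that merely rewrites a path to "/" is not flagged, because the external-redirect check requires an absolute http(s) target and a 301/302 flag.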

Strangely, yourstockexpert.su is not known to dbl.spamhaus.org.

The yourstockexpert.su DNS name has an A record for 185.173.179.41. One of the yourstockexpert.su DNS servers is also at that IP address.

yourstockexpert.su seems freshly registered by a Russian registrar:

domain:        YOURSTOCKEXPERT.SU
nserver:       ns1.yourstockexpert.su. 185.179.188.50
nserver:       ns2.yourstockexpert.su. 185.173.179.41
state:         REGISTERED, DELEGATED
person:        Private Person
e-mail:        andzhelakondrychenkova@mail.ru
registrar:     REGRU-SU
created:       2018-07-28T19:03:30Z
paid-till:     2019-07-28T19:03:30Z

185.173.179.41 seems to be owned by GalaxyStar, a Russian ISP:

org-name:       GalaxyStar LLC
org-type:       LIR
address:        Lunacharsky st., 185
address:        620026
address:        Yekaterinburg
address:        RUSSIAN FEDERATION
admin-c:        EY1252-RIPE
tech-c:         EY1252-RIPE
abuse-c:        AR37966-RIPE
mnt-by:         RIPE-NCC-HM-MNT
mnt-by:         GalaxyData
created:        2016-10-17T12:18:43Z
last-modified:  2017-11-27T17:19:53Z
person:         Eduard Yamaltdinov
address:        Lunacharskogo, 185, office 305
address:        620026
address:        Yekaterinburg
address:        RUSSIAN FEDERATION

Geolocators put 185.173.179.41 in downtown Yekaterinburg, Russia, so the whois is consistent.