Looks like simppelli really does exist as a WordPress theme. This, however, is a kinked version of "simppeli", modified in lots of nonsensical ways, and containing a grab bag of miscellaneous malware.
The attackers thought they were dealing with /wp-admin/update.php, in "upload-theme" mode. They downloaded a file named simppelli.zip. A real WordPress install would have unzipped that file in the right place for it to act as a theme.
107.175.218.241 has no A DNS record. whois says it's a ColoCrossing IP address:
NetRange: 107.172.0.0 - 107.175.255.255
CIDR: 107.172.0.0/14
NetName: CC-17
OriginAS: AS36352
Organization: ColoCrossing (VGS-9)
RegDate: 2013-12-27
Updated: 2013-12-27
OrgName: ColoCrossing
OrgId: VGS-9
Address: 325 Delaware Avenue
Address: Suite 300
City: Buffalo
StateProv: NY
PostalCode: 14202
Country: US
RegDate: 2005-06-20
Updated: 2015-09-16
traceroute agrees. p0f3 says that Linux 3.1-3.10 runs that IP address.
The README.md file included in the kinked theme .zip file has it as simppeli theme version 1.1.0. Version 1.1.0 is the latest version of the theme.
The theme's original .zip file has 39 files with a total of 117678 bytes, unzipped. The kinked .zip file has 39 files, named and dated (2017-02-05 12:47) exactly as the original .zip file. The attacker went to some pains to cover where the bad code resides. However, the kinked .zip file unzips to 191267 bytes. Ten files' contents differ between original and compromised .zip files.
404.php - completely changed, echoes "did not find,did not find"
footer.php - a simple file uploader
inc/custom-header.php - a simple "eval($_POST['something']);" style backdoor
inc/extras.php - same file uploader as footer.php, concealed in a PHP dropper
inc/jetpack.php - the GetDomains recon malware
inc/template-tags.php - probably a ring.php web shell
single.php - heavily mutated WSO web shell
template-parts/content-search.php - changes user's login to have WordPress admin privileges
template-parts/content-single.php - changes user's login to have WordPress admin privileges
template-parts/content.php - changes user's login to have WordPress admin privileges
The PHP dropper code used by inc/extras.php appears in lots of other malware and probably deserves a bit of analysis all its own.
This is just a grab bag of crap. Why have the same file uploader appear once in plain text, and a second time inside a dropper used by lots of other malware? Why does the GetDomains recon malware appear? Why does template-parts/content.php inject code into both WordPress and Joomla files, when it appears in a WordPress template? Why do template-parts/content-search.php, template-parts/content-single.php and template-parts/content.php all have essentially the same code in them?
I'm quite confused by this. There's no underlying theme or obvious motivation for including this variety of malware. There's no obvious reason for including duplicates.
One other puzzler that isn't quite so simple: template-tags.php clearly uses the same obfuscating method as the ring.php backdoor. It has borrowed the comments and function names of some random WordPress file and changed them to hold a gzipped, Base64-encoded text representation of some code. That Base64-encoded, gzipped code is disguised as a pre-composed HTML <img> tag with in-line image data. Upon an HTTP request for template-tags.php, the Base64-encoded text gets extracted from the "in-line image data". If the HTTP request invoking template-tags.php has the correct value for the parameter named "l__l_", that code gets eval'ed. None of the well-known passwords "root", "pass" or "avto", nor the ring.php password of "G0YgIaXqx", decodes this.
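Two checks from this analysis, the archive comparison (same names and timestamps, different contents) and the hunt for PHP hidden inside an <img> data URI, as an added example that is not code from the original post; the two tiny theme archives, the "simppeli/" member names and the gzip payload are constructed here for the demonstration, and the file-framing names refer to PHP's gzdecode, gzuncompress and gzinflate outputs:

```python
import base64, gzip, hashlib, io, re, zipfile, zlib

STAMP = (2017, 2, 5, 12, 47, 0)  # constructed: one timestamp shared by every member
DATA_URI = re.compile(rb"data:image/\w+;base64,([A-Za-z0-9+/=]+)")

def make_zip(members):
    """Build an in-memory zip whose members all carry the same date/time."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=STAMP), body)
    return buf.getvalue()

def manifest(data):
    """Map member name -> (sha256 of contents, date_time, uncompressed size)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {i.filename: (hashlib.sha256(zf.read(i)).hexdigest(), i.date_time, i.file_size)
                for i in zf.infolist() if not i.is_dir()}

def differing_members(original, suspect):
    """Names whose contents, stamp or size differ, or that exist in only one archive."""
    a, b = manifest(original), manifest(suspect)
    return sorted(n for n in a.keys() | b.keys() if a.get(n) != b.get(n))

def inline_image_hides_php(src):
    """True if an inline-image data URI base64-decodes, then inflates, to PHP source."""
    for m in DATA_URI.finditer(src):
        # try the gzdecode, gzuncompress and gzinflate framings in turn
        for inflate in (gzip.decompress, zlib.decompress, lambda b: zlib.decompress(b, -15)):
            try:
                if b"<?php" in inflate(base64.b64decode(m.group(1), validate=True)):
                    return True
            except (ValueError, OSError, EOFError, zlib.error):
                pass  # bad padding or not this framing; a real image normally fails all three
    return False

def scan_theme(original, suspect):
    """{member: hides_php} for each changed member still present in the suspect zip."""
    with zipfile.ZipFile(io.BytesIO(suspect)) as zf:
        return {n: inline_image_hides_php(zf.read(n))
                for n in differing_members(original, suspect) if n in zf.namelist()}

# Constructed samples: a clean theme and a tampered copy with identical names and timestamps.
PAYLOAD = base64.b64encode(gzip.compress(b'<?php echo "constructed payload"; ?>'))
CLEAN = make_zip({"simppeli/404.php": b"<?php get_header(); get_footer(); ?>",
                  "simppeli/inc/template-tags.php": b"<?php function simppeli_posted_on() {} ?>"})
KINKED = make_zip({"simppeli/404.php": b'<?php echo "did not find,did not find"; ?>',
                   "simppeli/inc/template-tags.php": b'<?php /* simppeli_posted_on */ $i = \'<img src="'
                   b'data:image/png;base64,' + PAYLOAD + b'">\'; ?>'})
```

Run scan_theme() on the real original and downloaded archives (read as bytes) to get the changed-member list together with a flag for each member whose inline image inflates to PHP.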
Other places this one shows up around the web: