Collaborate Disseminate
It’s not very often that we see abandoned components being used on a website — but when we do, it’s most often because the website was exhibiting malware-like behavior and we were called to investigate and clean up the site.
Old and abandoned plugins … Continue reading The Dangers of Using Abandoned Plugins & Themes
Since April, our team has been tracking the spread of a PHP malware dropper. It’s impacting unsuspecting victims who thought they were downloading a mapping software to monitor the spread of the COVID-19 pandemic.
While the attack is likely spread thr… Continue reading Malware Dropper Takes Advantage of COVID-19 Pandemic
During malware analysis, we regularly find variations of this injected script on various compromised websites: .
The variable “_0x446d” assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable… Continue reading Legacy Mauthtoken Malware Continues to Redirect Mobile Users
A large majority of the malware we find on compromised websites are backdoors that allow an attacker to maintain unauthorized access to the site and execute whatever commands they want.
Another common scenario includes malware which is directly inject… Continue reading Backdoor Shell Dropper Deploys CMS-Specific Malware
Malicious pop-ups and redirects have become two extremely common techniques used by attackers to drive traffic wherever they want.
During a recent investigation, we came across an obfuscated pop-up script leveraging baidu[.]com search results to redi… Continue reading Malicious Pop-up Redirects Baidu Traffic
Our team recently came across a malicious script used on a Magento website titled gstaticapi, which targeted checkout processes to capture and exfiltrate stolen information.
To obtain sensitive details, the malware loads external javascript whenever t… Continue reading Magento Credit Card Stealing Malware: gstaticapi
Short scripts that deliver malware to a website are nothing new, but during a recent investigation we found a script using hastebin[.]com, which is a domain we see used infrequently. The script was found writing malicious contents into an image direct… Continue reading Malicious One-Liner Using Hastebin
Initially released December 2015, PHP 7 introduced a multitude of performance and security improvements. Approximately 43.7% of websites across the web currently use PHP 7.x, making it an incredibly popular scripting language — which is likely why att… Continue reading Using assert() to Execute Malware in PHP 7 Environments
Our team recently stumbled across an interesting example of malicious code used to add an arbitrary user inside WordPress.
The following code was detected at the bottom of the theme’s functions.php. It uses internal WordPress functions like wp_create_… Continue reading Persistent WordPress User Injection
During a website remediation, we recently discovered a new version of a Magento credit card stealer which sends all compromised data to the malicious domain cdn-filestore[dot]com. My colleague Luke Leal originally wrote about this malware in a blog po… Continue reading CDN-Filestore Credit Card Stealer for Magento