If you like DNray Forum, you can support it by - BTC: bc1qppjcl3c2cyjazy6lepmrv3fh6ke9mxs7zpfky0 , TRC20 and more...


Uncovering the Malware Mechanism: A Closer Look at its Operations

Started by Hosting News, May 23, 2023, 03:32 AM


Hosting News (Topic starter)

In the realm of cybersecurity, malware reinfections pose a significant problem. Recently, BitNinja's team dedicated to threat management identified a particular type of malware responsible for a considerable number of these frequent reinfections.



This topic aims to highlight this malware variant's operation and its connection to other malicious files like blue.php.

The malware mechanism operates on three significant files: index.php, stylec.php, and styleu.php. It is essential to note that the file styleu.php has exceptional uses and is rarely present in this malware. Upon examining the function of each file, we can deduce the following:

• index.php - continuously injected with malicious code by the malware, which is detected and removed every time.

• stylec.php - used to copy its contents to the index.php file, facilitating the continuous injection of malicious code.

• styleu.php - used in rare cases when the malware needs to stop the current script. In other words, it serves as the malware's "RED BUTTON."

Every second, the malware operates in an endless loop unless styleu.php is missing or untraceable. For it to function, two files need to be kept alive - stylec.php and index.php, both containing the same malicious content. The malware scanners find it difficult to quarantine the files as one file is quarantined while still creating the other and injecting malicious code into it. This leads to a vicious cycle.

Based on their analysis, BitNinja suspects a correlation between blue.php and this malware. Thus, it is possible that blue.php is responsible for uploading the "File infector" malware. Moreover, blue.php is found on the affected servers in 99% of cases.

Blue.php commonly receives two requests:

• A GET request to verify the file's existence
• A POST request to inject a WebShell into a specific file

From its analysis, BitNinja determined that this malware is responsible for continuous infections on some servers.

BitNinja has added the signature of stylec.php to the global blacklist, which significantly decreased the number of incidents per day. This proves that monitoring and blacklisting malicious files are imperative in combating malware reinfection.

In conclusion, malware is a severe threat to computer systems, and its reinfection cycle can be quite challenging to handle. By understanding how this particular malware operates, BitNinja can better protect their systems and prevent further reinfections.
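The two observable traits described in the post above (a stylec.php whose content is identical to the index.php beside it, with styleu.php rarely present; and a client that first GETs blue.php and then POSTs to it) can both be checked mechanically. The script below is an added example written for this thread, not BitNinja's tooling or code from the original post. It assumes a combined-format web server access log, uses a harmless placeholder string in place of the injected content, and builds its own throwaway sample webroot, so it runs offline.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Constructed placeholder standing in for the injected content. It is not the
# real payload; it only makes the two files compare equal, as the post describes.
FAKE_INJECT = "<?php /* constructed sample, not real malware */ echo 'x'; ?>\n"

# Constructed combined-format access log lines (assumption: Apache/nginx style).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/May/2023:03:30:01 +0000] "GET /wp-content/uploads/blue.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [23/May/2023:03:30:02 +0000] "POST /wp-content/uploads/blue.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/May/2023:03:31:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [23/May/2023:03:31:11 +0000] "POST /blue.php HTTP/1.1" 404 0 "-" "curl/8.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_reinfection_pairs(webroot):
    """Walk webroot and report every directory holding stylec.php and index.php
    with byte-identical content. Also record whether styleu.php (the stop file
    from the post) is present, since the post says it usually is not."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        names = set(filenames)
        if "stylec.php" in names and "index.php" in names:
            d = Path(dirpath)
            src_hash = sha256_file(d / "stylec.php")
            if src_hash == sha256_file(d / "index.php"):
                findings.append({
                    "dir": str(d),
                    "sha256": src_hash,
                    "styleu_present": "styleu.php" in names,
                })
    return findings


def find_blue_php_probes(log_lines):
    """Group access-log lines by client IP and flag clients that issued a GET to
    blue.php followed later by a POST to it (the existence check, then the
    injection request). Returns {ip: [methods seen against blue.php]}."""
    per_client = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than crash
        path = m.group("path").split("?", 1)[0]
        if path.lower().endswith("/blue.php"):
            per_client[m.group("ip")].append(m.group("method"))
    flagged = {}
    for ip, methods in per_client.items():
        seen_get = False
        for method in methods:
            if method == "GET":
                seen_get = True
            elif method == "POST" and seen_get:
                flagged[ip] = methods
                break
    return flagged


def build_sample_webroot() -> str:
    """Create a throwaway tree with one infected-looking site and one clean site
    (constructed data for the demo and tests)."""
    root = Path(tempfile.mkdtemp(prefix="reinfect-demo-"))
    infected = root / "site-a" / "public_html"
    infected.mkdir(parents=True)
    (infected / "index.php").write_text(FAKE_INJECT)
    (infected / "stylec.php").write_text(FAKE_INJECT)
    clean = root / "site-b" / "public_html"
    clean.mkdir(parents=True)
    (clean / "index.php").write_text("<?php echo 'hello'; ?>\n")
    (clean / "stylec.php").write_text("<?php // unrelated file with a different hash ?>\n")
    return str(root)


if __name__ == "__main__":
    for hit in find_reinfection_pairs(build_sample_webroot()):
        print("reinfection pair:", hit)
    for ip, methods in find_blue_php_probes(SAMPLE_LOG).items():
        print("blue.php probe from", ip, "->", " then ".join(methods))
```

The filesystem check reports the pair rather than deleting anything: the post's point is that quarantining one file at a time just restarts the cycle, so a responder wants the whole set (the copier, the injected index.php, and the running process behind them) handled together, with the stylec.php hash kept for a blocklist.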


jbench21

Malware, short for malicious software, is designed to infiltrate and damage computer systems without the user's consent. By analyzing its operations, we can develop strategies to prevent, detect, and mitigate the risks associated with it. Here's a closer look at how these insidious pieces of code work:

Initial Infection Vector: Malware often gets into a system through various means, such as phishing emails, malicious downloads, or vulnerable software. Attackers typically employ social engineering techniques to deceive users into clicking on malicious links or downloading infected files. Once the malware is executed, it begins to deploy its payload.

Execution Phase: After the initial infection, the malware usually attempts to execute itself with elevated privileges. It might exploit a zero-day vulnerability, or use techniques like privilege escalation to gain administrative rights. This stage is crucial as it determines the level of control the malware has over the infected system. If successful, it can move to more advanced phases of operation.

Persistence Mechanism: For malware to be effective, it must ensure it can persist within the system even after a reboot or user intervention. This involves modifying the registry keys, creating scheduled tasks, or even placing malicious code in legitimate system processes. The goal is to make sure that the malware stays active and can continue to perform its intended malicious functions without interruption.

Command and Control (C2) Communication: Much modern malware relies on communicating with a remote Command and Control server. This server provides the attacker with the ability to remotely manage the malware, exfiltrate data, or issue new instructions. The communication can be encrypted and disguised as legitimate traffic, making it challenging for security teams to detect. Techniques like Domain Generation Algorithms (DGAs) are often used to rotate the domains the malware contacts, further hindering detection efforts.

Payload Delivery: The payload is the core function of the malware. It can range from ransomware, which encrypts user files and demands payment, to spyware that silently monitors user activity and steals sensitive information. Other types, like botnets, convert the infected machines into zombies that can be used in large-scale attacks, like DDoS (Distributed Denial of Service). The payload is typically modular, allowing attackers to update it with new capabilities or change tactics as needed.

Lateral Movement: Advanced malware often doesn't stop at a single host; it attempts to spread within a network to infect more devices. This is called lateral movement. The malware scans the network for other vulnerable machines, utilizes stolen credentials, or exploits weaknesses to propagate. By moving laterally, attackers can escalate their access to more critical systems, such as databases or servers, increasing the potential damage.

Data Exfiltration and Cleanup: The ultimate goal for many malware operations is to extract valuable information from the system. This could be personal information, financial data, intellectual property, or anything of value. Once the data is exfiltrated, advanced malware may even attempt to delete logs, clean traces, or disable security tools to cover its tracks and prolong the time it remains undetected.

Evading Detection: Modern malware is highly sophisticated in evading detection. Techniques like code obfuscation, polymorphic code that changes its appearance every time it's executed, and sandbox evasion are commonly used to bypass traditional antivirus and endpoint detection systems. Attackers continuously adapt these techniques, making it a cat-and-mouse game for cybersecurity professionals.

Understanding these phases of malware operation is crucial for any cybersecurity specialist. By recognizing the different stages, one can implement a layered security approach that includes intrusion detection systems (IDS), endpoint detection and response (EDR) tools, and regular patching to mitigate vulnerabilities. Malware analysis and threat intelligence are also key components in staying ahead of the ever-evolving cyber threats.
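The C2 paragraph above mentions Domain Generation Algorithms rotating the domains a sample contacts. One simple defensive counterpart is to score queried names for the statistical fingerprint of machine-generated labels (high character entropy, few vowels, many digits, unusual length) and surface the outliers for a human to review. The script below is an added example for this thread, not code from the post or from any vendor; the log format, the scoring thresholds and the naive "second-to-last label" rule are all assumptions chosen for illustration (real tooling would use a public suffix list and tuned thresholds).

```python
import math
import re
from collections import Counter

# Constructed DNS query log lines in a simplified dnsmasq-like form
# ("query[TYPE] name from client"). These are made-up sample data.
SAMPLE_QUERIES = [
    "query[A] www.example.com from 10.0.0.5",
    "query[A] mail.example.org from 10.0.0.5",
    "query[A] xk3jq9vbz7wqlp2m.net from 10.0.0.8",
    "query[A] q8rzmv1lkx0tpyw3a.com from 10.0.0.8",
    "query[A] cdn.cloudservice.example from 10.0.0.9",
]

QUERY_RE = re.compile(r"query\[\w+\] (?P<name>\S+) from (?P<ip>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(fqdn: str) -> str:
    """Assumption for the example: treat the second-to-last label as the
    registered name. A public suffix list would be needed for co.uk and similar."""
    labels = fqdn.strip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(label: str) -> int:
    """Count how many DGA-like traits a label shows (0..4). Thresholds are
    illustrative assumptions, not calibrated values."""
    n = len(label)
    if n == 0:
        return 0
    vowel_ratio = sum(ch in "aeiou" for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    score = 0
    if shannon_entropy(label) > 3.5:
        score += 1  # near-uniform character distribution
    if n >= 12:
        score += 1  # long labels are rarer in human-chosen names
    if vowel_ratio < 0.25:
        score += 1  # pronounceable words have more vowels
    if digit_ratio > 0.15:
        score += 1  # digits mixed into the name
    return score


def flag_suspicious_queries(lines, threshold=3):
    """Parse query lines and return (client_ip, name, score) for every query
    whose registrable label scores at or above the threshold."""
    flagged = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = m.group("name")
        score = dga_score(registrable_label(name))
        if score >= threshold:
            flagged.append((m.group("ip"), name, score))
    return flagged


if __name__ == "__main__":
    for ip, name, score in flag_suspicious_queries(SAMPLE_QUERIES):
        print(f"{ip} queried {name} (DGA score {score})")
```

A score like this is a triage aid, not a verdict: CDN hostnames and hashed subdomains can score high, which is why the example scores the registrable label rather than the full hostname and leaves the final call to an analyst.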

