Threat Actors Using Obfuscation in Attempt to Evade Detection
As part of our product lineup, we offer security monitoring and malware removal services to our Wordfence Care and Response customers. In the event of a security incident, our incident response team will investigate the root cause, find and remove malware from your site, and help with other complications that may arise as a result of an infection. During the cleanup, malware samples are added to our Threat Intelligence database, which contains over 3.5 million unique malicious samples. Interested in integrating this data into your solutions? Check out Wordfence Intelligence Enterprise.
In a previous blog post we analyzed a malware sample whose author intended to make it look like normal code to the naked eye while carrying out a malicious task. Today, we would like to dissect and share a style of malware that uses several layers of obfuscation to disguise its main purpose while not hiding the fact that it is malicious. It was added to our malware database on February 20, 2023 when one of our analysts discovered it during a site clean.
Obfuscated malware sample (line breaks added)
A signature was developed by the same analyst the following day and, after testing, released to production within a week. Customers still using the free version of Wordfence received this signature after a 30-day delay.
Analyzing the Sample
Rather than trying to blend in by looking like code a human wrote, this sample relies on several different techniques that help it evade detection.
The screenshot above was edited so that the sample is legible. As found, the entire sample was contained on a single line. There is very little whitespace in the file, and never more than one space character in a row. We often see this in malware that relies on heavy obfuscation: PHP written by humans is usually indented and readable, although exceptions exist of course.
One of the most notable elements of this malware is the excessive use of comments in the file. Human coders typically use comments to describe what their code does, while in this sample comments are used exclusively to break up code fragments so that a signature looking for a contiguous string never finds one. Comments in PHP are formatted as follows:
- /* some comment that spans one or more lines */
- // comment runs from the two slashes to the end of the line (C++ style)
- # comment runs from the hash to the end of the line (shell-style)
Both single-line forms also end at a closing ?> tag, and in PHP 8 the sequence #[ starts an attribute rather than a comment, so anything that strips comments has to account for these cases. Once we remove those comments we get a clearer picture of what this sample does.
Obfuscated malware sample after removing comments (line breaks added)
Use of Variable Functions
After removing the comments, the sample is more legible, but it still needs some work. The variable $ojq is set to the string “range” by concatenating smaller string fragments, so the function name never appears in the file as a single token. The statement $nHpCr=$ojq("~"," "); is a variable function call: PHP calls the function whose name is held in $ojq, which is range(). When range() is given two single-character strings it returns every character between them by byte value, and because “~” (0x7E) is greater than “ ” (0x20) the sequence is descending. Ultimately, the array stored in $nHpCr contains all the characters in the following string: