Cybersecurity researchers have uncovered a new campaign targeting web servers running PHP-based applications to promote gambling platforms in Indonesia.
“The past two months have seen a significant number of attacks by Python-based bots, suggesting a coordinated effort to exploit thousands of web applications,” Imperva researcher Daniel Johnston said in the analysis. “These attacks appear to be related to the proliferation of gambling-related sites, potentially in response to increased government control.”
The Thales-owned company said it discovered millions of requests originating from a Python client containing a command to install GSocket (aka Global Socket), an open source tool that can be used to establish a communication channel between two machines regardless of the network perimeter.
It should be noted that GSocket has been used in many a cryptojacking operation in recent months, not to mention that the access provided by the utility has been used to inject malicious JavaScript code into sites to steal payment information.
Attack chains in particular include attempts to deploy GSocket using pre-existing web shells installed on already compromised servers. Most attacks have been found to single out servers running a popular learning management system (LMS) called Moodle.
A noteworthy aspect of the attacks is the addition of entries to the bashrc and crontab system files to ensure that GSocket remains active even after the web shell is removed.
The access granted by GSocket to these target servers was found to be used to deliver PHP files containing HTML content that links to online gambling services specifically targeting Indonesian users.
“At the top of each PHP file was PHP code designed so that only search robots could access the page, but normal site visitors would be redirected to another domain,” Johnston said. “The purpose of this is to target users who are looking for well-known gambling services and then redirect them to another domain.”
Imperva said the redirects lead to “pktoto(.)ss”, a well-known Indonesian gambling site.
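The two traits described above, a user-agent check that serves the page only to search-engine bots and redirects everyone else, and persistence entries in bashrc or crontab that keep GSocket alive after the web shell is gone, are both things an incident responder can scan for. The following Python is an added example written for this article, not code from Imperva or from the GSocket project: it runs simple pattern checks over constructed sample files. The indicator strings (`gsocket`, `gs-netcat`) and the crontab and PHP samples are assumptions made for the demonstration, not indicators published in the report.

```python
import re

# --- Constructed samples (not artefacts from the reported campaign) ---------

# A cloaking stub of the kind the article describes: bots get the page,
# ordinary visitors are sent elsewhere. Domain is a placeholder.
SAMPLE_PHP = r'''<?php
$ua = strtolower($_SERVER['HTTP_USER_AGENT']);
if (strpos($ua, 'googlebot') === false && strpos($ua, 'bingbot') === false) {
    header("Location: https://redirect-target.invalid/");
    exit;
}
?>
<html><body>landing page content shown only to crawlers</body></html>
'''

CLEAN_PHP = "<?php echo 'hello'; ?>"

# Crontab with one legitimate job and one constructed persistence entry
# (binary name and path are assumed indicators, not from the article).
SAMPLE_CRONTAB = """# m h dom mon dow command
0 3 * * * /usr/bin/certbot renew
@reboot /var/tmp/.cache/gs-netcat
"""

# --- Detection logic --------------------------------------------------------

# Names of common crawlers that cloaking code typically checks for.
BOT_UA = re.compile(r"googlebot|bingbot|slurp|duckduckbot|yandex|baiduspider", re.I)
# Reads of the User-Agent header in PHP.
UA_CHECK = re.compile(r"\$_SERVER\s*\[\s*['\"]HTTP_USER_AGENT['\"]\s*\]")
# A Location header redirect.
REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:", re.I)
# Assumed GSocket indicator strings (tool name and its client binary).
GSOCKET_IOC = re.compile(r"gsocket|gs-netcat", re.I)


def php_cloaking_findings(src: str) -> list[str]:
    """Flag PHP that branches on the crawler User-Agent and redirects others.

    All three signals must co-occur; a UA check alone (analytics, mobile
    detection) or a redirect alone is normal and would only cause noise.
    """
    findings = []
    if UA_CHECK.search(src) and BOT_UA.search(src) and REDIRECT.search(src):
        findings.append("user-agent cloaking: page served to crawlers, others redirected")
    return findings


def persistence_findings(path: str, text: str) -> list[tuple[str, int, str]]:
    """Return (path, line_no, line) for non-comment lines referencing GSocket."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if GSOCKET_IOC.search(s):
            hits.append((path, n, s))
    return hits


def scan(files: dict[str, str]) -> dict[str, list]:
    """Scan a {path: content} map; .php files get the cloaking check,
    bashrc/crontab-like files get the persistence check."""
    report: dict[str, list] = {}
    for path, content in files.items():
        if path.endswith(".php"):
            hits = php_cloaking_findings(content)
        elif path.endswith(("bashrc", "crontab")) or "/cron" in path:
            hits = persistence_findings(path, content)
        else:
            hits = []
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    sample_fs = {
        "/var/www/html/index.php": CLEAN_PHP,
        "/var/www/html/promo/slot.php": SAMPLE_PHP,
        "/var/spool/cron/crontabs/www-data": SAMPLE_CRONTAB,
    }
    for path, hits in scan(sample_fs).items():
        print(path)
        for h in hits:
            print("   ", h)
```

On a real host the `files` map would be built by walking the web root, the home directories' `.bashrc` files and the cron spool; the point of requiring all three cloaking signals together is to keep the check usable on a large Moodle or WordPress tree without drowning in false positives.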
The development comes as c/side disclosed a widespread malware campaign that targets more than 5,000 sites worldwide to create unauthorized administrator accounts, install a malicious plugin from a remote server, and exfiltrate credentials to it.
The exact initial access vector used to deploy the JavaScript malware on these sites is currently unknown. The malware was codenamed WP3.XYZ due to the domain name associated with the server used to obtain the plugin and steal data (“wp3(.)xyz”).
To mitigate the threat, WordPress site owners are advised to keep their plugins up to date, block the rogue domain with a firewall, and check for suspicious admin accounts or plugins and remove them.
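The last of those recommendations, checking for administrator accounts and plugins that nobody on the team created, can be turned into a repeatable audit. The Python below is an added example for this article and is not code from c/side or from WordPress; it builds a small in-memory SQLite copy of the three WordPress tables involved (`wp_users`, `wp_usermeta`, `wp_options`, assuming the default `wp_` table prefix) with constructed rows, then compares the administrators and active plugins it finds against an allowlist. The account and plugin names in the sample are made up for the demonstration.

```python
import re
import sqlite3

# WordPress stores capabilities and the active plugin list as PHP-serialized
# arrays; pulling out the quoted strings is enough for this check.
PHP_STR = re.compile(r's:\d+:"([^"]*)"')


def php_serialized_strings(value: str) -> list[str]:
    """Return every string element of a PHP-serialized value."""
    return PHP_STR.findall(value)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a WordPress database (three tables, few rows)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_name TEXT, option_value TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "siteowner",   "2022-01-10 09:00:00"),
        (2, "editor_jane", "2023-05-02 12:00:00"),
        (3, "wpadmin_x9",  "2025-01-14 03:12:44"),   # constructed rogue account
    ])
    conn.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    conn.execute("INSERT INTO wp_options VALUES (?, ?)", (
        "active_plugins",
        'a:2:{i:0;s:19:"akismet/akismet.php";i:1;s:25:"unknown-plugin/loader.php";}',
    ))
    conn.commit()
    return conn


def list_admins(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    """(login, registered) for every user whose capabilities include administrator."""
    rows = conn.execute("""
        SELECT u.user_login, u.user_registered, m.meta_value
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
    """).fetchall()
    return [(login, reg) for login, reg, caps in rows
            if "administrator" in php_serialized_strings(caps)]


def unexpected_admins(conn: sqlite3.Connection, approved: set[str]) -> list[str]:
    """Administrator logins that are not on the approved list."""
    return [login for login, _ in list_admins(conn) if login not in approved]


def unexpected_plugins(conn: sqlite3.Connection, approved: set[str]) -> list[str]:
    """Active plugin paths that are not on the approved list."""
    row = conn.execute(
        "SELECT option_value FROM wp_options WHERE option_name = 'active_plugins'"
    ).fetchone()
    active = php_serialized_strings(row[0]) if row else []
    return [p for p in active if p not in approved]


if __name__ == "__main__":
    db = build_sample_db()
    # The allowlists would come from the team's own records, not from the site.
    print("admins:", list_admins(db))
    print("unexpected admins:", unexpected_admins(db, {"siteowner"}))
    print("unexpected plugins:", unexpected_plugins(db, {"akismet/akismet.php"}))
```

Against a live site the same two queries run through the normal database client; the allowlists are the important part, since a compromised site cannot be trusted to say which of its own administrators are legitimate, and a registration timestamp well after the others, as with the constructed `wpadmin_x9` row here, is a useful secondary signal when the list of approved accounts is incomplete.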