Malicious software disguised as legitimate ionCube encoded files has been infected in hundreds of websites

For PHP developers, in order to protect intellectual property or protect PHP program files, they often need to encrypt their own PHP code, while ionCube is widely used as a PHP encryption technology.

Founded in 2002, ionCube Inc. has introduced a series of tools to protect software written in the PHP programming language, making it impossible for anyone to view, change, or run PHP program files on an unauthorized computer.

Specifically, ionCube Encoder converts PHP source code to ByteCode. After the encryption and authorization processing PHP code is not open source, you must use the ionCube loader can execute encrypted PHP code.

According to SiteLock, hundreds of sites have been found infected with malware disguised as legitimate ionCube encoded files. While viewing the infected site, SiteLock’s team found some suspect confusion files that are almost identical to the legitimate ionCube encoded files.

In general, ionCube is generally not used for malicious purposes due to the high licensing costs and high compatibility requirements. But there seems to be an exception this time around, and the team is pretty sure that these suspect ionCube encoded files are indeed malicious, affecting at least hundreds of websites and thousands of files.

These suspicious obfuscation files (such as “diff98.php” and “wrgcduzk.php”) were discovered by the research team when analyzing an infected WordPress website. Contrast legal ionCube file, if not carefully examined, we find it very difficult to find any difference.

After careful analysis and comparison, the team found some differences: First, the fake file uses a function that closely resembles the legal one, using the function “il_exec”, which in the legal file should be ” _il_exec “; Second, in the fake file also appeared two does not exist in the legal document” preg_replace “and” fopen “; Finally, there is a relatively obvious difference, the last line of the fake file is the return statement, And we know that legal ionCube encoded files end with “exit ()”.

The team noted that despite the considerable confusion with fake documents, it looks as legal as possible with legal documents. But the sheer number of “$ _POST” and “$ _COOKIE superglobals” and the eval request at the end of the file reveal its real purpose: to accept and execute remote code.

Further investigation revealed that attackers who distribute fake ionCube encoded files not only target WordPress, but also a large number of infected sites such as Joomla and CodeIgniter.

The team at ionCube emphasizes that fake files, in theory, can infect almost any web server running PHP. Once decoded, a fake ionCube file constitutes malware.

In addition, fake files do not have a fixed naming pattern, and even files with “inc.php” and “menu.php” names that have valid filenames can be malicious.

Overall, ionCube’s research team found over 700 infected websites and more than 7,000 fake documents in the survey. They even found that over 100 slightly different fake files exist on a single site at the same time.

Source: securityaffairs