Most Advanced Backdoor Obfuscation and Evasion Technique That used by Hackers


Cybercriminals are using the most sophisticated techniques to bypass the security controls in various organization such as  IT, medical, manufacturing industries, energy sectors, even government entities.

Sometimes developers are creating a backdoor for a legitimate purpose such as maintenance and easy accessibility during the technical issue via a remote location.

But the hackers are using it for completely malicious purposes especially creating and injecting an advanced backdoor to the target system using various advanced obfuscation techniques into the vulnerable server.

This technique will help them to perform an attack to gain control over the target and upload malicious payloads to steal the various sensitive data also mining the cryptocurrencies.

There are various types of backdoor which can be written in various languages, for an example if the backdoor was written in ASP then it can run on .net based servers and if it’s written in PHP then it will run on the servers that run on PHP.

In this case, the organization should learn how to protect your web applications from vulnerabilities such as a backdoor, SQL injection types of attack with the best WAF solutions, and about Incapsula backdoor shell protection.

PHP Based Evasion Techniques

There is a different method that is used by attackers to evade the detection, mask known functions or PHP keywords are mainly used by many of the PHP based backdoors.

The first method is Character reordering where attacker used to place and embedded backdoor code in well-known  “404 Not Found”message and the keyword “_POST” is written in the plain site.

Line 1 –  the backdoor code turns off all error reporting to avoid detection in case of an error.

Line 3- the “default” parameter is defined -a random combination of characters.

line 4 – the “about” parameter is defined when the code reorders these characters and turns them to upper case to build the keyword “_POST”.

Link 5 –  keyword is used in lines 5-12 to check if the HTTP request to this page was done via the POST method and whether it contained the “lequ” parameter.

According to Incapsula, If so, the backdoor uses the “eval” function to run the code that was sent in the parameter “lequ”. Thus, the backdoor reads the value from a parameter in a post request without ever using the keyword “$_POST”.

Other than this, some of the other attacks are used by hackers to hide their malicious code and evade detection.

  • Hiding known PHP function using string manipulations (replacement, concatenation, reverse, shift and split)
  • Using obscure parameter names, like random characters or combinations of the characters O and 0 which are visually similar
  • Encoding the backdoor, or part of its code with base64 encoding
  • Using compression as a mean to hide the backdoor code
  • Obfuscating base64 encoded text by manipulating the text in order to avoid simple decoding
  • Obfuscating requests sent to the backdoor after it was uploaded by using the “preg_replace” function on the input.

Protection from these kindly of obfustication techniques Strong web-application firewall such as Incapsula CDN identifying the malicious threats using several layers of security policies is highly recommended for any organization.

Mask Known Functions or PHP Keywords

In some case, the Attacker used to hide known functions or PHP keywords in order to evade detection.

To read the original article:

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *

Next Post

Vermelho (Red): New variant of the Mirai Botnet Exploits 9 Vulnerabilities

A new Variant of Mirai Malware recently started recruiting devices IoT written by @mezy1337. This malware uses hosted servers to find and infect new victims . Samples were served from the IP Malware Samples: 10f0429cee0a52a569c14bee727f3f66:VAMPWROTESATORI.x86 3672ec68839541e7263f491ce9407ec9:vermelho.i686 156e888c32c38677ae970b3a944e8e0e:vermelho.arm7 b125deca7501e13667eaf0804d44a5a7:vermelho.m68k 1406cf02d6af6c2a33f86f93feebdc55:cpuvuln.x86 11e887988687b66cb29a5d395797b0e6:vermelho.mips64 e524abeb037e5295d8341519883ec733:vermelho.mips fb926ee35a240e1bd6761c2d416ef392:vermelho.i486 f9e73ae79a618df43b3bf0ff06818979:vermelho.x86_64 b89870c84f62606b8c1337f120198362:vermelho.sh4 98c35212c42a39cac579afbfb271ba9c:vermelho.arm5 9229e931e806b30967863a1d0f78fb3e:vermelho.mipsel d54456cc11c710f6b4431e0e9593ac02:vermelho.arm6 93b642bb132f757617ff3221ebefab53:vermelho.powerpc-440fp 1da0c2b1c860c334b3220687b15c1e95:vermelho.powerpc c19c397f73adbb3a8247f8670a895e30:vermelho.x86 53b539f6f9824d538f5a28f29ba2e9c4:vermelho.arm4 fb94e136404fcd1de3ba95cb09d8f6ba:vermelho.sparc […]