Starting on Jun 29, we detected a malicious campaign that uses Crontab in a chained infection flow. A closer look reveals a common pattern attackers use in order to inject a backdoor to a vulnerable host.
It starts from logging in with previously stolen credentials to the cPanel service. After that, the attacker makes an attempt to upload a backdoor directly to the public directory. And the final step is to set up a CronJob task, containing obfuscated malware, scheduled to trigger every at regular intervals.
Pic 1. The malicious CronJob command example
After CronJob is added, the infection continuously appears in a destination path for further exploiting the host through the remote calls passing the prepared commands.
Pic 2. The originating code injected by the CronJob
Through further examination of the script, we determined that it receives the remote commands through the forged cookies with a unique pattern. One of the passed parameters comprises a payload while others just implement additional obfuscation.
What it simply does is
eval(base64_decode(str_rot13('command passed in an appropriate cookie variable')));
During the investigation, we detected cases when attackers were able to log in to users’ cPanel accounts on a first attempt, which implies they were using credentials that were leaked before the malware campaign started. We intercepted attackers' attempts to communicate with the backdoors and collected a vast variety of scripts such as simple pings, modification timestamp hide commands, directories scanners, webshells, etc.
Servers with the Imunify360 system installed were protected with several layers of security, which prevented the spread of infection - even for the accounts with stolen cPanel user credentials.
These protection layers are:
- cPanel file manager upload scanner. It blocked attempts to upload the infection directly to the destination path using the default file manager provided by the panel.
- User home directory scanner. Whenever CronJobs maliciously enters an infected record into a file on the server, the scanner immediately detects and cleans it.
- ModSecurity ruleset. When the injection is cleaned, the system registers all following calls to the detected script as malicious activity and blocks any communication attempts.
- Imunify360 agent local graylisting. The agent analyzes incidents triggered by an attacker and by the presence of appropriate rules triggers fill the graylist with these abusive IPs.
- Heuristic system. Based on incidents triggered by attackers the automated logic lists addresses globally and shares them through all the servers belonging to the Imunify360 network.
Having these thorough protection systems enabled means infections can’t spread, and a host can’t be exploited using automation designed by hackers.
A malicious CronJob task could remain injected into a Crontab on an affected cPanel account, even if it stays absolutely useless and inoperable. The Imunify team plans to release the update as soon as possible to provide automatic cleanup. However, if you prefer manual cleanup, you can follow the recommendations below. The last paragraph explains how to determine whether your server is affected and steps to resolve the infection.
Steps that may help you detect affected users on your server:
- Check your inbox. We sent the notification emails “On cronjob infection” with instructions to owners of affected systems.
imunify360-agent malware malicious list | grep "SMW-SA-21040-php.bkdr-0"
In case there are files detected with the SMW-SA-21040-php.bkdr-0 signature you should follow these steps:
- Force a password reset for an affected cPanel user (the new password should be strong).
- The new Imunify360 version will have a feature to clean up the malicious CronJobs (release is planned on 17 Aug).
- Alternatively, run the commands below:
cp -r /var/spool/cron /root/crontab_backup
Execute the command to exclude malicious CronJobs (replace the <user_affected> variable with the affected user).
crontab -l -u <user_affected> | grep -v "PD9waHANCmNsYXNzIFRydWMNCnsNCiAgICBwcml2YXRlIHN0YXRpYyAkczs.*SgpOw==" | crontab -u <user_affected> -