Security researchers from SiteLock have warned administrators of WordPress and Joomla sites about new malware that masquerades as legitimate ionCube files. The malware, dubbed ionCube Malware, is used by cybercriminals to create backdoors on vulnerable websites, allowing them to steal data or install additional malware.
According to the researchers, the malware was detected on more than 800 sites belonging to small companies and built on the WordPress, Joomla and CodeIgniter platforms. Its distinctive feature is its ability to pass as a legitimate ionCube file.
As noted by SiteLock’s lead analyst Weston Henry, ionCube Malware is similar to malicious base64-encoded PHP eval requests that target PHP functions and are hidden inside CMS plug-ins. Eval is a PHP function that can execute arbitrary PHP code and is often used by hackers to create backdoors on websites.
“We have never faced such tactics before. We saw a lot of samples of malware that tried to look like specific Joomla or WordPress files. However, ionCube is a legitimate tool for encoding and encryption, so when malicious users obfuscate malware under the guise of ionCube files, it gets access to the website,” experts noted.
According to the experts, the identified samples, diff98.php and wrgcduzk.php, were found in the core WordPress directories.
To protect against the malware, the researchers recommend updating all CMS plug-ins and software.
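A triage pass a site owner could run over a WordPress tree for the traits described above, as an added example that is not SiteLock's tooling: it flags the two reported file names, PHP files in the site root that stock WordPress does not ship, eval fed by a decoder call, and files presenting themselves as ionCube-encoded. The reason labels, the "ionCube" text marker and the demo file contents are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# PHP files a stock WordPress release ships in the site root (wp-config.php is created at install).
WP_ROOT_PHP = {
    "index.php", "wp-activate.php", "wp-blog-header.php", "wp-comments-post.php",
    "wp-config.php", "wp-config-sample.php", "wp-cron.php", "wp-links-opml.php",
    "wp-load.php", "wp-login.php", "wp-mail.php", "wp-settings.php",
    "wp-signup.php", "wp-trackback.php", "xmlrpc.php",
}
REPORTED_NAMES = {"diff98.php", "wrgcduzk.php"}  # sample names given in the article
# eval() fed directly by a decoder call, the usual shape of an obfuscated backdoor.
EVAL_DECODE = re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)
# Assumption: a file presenting itself as ionCube-encoded mentions ionCube near the top.
IONCUBE_CLAIM = re.compile(rb"ioncube", re.I)

def triage(wp_root):
    """Return {relative_path: [reasons]} for PHP files that deserve manual review."""
    root, findings = Path(wp_root), {}
    for path in sorted(root.rglob("*.php")):
        data = path.read_bytes()[:1 << 20]  # the first 1 MiB is enough for triage
        reasons = []
        if path.name.lower() in REPORTED_NAMES:
            reasons.append("reported-sample-name")
        if path.parent == root and path.name not in WP_ROOT_PHP:
            reasons.append("unexpected-root-file")
        if EVAL_DECODE.search(data):
            reasons.append("eval-of-decoded-data")
        if IONCUBE_CLAIM.search(data[:4096]):
            reasons.append("claims-ioncube")
        if reasons:
            findings[path.relative_to(root).as_posix()] = reasons
    return findings

def demo():
    """Run triage over a small constructed tree (all file contents are made up and inert)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        plugin = root / "wp-content" / "plugins" / "demo"
        plugin.mkdir(parents=True)
        (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';")
        (root / "diff98.php").write_text("<?php // ionCube Loader required\n$x = 'AAAA';")
        (plugin / "cache.php").write_text("<?php eval(base64_decode('ZWNobyAxOw=='));")
        return triage(root)

if __name__ == "__main__":
    for name, reasons in demo().items():
        print(f"{name}: {', '.join(reasons)}")
```

A "claims-ioncube" hit is only a prompt for review: on a site that runs licensed ionCube-encoded plug-ins, compare those files against the vendor's originals before treating them as malicious.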
ionCube is a set of command-line utilities for encoding, obfuscating and licensing source code written in PHP.