Malware is a constant threat to the security of websites and servers. In this article, we will discuss version 5.5 of a well-known malware family that has been causing incidents on the servers we protect since the summer of 2022. We called it Wednesday V5.5, and you will see later why. Version 4 already caused widespread damage on the Internet in 2018. Wednesday V5.5 is easy to recognize because it is not obfuscated. Its code is nevertheless unreadable to the human eye: variable, function and class names are meaningless, and indentation and line breaks have been removed, so it stays hard to follow even after running it through a PHP code beautifier. Once these names are rewritten according to what they do, however, the code becomes perfectly readable and understandable.
The image below shows the original version on the right, and the more readable one that we manually “prettified” is on the left.
The current version has five classes in total. The last of these holds the malware's version number and the external URLs it calls (these have been largely unchanged for a long time).
One of the key features of this malware is that it contains a unique generated key that must be used to send requests to it. The central class also contains a text decoding/transformation method used to process data received from PHP's $_COOKIE and $_POST arrays. This method splits the text into four-character segments and uses bit operations to combine adjacent characters; the resulting transformed text is further processed using the malware's unique key. If the result is a PHP serialized array, the request contained in that array is served.
If no understandable request is received, the malware checks whether it was called by a human visitor or by a bot. If a human called it, the visitor's data is sent to the attacker's server, and the visitor is either redirected to another page or shown content the attacker wants them to see. Most of the time this is a scam promising free prizes (links of the "You've won a free iPhone" type).
The requests that this malware is expected to serve include:
The incident numbers for Wednesday V5.5 on the servers we protect are shown in the following diagram:
This type of malware is often found alongside other malware and injected code snippets. Typically it appears in large numbers every Wednesday, hence the name. Alongside the malware itself there is often a file whose name starts with a dot followed by 8 letters/numbers, with the extension .ico, containing obfuscated PHP code. This code is difficult to read because of nested functions and inline comments, but with some effort it can be deciphered.
The code is obfuscated: the basename, trim, preg_replace and rawurldecode calls follow one another, nested inside each other, and in almost every case a PHP inline comment of one or more pairs of characters sits before and after the function name and before and after the opening and closing brackets. This makes reading considerably harder, but it also gives a very strict "fingerprint" if we want to apply a regular expression or a rule to this text.
And if you can't find this .ico file, look in the index.php code near the malware. You will almost certainly find a 5-line section in which the first and fifth lines are the same couple-of-character PHP inline comments, and the third line pulls in this .ico file. There are further tricks here: some characters in the included string are stored in a converted form so that they hide from plain string searches and matching, for example like this:
Detection and cleaning of this are perhaps easiest with the help of a regex or YARA rule. Since we introduced YARA rules against these .ico files and started cleaning their injected includes, we have cleaned loads of the dreaded Wednesday V5.5 from the protected servers, and reinfections are now pretty rare. Almost non-existent.
If you were ‘lucky enough’ to encounter the above malware, it is worth taking a closer look at the storage space afterward. If there are files whose names are structured like this:
[2 random hex characters]_[16 random hex characters] with the extension HTML or list, they were most likely created by the malware and can be deleted. There is also often a "cache" folder full of files named [16 random hex characters], which can also be deleted. In addition, the sitemap.xml and robots.txt files should be examined carefully.
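The naming rules above are regular enough to script a post-incident inventory. The Python below is an added example, not BitNinja's tooling; it walks a document root, classifies files by the patterns the article gives (and the dot-prefixed .ico from the earlier section), and only reports what it finds, leaving the deletion decision to the operator. It assumes the hex characters may be either case, which the article does not specify, and the demo docroot it builds in a temporary directory is constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Name patterns from the article. Hex case is assumed to be either.
ARTIFACT_FILE = re.compile(r"^[0-9a-fA-F]{2}_[0-9a-fA-F]{16}\.(html|list)$")
CACHE_FILE = re.compile(r"^[0-9a-fA-F]{16}$")
# Dot, eight letters/digits, .ico: the obfuscated include target.
DOT_ICO = re.compile(r"^\.[A-Za-z0-9]{8}\.ico$")
# Files the article says to examine by hand rather than delete.
REVIEW_FILES = {"sitemap.xml", "robots.txt"}


def classify(path: Path) -> Optional[str]:
    """Map one file to a finding category, or None if it looks ordinary."""
    name = path.name
    if ARTIFACT_FILE.match(name):
        return "generated_page"
    if DOT_ICO.match(name):
        return "obfuscated_include"
    if path.parent.name == "cache" and CACHE_FILE.match(name):
        return "cache_entry"
    if name in REVIEW_FILES:
        return "review_manually"
    return None


def scan(root: Path) -> Dict[str, List[str]]:
    """Inventory a docroot; paths are reported relative to root, nothing is removed."""
    found: Dict[str, List[str]] = {
        "generated_page": [],
        "obfuscated_include": [],
        "cache_entry": [],
        "review_manually": [],
    }
    for p in sorted(root.rglob("*")):
        if p.is_file():
            kind = classify(p)
            if kind:
                found[kind].append(p.relative_to(root).as_posix())
    return found


def demo() -> Dict[str, List[str]]:
    """Build a constructed docroot in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cache").mkdir()
        for rel in [
            "index.php", "a3_0123456789abcdef.html", "ff_fedcba9876543210.list",
            ".ab1c2d3e.ico", "cache/00112233aabbccdd", "cache/readme.txt",
            "robots.txt", "sitemap.xml", "logo.ico",
        ]:
            (root / rel).write_text("x")
        return scan(root)


if __name__ == "__main__":
    for category, paths in demo().items():
        print(f"{category}: {paths}")
```

Run it against a real site with scan(Path("/path/to/docroot")); note that a genuine favicon such as logo.ico and an ordinary cache/readme.txt are left out of the report, because only the exact name shapes from the article are flagged.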
To protect against this malware, it is important to regularly scan your server for vulnerabilities and to keep your software up to date. To make this easy, use a server security tool that protects you from online threats, preferably one that combines every security component an online business needs, like BitNinja. We can help prevent attackers from gaining access to your system and installing malware like this.
In addition to that, you should also be cautious about the links and downloads you click on and avoid visiting suspicious websites.
Version 5.5 of a well-known malware family has been causing incidents on servers since the summer of 2022. This malware is easy to recognize, but its code is unreadable without rewriting the meaningless variable-function-class names. It contains a unique generated key that must be used to send requests to the malware. It is often found alongside other malware and injected code snippets.
To protect against this type of malware, it is important to regularly scan your server for vulnerabilities.
If you suspect that your website or server has been infected, it is important to seek the assistance of a security professional to remove the malware and restore any damaged files. Or you can choose the simplest way and not just clean your site but also prevent further attacks by using BitNinja's blazing-fast malware scanner.