Tag: malware

  • Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers

    Cybersecurity researchers have shed light on a new campaign targeting WordPress sites that disguises the malware as a security plugin.

    The plugin, which goes by the name “WP-antymalwary-bot.php,” comes with a variety of features to maintain access, hide itself from the admin dashboard, and execute remote code.

    “Pinging functionality that can report back to a command-and-control (C&C) server is also included, as is code that helps spread malware into other directories and inject malicious JavaScript responsible for serving ads,” Wordfence’s Marco Wotschka said in a report.

    First discovered during a site cleanup effort in late January 2025, the malware has since been detected in the wild with new variants. Some of the other names used for the plugin are listed below –

    • addons.php
    • wpconsole.php
    • wp-performance-booster.php
    • scr.php

    Once installed and activated, it gives the threat actors administrator access to the dashboard and uses the REST API to facilitate remote code execution, either by injecting malicious PHP code into the site theme’s header file or by clearing the caches of popular caching plugins.

    A new iteration of the malware changes the way code injections are handled: it fetches JavaScript hosted on another compromised domain and uses it to serve ads or spam.

    The plugin is also complemented by a malicious wp-cron.php file, which recreates and reactivates the malware automatically upon the next site visit should it be removed from the plugins directory.
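    The behaviours described above (a known set of plugin filenames, a plugin that hides itself from the dashboard, a REST route that executes attacker-supplied code, a theme header.php with an injected remote script, and a wp-cron.php that recreates the plugin) can be turned into a triage scan of a WordPress tree. The script below is an added example, not Wordfence’s tooling or the malware’s code; the filenames come from the report, but the PHP patterns it greps for and the sample site it builds are my own assumptions about how such behaviour is usually written, so treat hits as leads to inspect by hand, not as proof of compromise.

```python
import re
import tempfile
from pathlib import Path
from typing import Optional

# Filenames the Wordfence report gives for the fake plugin (from the article).
KNOWN_NAMES = {"wp-antymalwary-bot.php", "addons.php", "wpconsole.php",
               "wp-performance-booster.php", "scr.php"}

# Behaviours the article describes, mapped to PHP patterns worth grepping for.
# The malware's actual code is not on the page; these are my assumptions about
# how such behaviour is usually coded, so matches are leads rather than proof.
INDICATORS = {
    "hides_from_plugin_list": re.compile(r"add_filter\s*\(\s*['\"]all_plugins['\"]"),
    "registers_rest_route":   re.compile(r"\bregister_rest_route\s*\("),
    "dynamic_code_exec":      re.compile(r"\b(?:eval|create_function)\s*\(|\bbase64_decode\s*\("),
    "writes_files":           re.compile(r"\b(?:file_put_contents|copy|rename)\s*\("),
    "activates_plugin":       re.compile(r"\bactivate_plugin\s*\("),
    "remote_script_tag":      re.compile(r"<script[^>]+src\s*=\s*['\"]https?://", re.I),
    "grants_admin_role":      re.compile(r"set_role\s*\(\s*['\"]administrator['\"]"),
}

def scan_file(path: Path, root: Path) -> Optional[dict]:
    """Return a finding for one PHP file, or None if nothing looks wrong."""
    text = path.read_text(errors="replace")
    hits = [n for n, rx in INDICATORS.items() if rx.search(text)]
    rel = path.relative_to(root).as_posix()
    name = path.name.lower()
    flagged = False
    if name in KNOWN_NAMES:                       # direct filename IOC from the report
        hits.insert(0, "known_filename"); flagged = True
    elif "hides_from_plugin_list" in hits:        # legitimate plugins do not hide themselves
        flagged = True
    elif name == "wp-cron.php" and {"writes_files", "activates_plugin"} & set(hits):
        hits.append("cron_dropper"); flagged = True   # re-creates / re-activates the plugin
    elif name == "header.php" and {"remote_script_tag", "dynamic_code_exec"} & set(hits):
        flagged = True                            # theme header injection
    elif len(hits) >= 2:                          # several capabilities in one file
        flagged = True
    return {"file": rel, "indicators": hits} if flagged else None

def scan_site(root: Path) -> list:
    """Walk a WordPress tree and collect findings for every PHP file."""
    return [f for p in sorted(root.rglob("*.php")) for f in [scan_file(p, root)] if f]

def build_fixture() -> Path:
    """Constructed sample site (not real malware) that exercises each rule."""
    root = Path(tempfile.mkdtemp(prefix="wpscan-"))
    files = {
        # fake plugin: listed name, hides itself, REST endpoint that evals input
        "wp-content/plugins/wp-performance-booster.php":
            "<?php\nadd_filter('all_plugins', 'hide_me');\n"
            "add_action('rest_api_init', function () {\n"
            "  register_rest_route('booster/v1', '/run', ['callback' => function ($r) {\n"
            "    eval(base64_decode($r['c'])); }]); });\n",
        # benign plugin: one ordinary hook, nothing suspicious
        "wp-content/plugins/hello/hello.php":
            "<?php\nadd_action('admin_notices', 'hello_dolly');\n",
        # theme header with an injected remote script (hypothetical host)
        "wp-content/themes/demo/header.php":
            "<!doctype html><html><head>\n"
            "<script src=\"https://ads.example.invalid/a.js\"></script>\n</head>\n",
        "wp-content/themes/demo/footer.php": "<?php wp_footer(); ?></body></html>\n",
        # dropper posing as wp-cron.php: rewrites and re-activates the plugin
        "wp-cron.php":
            "<?php\n$p = WP_PLUGIN_DIR . '/wp-performance-booster.php';\n"
            "if (!file_exists($p)) { file_put_contents($p, $src); activate_plugin($p); }\n",
    }
    for rel, body in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_text(body)
    return root

if __name__ == "__main__":
    for finding in scan_site(build_fixture()):
        print(finding["file"], "->", ", ".join(finding["indicators"]))
```

Run it against a real install by calling `scan_site(Path("/var/www/html"))`; a clean site should produce no `known_filename`, `hides_from_plugin_list` or `cron_dropper` hits, while caching plugins may legitimately trip the two-indicator rule and need a manual look.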

    It’s currently not clear how the sites are breached to deliver the malware or who is behind the campaign. However, the presence of Russian language comments and messages likely indicates that the threat actors are Russian-speaking.

    The disclosure comes as Sucuri detailed a web skimmer campaign that uses a fake fonts domain named “italicfonts[.]org” to display a fake payment form on checkout pages, steal entered information, and exfiltrate the data to the attacker’s server.

    Another “advanced, multi-stage carding attack” examined by the website security company involves targeting Magento e-commerce portals with JavaScript malware designed to harvest a wide range of sensitive information.

    “This malware leveraged a fake GIF image file, local browser sessionStorage data, and tampered with the website traffic using a malicious reverse proxy server to facilitate the theft of credit card data, login details, cookies, and other sensitive data from the compromised website,” security researcher Ben Martin said.

    The GIF file is in reality a PHP script that acts as a reverse proxy, capturing incoming requests and using them to collect the necessary information when a site visitor lands on the checkout page.

    Adversaries have also been observed injecting Google AdSense code into at least 17 WordPress sites in various places with the goal of delivering unwanted ads and generating revenue on either a per-click or per-impression basis.

    “They’re trying to use your site’s resources to continue serving ads, and worse, they could be stealing your ad revenue if you’re using AdSense yourself,” security researcher Puja Srivastava said. “By injecting their own Google AdSense code, they get paid instead of you.”

    That’s not all. Deceptive CAPTCHA verifications served on compromised websites have been found to trick users into downloading and executing Node.js-based backdoors that gather system information, grant remote access, and deploy a Node.js remote access trojan (RAT), which is designed to tunnel malicious traffic through SOCKS5 proxies.

    The activity has been attributed by Trustwave SpiderLabs to a traffic distribution system (TDS) called Kongtuke (aka 404 TDS, Chaya_002, LandUpdate808, and TAG-124).

    “The JS script, which was dropped post-infection, is designed as a multi-functional backdoor capable of detailed system reconnaissance, executing remote commands, tunneling network traffic (SOCKS5 proxy), and maintaining covert, persistent access,” security researcher Reegun Jayapaul said.


  • EvilLoader: Unpatched Telegram for Android Vulnerability Disclosed

    [update March 3, 2025]

    On Mar 6, 2025, Telegram patched the EvilLoader vulnerability on the server side. I verified that the issue is now fixed. Telegram promptly fixed it within 48 hours of my report. 

    Email reply from Telegram to my report
    HTML file is no longer displayed as a video file

    A newly discovered vulnerability in Telegram for Android, dubbed EvilLoader, has been identified by malware and CTI analyst 0x6rss. This exploit allows attackers to disguise malicious APKs as video files, potentially leading to unauthorized malware installations on users’ devices. The vulnerability was detailed in his blog post and accompanied by Proof of Concept (PoC) code. At the time of writing, the exploit remained unpatched and continued to work on the latest version of Telegram for Android, 11.7.4. Even more concerning, the payload has been available for sale on underground forums since January 15, 2025, making it accessible to cybercriminals worldwide. This is similar to a WhatsApp trick in which Android malware impersonates a PDF file and tricks the user into installing it.

    I notified Telegram at security@telegram.org about this vulnerability and available PoC on March 04, 2025, but given the urgency of the issue and the fact that it remains exploitable—and has already been sold on underground forums for almost two months—I decided to publish this blog to raise awareness before an official fix is released.

    This is the second time a similar vulnerability has been discovered targeting Telegram for Android. The first one, called EvilVideo, was disclosed in July 2024 and tracked as CVE-2024-7014. EvilVideo operated in the same way as EvilLoader, allowing attackers to manipulate video files to deliver malicious APKs. It was also actively sold on underground forums. You can see a video of exploitation using the PoC below.

    https://youtube.com/watch?v=PUSUmV4K4pU

    Understanding the EvilLoader Vulnerability

    EvilLoader abuses Telegram’s handling of video files, allowing a malicious app to be downloaded and executed under the guise of media content. When a user attempts to play one of these specially crafted “videos,” Telegram prompts them to open the file in an external application (see Figure 1). 

    Figure 1. Received malicious video file (left), Telegram request to install external player after trying to play it (right)

    If the user selects Cancel, it simply appears that the video cannot be played (see Figure 2).

    Figure 2. Canceling the prompt makes it look as though the video merely failed to play

    If the user agrees, the disguised APK gets installed, potentially compromising the device.

    This is achieved by tricking Telegram into handling an HTML file as a video file. A key part of the attack involves crafting an HTML file that Telegram misinterprets as a valid video file, see Figure 3.

    Figure 3. Maliciously crafted HTML can trick a user to download and install malicious app

    The core issue is that an HTML file is created and saved with an MP4 extension, causing Telegram to identify it as a video file based on the extension alone rather than on its content. When sent via Telegram, it is treated as a legitimate media file, and when the recipient opens it they are prompted to launch it in an external application, at which point the malicious code can run.

    Before the malicious application can be installed, the user must explicitly enable the installation of unknown apps on their Android device. When the user tries to play the disguised video file, Telegram prompts them to install an external application. As part of this process, the user is asked to grant permission for the installation of apps from unknown sources, a security setting that is disabled by default precisely to prevent unauthorized installations.

    By exploiting Telegram’s inability to correctly validate media files, attackers can embed harmful payloads that appear as harmless video files.
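    The control that was missing, as the section above describes it, is validating media by its content rather than by its filename extension. The snippet below is an added example, not Telegram’s code: it sniffs the first bytes of an attachment for an MP4 `ftyp` box, a WebM/Matroska EBML header, a ZIP container (what an APK is) or the start of an HTML document, and refuses to hand anything that is not a real video container to a player. The function names, the minimal MP4 header and the HTML-saved-as-.mp4 sample are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Extension-implied types, the weak signal the write-up says Telegram relied on.
EXTENSION_TYPES = {
    "mp4": "video/mp4", "m4v": "video/mp4", "mov": "video/mp4",
    "webm": "video/webm", "html": "text/html", "htm": "text/html",
    "apk": "application/vnd.android.package-archive",
}
# Major brands that identify an ISO base media file (MP4/MOV) after 'ftyp'.
MP4_BRANDS = {b"isom", b"iso2", b"mp41", b"mp42", b"avc1", b"M4V ", b"qt  ", b"3gp4", b"3gp5"}
HTML_START = re.compile(
    rb"^\s*(?:\xef\xbb\xbf)?\s*<(?:!doctype\s+html|html|head|body|script|meta|iframe|title)",
    re.IGNORECASE)

def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring the filename entirely."""
    if len(data) >= 12 and data[4:8] == b"ftyp" and data[8:12] in MP4_BRANDS:
        return "video/mp4"
    if data.startswith(b"\x1a\x45\xdf\xa3"):      # EBML header: Matroska/WebM
        return "video/webm"
    if data.startswith(b"PK\x03\x04"):            # ZIP container: APKs look like this
        return "application/zip"
    if HTML_START.match(data[:1024]):             # HTML disguised as media
        return "text/html"
    return "application/octet-stream"

@dataclass
class Verdict:
    claimed: str        # type implied by the extension
    actual: str         # type implied by the bytes
    play_inline: bool   # safe to hand to the built-in video player?
    reason: str

def vet_attachment(filename: str, data: bytes) -> Verdict:
    """Hypothetical hardened check: only content that *is* video gets played."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXTENSION_TYPES.get(ext, "application/octet-stream")
    actual = sniff(data)
    if not actual.startswith("video/"):
        return Verdict(claimed, actual, False, "content is not a video container")
    if claimed != actual:
        return Verdict(claimed, actual, False, "extension does not match content")
    return Verdict(claimed, actual, True, "ok")

# Constructed samples: a minimal MP4 header, and an HTML page renamed to .mp4
# that lures the viewer into fetching an (imaginary) player.apk.
REAL_MP4 = b"\x00\x00\x00\x18ftypmp42\x00\x00\x00\x00mp42isom" + b"\x00" * 16
HTML_AS_MP4 = (b"<!DOCTYPE html><html><body>"
               b"<a href=\"player.apk\" download>Install player to watch</a>"
               b"</body></html>")

if __name__ == "__main__":
    for name, blob in (("clip.mp4", REAL_MP4), ("clip.mp4", HTML_AS_MP4)):
        print(name, vet_attachment(name, blob))
```

The second sample is exactly the EvilLoader shape: the extension says `video/mp4`, the bytes say `text/html`, and the verdict is to refuse rather than offer an "external player". A production check would also size-limit what it sniffs and treat anything unrecognised as a plain download, never as media.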

    The Exploit is Actively Sold on Underground Forums

    Since January 15, 2025, the payload for EvilLoader has been up for sale on an underground forum for an undisclosed price. Cybercriminals have been referring to it as EvilLoader instead of its initial name, EvilVideo. The availability of this exploit on underground marketplaces raises concerns about widespread abuse, as threat actors can now easily obtain and deploy it against unsuspecting Telegram users.

    Figure 4. Post from underground forum offering the exploit

    Why This is a Serious Threat

    • The vulnerability remains unpatched in the latest Telegram for Android version, making all users susceptible.
    • Attackers can exploit this flaw to deploy spyware, ransomware, or other malware.
    • Since Telegram is widely trusted, users may not hesitate to open files received from seemingly legitimate sources.

    How to Protect Yourself

    Until Telegram addresses this issue, users should take the following precautions:

    • Update Telegram: While a patch is pending, stay alert for security updates from Telegram.
    • Disable Auto-Download: Prevent media files from downloading automatically in Telegram settings.
    • Avoid Untrusted Media Files: Do not open or execute files from unknown sources, especially videos requiring external apps.
    • Use Security Software: Install reputable mobile security software that detects malicious APKs.

    Conclusion

    Given that the exploit remains unfixed and has been actively sold on underground forums, Telegram users must exercise caution when handling media files. The accessibility of this exploit to cybercriminals makes it a serious risk.