PHP_SIMPLESHELL.HA

March 01, 2017
 Analysis by: Joselyn Canuela
 ALIASES:

Backdoor.PHP.C99Shell.ir (Kaspersky), Troj/PHPShl-AK (Sophos_Lite), Backdoor:PHP/SimpleShell.A (Microsoft)

 PLATFORM:

Windows

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:
 INFORMATION EXPOSURE:

  • Threat Type: Backdoor

  • Destructiveness: No

  • Encrypted: Yes

  • In the wild: Yes


  TECHNICAL DETAILS

File Size:

2,700 bytes

File Type:

Script

Memory Resident:

No

Initial Samples Received Date:

15 Jun 2016

Payload:

Steals information

Arrival Details

This malware arrives via the following means:

  • May be uploaded and installed on a web server by a remote malicious user after gaining access to the server.

Installation

This backdoor drops a copy of itself in the following folders using different file names:

  • {PHP Server Document Root }/info.php

Information Theft

This backdoor gathers the following data:

  • Host System Information
  • Web Server Safemode Status
  • Web Host Server Address
  • Remote User Server Address

Stolen Information

This backdoor sends the data it gathers to the following email addresses via SMTP:

  • {BLOCKED}ina_1@yahoo.com

NOTES:

This malware modifies the following files if existing, or creates the following files:

  • {malware current directory}/cgi-bin.pl
  • {malware current directory}/cgi-bin/cgi-bin.pl

It also has the following capabilities:

  • Receives a command/function using shell from a remote user
  • Receive files from the remote user
  • List all files

Once this PHP script is installed, the remote user may then launch a backdoor on the affected system. Opening the page, the malicious user is shown the following user interface:

  SOLUTION

Minimum Scan Engine:

9.850

FIRST VSAPI PATTERN FILE:

12.592.04

FIRST VSAPI PATTERN DATE:

15 Jun 2016

VSAPI OPR PATTERN File:

12.593.00

VSAPI OPR PATTERN Date:

16 Jun 2016

Step 1

Before doing any scans, Windows XP, Windows Vista, and Windows 7 users must disable System Restore to allow full scanning of their computers.

Step 2

Note that not all files, folders, and registry keys and entries are installed on your computer during this malware's/spyware's/grayware's execution. This may be due to incomplete installation or other operating system conditions. If you do not find the same files/folders/registry information, please proceed to the next step.

Step 3

Scan your computer with your Trend Micro product to delete files detected as PHP_SIMPLESHELL.HA. If the detected files have already been cleaned, deleted, or quarantined by your Trend Micro product, no further step is required. You may opt to simply delete the quarantined files. Please check this Knowledge Base page for more information.

Step 4

Restore deleted/modified files and/or registry entries from backup

*Note: Only Microsoft-related files/keys/values will be restored. If this malware/grayware also deleted registry keys/values related to programs that are not from Microsoft, please reinstall those programs on your computer.

     
    • {malware current directory}/cgi-bin.pl
    • {malware current directory}/cgi-bin/cgi-bin


Did this description help? Tell us how we did.