Security researchers are warning WordPress and Joomla admins of a sneaky new malware strain that masquerades as legitimate ionCube files. The malware, dubbed ionCube Malware, is used by cybercriminals to create backdoors on vulnerable websites, which then let them steal data or plant more malware.
In the two weeks since it was first discovered, researchers said, the malware has been found on over 800 mostly small business websites running WordPress, Joomla and the CodeIgniter PHP framework. According to SiteLock, which found the malware, it is unique because it is both encoded and formatted to look like a legitimate ionCube file.
ionCube is a commercial PHP encoder that compiles plaintext PHP source, the files that generate a site's dynamic content, into an encoded form that the server can only run with the ionCube Loader extension installed. Vendors typically use it to protect the intellectual property in licensed PHP software.
Weston Henry, lead research analyst at SiteLock, said the ionCube Malware is similar to the familiar backdoors that hide base64-encoded PHP inside rogue CMS plugins and hand it to eval(). eval() is a PHP function that executes arbitrary PHP code passed to it as a string, which is why attackers so often use it to build website backdoors.
“This specific tactic we have never seen before. We have seen a ton of malware samples that have tried to look like specific Joomla or WordPress files. But ionCube is a legitimate encoding and encrypting tool,” Henry said. “So when bad guys obfuscate malware inside fake ionCube files, it amounts to creating eval backdoor access to a website.”
Henry said that it’s unclear how the 800 sites became infected with the ionCube malware, although he suspects that it was likely tied to the use of out-of-date CMS plugins or platform software. “From what we’ve seen, there’s no reason to think that this (malware) couldn’t impact any site that had a vulnerability that a bad actor could identify and compromise.”
“This is particularly hard to identify, especially for any site that might already be using ionCube services,” Henry said.
Researchers said the samples they identified were named “diff98.php” and “wrgcduzk.php” and were found in WordPress core directories, which is itself a tell: WordPress core ships no ionCube-encoded files. On closer inspection the malicious files' code contains subtle differences from a genuine ionCube file, such as a bogus “il_exec” call where the legitimate loader stub uses “_il_exec”.
“From our findings, there’s a reference to the ioncube.com domain name in some form or another in every legitimate ionCube file, but it is not present in the fake files. Also notice that the fake file has a code block after the PHP closing tags, much like the legitimate ionCube file. But unlike the real file, this code block consists only of alphanumeric characters and newlines,” according to an upcoming SiteLock blog outlining its research.
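The tells SiteLock lists above (a bogus il_exec() in place of _il_exec(), no reference to ioncube.com, and a post-?> block made only of alphanumerics and newlines), together with the classic eval()-over-base64 pattern Henry compares the malware to, can be turned into a simple file scanner. The following Python is an added example, not SiteLock's code or the article's; the three PHP samples in it are constructed for the demo (the "genuine-like" one only imitates the loader-stub features the article describes and is not real ionCube output, and the fake contains no working payload), and the regexes encode only the differences the article states.

```python
"""Heuristic scanner for fake ionCube-encoded PHP files (added example, not SiteLock's tool).

Flags, per the article's findings: il_exec() used where the genuine loader stub calls
_il_exec(); no mention of ioncube.com; and a payload after the closing ?> tag that is
alphanumerics/newlines only. Also flags eval() wrapped around a decoder call, the classic
backdoor shape the ionCube Malware is compared to. Heuristics only: review hits by hand.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

RE_REAL_IL_EXEC = re.compile(r"_il_exec\b")                  # what a real loader stub calls
RE_BOGUS_IL_EXEC = re.compile(r"(?<!\w)il_exec\b")          # il_exec without the leading underscore
RE_IONCUBE_DOMAIN = re.compile(r"ioncube\.com", re.IGNORECASE)
RE_IONCUBE_MARKER = re.compile(r"ioncube|il_exec", re.IGNORECASE)  # "looks like an ionCube file"
RE_EVAL_DECODE = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.IGNORECASE)
RE_ALNUM_ONLY = re.compile(r"[A-Za-z0-9\r\n]+")


@dataclass
class Finding:
    path: str
    reasons: List[str] = field(default_factory=list)


def payload_after_close_tag(src: str) -> Optional[str]:
    """Text after the last '?>' (where an ionCube file carries its encoded payload), or None."""
    idx = src.rfind("?>")
    if idx == -1:
        return None
    block = src[idx + 2:].strip()
    return block or None


def scan_source(path: str, src: str) -> Finding:
    """Apply the heuristics to one file's contents and return the reasons it was flagged."""
    f = Finding(path)
    if RE_EVAL_DECODE.search(src):
        f.reasons.append("eval() wrapped around a decoder call (classic PHP backdoor pattern)")
    if RE_IONCUBE_MARKER.search(src):  # only apply the ionCube tells to ionCube-looking files
        if RE_BOGUS_IL_EXEC.search(src) and not RE_REAL_IL_EXEC.search(src):
            f.reasons.append("calls il_exec() instead of the loader's _il_exec()")
        if not RE_IONCUBE_DOMAIN.search(src):
            f.reasons.append("no reference to ioncube.com anywhere in the file")
        block = payload_after_close_tag(src)
        if block is not None and RE_ALNUM_ONLY.fullmatch(block):
            f.reasons.append("payload after ?> is alphanumerics/newlines only")
    return f


def scan_tree(root: str) -> List[Finding]:
    """Walk a web root and return every .php file that triggered at least one heuristic."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                p = os.path.join(dirpath, name)
                with open(p, encoding="utf-8", errors="replace") as fh:
                    res = scan_source(p, fh.read())
                if res.reasons:
                    hits.append(res)
    return hits


# Constructed imitation of a genuine loader stub (NOT real ionCube output): it references
# _il_exec and ioncube.com, and its trailer after ?> contains '+', '/' and '=' like a base64 blob.
GENUINE_LIKE = """<?php //0046a
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));
if(function_exists('_il_exec')){return _il_exec();}
echo("Site error: the file <b>".__FILE__."</b> requires the ionCube PHP Loader. "
 ."See the <a href='http://www.ioncube.com/lw/'>ionCube Loader Wizard</a>.");exit(199);}
?>
HR+cPqSd9AyF2k/3bWz0uQ==
"""

# Constructed fake in the style the article describes: bogus il_exec, no ioncube.com,
# and an alphanumeric-only trailer. It carries no working payload.
FAKE = """<?php //0046a
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));
if(function_exists('il_exec')){return il_exec();}
echo("Site error: the file <b>".__FILE__."</b> requires the ionCube PHP Loader.");exit(199);}
?>
A8fK3mZq9bLp2xWv7nTc1dRs
Y4hJ6gQe0uIo5kMa3zXb8cVn
"""

# Constructed classic eval-over-base64 sample; the blob decodes to a harmless echo.
EVAL_BACKDOOR = "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>"


def demo() -> Dict[str, List[str]]:
    """Write the constructed samples to a temp dir, scan it, return {filename: reasons}."""
    samples = {"legit_stub.php": GENUINE_LIKE, "fake_ioncube.php": FAKE,
               "eval_backdoor.php": EVAL_BACKDOOR}
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(h.path): h.reasons for h in scan_tree(d)}


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Run it against a web root with scan_tree("/var/www/html") and treat each hit as a lead, not a verdict: a site that legitimately runs ionCube-encoded software will have files that match the marker regex, so the scanner only reports those that also fail one of the article's tells, and anything it flags should be diffed against a known-good copy of the plugin or core before removal.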
As for mitigation, besides more heavily scrutinizing ionCube files, SiteLock suggests sites update all CMS plugins and software.