Backdoor.PHP.DEWMODE.A

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites. It may arrive using one or multiple arrival methods.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This Backdoor arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It arrives via the following means:

• It may be delivered by exploiting the following vulnerabilities:
  • CVE-2021-27101
  • CVE-2021-27102
  • CVE-2021-27103
  • CVE-2021-27104

Backdoor Routine

This Backdoor executes the following commands from a remote malicious user:

• Download files from victim server
• Delete traces in the system

Dropping Routine

This Backdoor drops the following files:

• /tmp/.scr → temporary file used to delete traces of the malware when requested by the C&C; deleted afterwards.
• /tmp/.out → temporary file used to redirect logging of malware trace deletion; deleted afterwards.

Other Details

This Backdoor does the following:

• Once accessed, it will display the list of files existing in the SQL database hosted in the target server
  
• It displays the following if no files are present in the database:
  
• It uses the dropped file /tmp/.scr to delete traces of itself in the server. This dropped file does the following:
  • Remove the line referencing the malware in all of the logs located in "/var/opt/apache".
  • Overwrite the contents of adminpl.log with blanks.
  • Delete malware trace in the machine.
  • Overwrite /var/log/secure with blanks.

It requires being hosted on a web server in order to proceed with its intended routine.