Cybersecurity researchers have exposed a new campaign that targets web servers running PHP-based applications to promote gambling platforms in Indonesia.
“Over the past two months, a significant volume of attacks from Python-based bots has been observed, suggesting a coordinated effort to exploit thousands of web apps,” Imperva researcher Daniel Johnston said in an analysis. “These attacks appear tied to the proliferation of gambling-related sites, potentially as a response to the heightened government scrutiny.”
The Thales-owned company said it has detected millions of requests originating from a Python client that includes a command to install GSocket (aka Global Socket), an open-source tool that can be used to establish a communication channel between two machines regardless of the network perimeter.
It’s worth noting that GSocket has been put to use in many a cryptojacking operation in recent months, not to mention even exploiting the access provided by the utility to insert malicious JavaScript code on sites to steal payment information.
The attack chains particularly involve attempts to deploy GSocket by leveraging web pre-existing web shells installed on already compromised servers. A majority of the attacks have been found to single out servers running a popular learning management system (LMS) called Moodle.
A noteworthy aspect of the attacks are the additions to bashrc and crontab system files to ensure that GSocket is actively running even after the removal of the web shells.
It has been determined that the access afforded by GSocket to these target servers is weaponized to deliver PHP files that contain HTML content referencing online gambling services particularly aimed at Indonesian users.
“At the top of each PHP file was PHP code designed to allow only search bots to access the page, but regular site visitors would be redirected to another domain,” Johnston said. “The objective behind this is to target users searching for known gambling services, then redirect them to another domain.”
Imperva said the redirections lead to “pktoto[.]cc,” a known Indonesian gambling site.
The development comes as c/side revealed a widespread malware campaign that has targeted over 5,000 sites globally to create unauthorized administrator accounts, install a malicious plugin from a remote server, and siphon credential data back to it.
The exact initial access vector used to deploy the JavaScript malware on these sites is presently not known. The malware has been codenamed WP3.XYZ in reference to the domain name that’s associated with the server used to fetch the plugin and exfiltrate data (“wp3[.]xyz”).
To mitigate against the attack, it’s recommended that WordPress site owners keep their plugins up-to-date, block the rogue domain using a firewall, scan for suspicious admin accounts or plugins, and remove them.
