Hackers Shifting Towards Non-Executable .txt & .log Files


Recently, researchers have found an increasing number of malware samples that load their code from non-executable files (such as .txt, .log, etc.), a strategy designed specifically to evade standard detection procedures.

These files are often deceptively simple, with only a line or two of base64 or hex-encoded code.

Malware is more often found in file formats such as .js (JavaScript) and .php (PHP: Hypertext Preprocessor), which the browser or server can run directly.

Due to their ease of manipulation and ability to run malicious code, these file formats are the favored option for attackers. The attacker can take control of the website or server using this simple and efficient approach. 

Most security products treated this as the norm and concentrated on those file formats when looking for possible threats. However, attacker tactics have evolved along with malware detection technologies.



Stealthy Use of Non-Executable .txt & .log Files

Sucuri reports that in some scenarios, malicious code lies in wait in the same environment, concealed behind a PHP file. 

The PHP file usually has two crucial components: a line that (typically) points to the location of an inconspicuous .txt or .log file containing the obfuscated malware, and a second line that decodes the string and executes it on the website using the 'eval' and 'base64_decode' functions.

Even the most vigilant webmaster who constantly checks the website’s files and source code can easily be fooled by this trick.

Figure: Obfuscated base64 code found concealed in a tott.log file

“The .log file contains base64 encoded code, which could be anything from an entire shell script or just a simple backdoor used to reinfect the website or upload additional malware”, reads the report.

In this case, the code in .tott.log was responsible for building Japanese spam gateway pages that communicated with the malicious pollutionioften[.]xyz domain.

Figure: Obfuscated hexadecimal code hidden in a .txt file

Although the .txt file contained PHP code in this case, it could easily be skipped during a site inspection.

Many people skip text files when looking for malware. The PHP code in them is difficult to identify visually, and even if you realize it is PHP code and try to execute it, you will get errors, because each of the .txt files is incomplete on its own.

As a result, this tactic enables the attacker’s code to operate undetected and fulfill its intended purpose without being noticed by several common security measures.
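The two-part layout described above (a small PHP loader that reads a .txt or .log file and passes it through base64_decode or hex decoding into eval) is something a defender can look for directly. The following scanner is an added example, not code from the Sucuri report or from this article; the sample site tree, file names (index.php, .tott.log, notes.txt) and the decoded placeholder payload are constructed here for illustration. It flags PHP files that combine eval with a decode function and a reference to a .txt/.log path, and it flags non-executable files whose one or two lines decode, as base64 or hex, to something that looks like PHP.

```python
import base64
import binascii
import re
from pathlib import Path

# Regexes for the loader half: an eval-style sink, a decode function, and a
# quoted path ending in .txt or .log. All three together in one PHP file is
# the pattern the article describes.
LOADER_RE = re.compile(r"\b(eval|assert)\s*\(", re.I)
DECODE_RE = re.compile(r"\b(base64_decode|hex2bin|gzinflate)\s*\(", re.I)
DATAFILE_RE = re.compile(r"['\"][^'\"]*\.(txt|log)['\"]", re.I)

# Markers that, once a blob is decoded, indicate it is PHP rather than data.
PHP_MARKERS = (b"<?php", b"eval(", b"base64_decode(")

# Constructed in-memory site tree (hypothetical; not files from the report).
SAMPLE_FILES = {
    "index.php": (
        "<?php\n"
        "$p = __DIR__ . '/.tott.log';\n"
        "eval(base64_decode(file_get_contents($p)));\n"
    ),
    # Harmless placeholder payload, base64-encoded on a single line.
    ".tott.log": base64.b64encode(
        b"<?php echo 'constructed placeholder'; ?>").decode() + "\n",
    # The same idea with hex encoding, as in the second figure.
    "notes.txt": "<?php echo 'x'; ?>".encode().hex() + "\n",
    "readme.txt": "This is an ordinary text file with no code.\n",
    "style.css": "body { color: #333; }\n",
}


def decode_blob(text):
    """Try to decode a whitespace-stripped blob as hex, then base64.

    Returns the decoded bytes, or None if it is neither."""
    s = re.sub(r"\s+", "", text)
    if not s:
        return None
    # Hex is checked first because every hex string is also valid base64 text.
    if len(s) % 2 == 0 and re.fullmatch(r"[0-9a-fA-F]+", s):
        return bytes.fromhex(s)
    if re.fullmatch(r"[A-Za-z0-9+/=]+", s):
        try:
            return base64.b64decode(s, validate=True)
        except (binascii.Error, ValueError):
            return None
    return None


def classify_file(name, text):
    """Return a list of findings for one file; an empty list means clean."""
    findings = []
    if name.lower().endswith(".php"):
        if LOADER_RE.search(text) and DECODE_RE.search(text):
            refs = [m.group(0) for m in DATAFILE_RE.finditer(text)]
            if refs:
                findings.append(
                    "loader: eval+decode referencing " + ", ".join(refs))
    else:
        # The article notes these files hold only a line or two of encoded
        # text, so only short files are decoded and inspected.
        lines = [ln for ln in text.splitlines() if ln.strip()]
        decoded = decode_blob(text) if 0 < len(lines) <= 2 else None
        if decoded and any(m in decoded for m in PHP_MARKERS):
            findings.append("payload: encoded blob decodes to PHP")
    return findings


def scan(files):
    """Scan {name: text} and return only the files with findings."""
    result = {}
    for name, text in files.items():
        findings = classify_file(name, text)
        if findings:
            result[name] = findings
    return result


def scan_dir(root):
    """Same check over a real directory tree (paths relative to root)."""
    root = Path(root)
    files = {}
    for p in root.rglob("*"):
        if p.is_file():
            files[str(p.relative_to(root))] = p.read_text(errors="replace")
    return scan(files)


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_FILES).items():
        print(name, "->", "; ".join(findings))
```

Running the block prints index.php as a loader that references '/.tott.log', and both .tott.log and notes.txt as encoded PHP payloads, while readme.txt and style.css produce no findings. The short-file threshold is a deliberate choice: long text files are left alone so a benign log does not get decoded, and a real deployment would tune that limit to the site.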

Mitigation

  • Examine files often and keep track of changes
  • Use cutting-edge malware detection software
  • Update software 
  • Frequently backup websites
  • Implement a website firewall
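The first mitigation, examining files often and keeping track of changes, comes down to file integrity monitoring: hash every file in the web root, store the result as a baseline, and compare later snapshots against it. The following is an added example, not code from the article or from Sucuri; the two constructed snapshots and the policy of queueing new dotfiles and .txt/.log files for manual review are assumptions made here to illustrate the idea.

```python
import hashlib
import json
from pathlib import Path

# File types the article says scanners tend to skip; a new or changed copy
# in a web root is worth a manual look (hypothetical policy).
WATCH_SUFFIXES = (".txt", ".log")


def snapshot(files):
    """Map relative path -> SHA-256 hex digest for an in-memory {path: bytes}."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def snapshot_dir(root):
    """Same as snapshot(), but walks a real directory tree on disk."""
    root = Path(root)
    return snapshot({str(p.relative_to(root)): p.read_bytes()
                     for p in root.rglob("*") if p.is_file()})


def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff_snapshots(baseline, current):
    """Return added, removed and modified paths between two snapshots."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys()
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def review_queue(changes):
    """New or changed paths that are dotfiles or carry a watched suffix."""
    queue = []
    for p in changes["added"] + changes["modified"]:
        name = Path(p).name
        if name.startswith(".") or name.lower().endswith(WATCH_SUFFIXES):
            queue.append(p)
    return queue


# Constructed snapshots of a small site before and after a change.
BASELINE_FILES = {
    "index.php": b"<?php // site entry point ?>\n",
    "readme.txt": b"ordinary notes\n",
}
CURRENT_FILES = {
    "index.php": b"<?php // site entry point ?>\n// appended line\n",
    "readme.txt": b"ordinary notes\n",
    "wp-content/.tott.log": b"placeholder contents\n",
}


def demo():
    """Diff the constructed snapshots and return the manual-review queue."""
    changes = diff_snapshots(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES))
    return changes, review_queue(changes)


if __name__ == "__main__":
    changes, queue = demo()
    print(json.dumps(changes, indent=2))
    print("review:", queue)
```

Against the constructed data the diff reports index.php as modified and wp-content/.tott.log as added, and only the dotfile lands in the review queue. In practice the baseline is taken right after a clean deployment, stored outside the web root, and the comparison is run on a schedule; every modified PHP file is still a candidate for the loader check, the queue simply surfaces the non-executable files this technique relies on.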



