Fake IonCube Malware Found in the Wild
Target: Web servers running PHP
Attack Vector: Remote code execution using fake ionCube files
Summary: Obfuscated files that look almost identical to legitimate ionCube-encoded files have been found to be malicious. The fake files carry names resembling ionCube's own file names in order to disguise their real purpose: executing remotely supplied code, which gives an attacker access to, and control of, a victim's device. Currently, over 700 websites and 7000 files have been identified as infected.
Risk assessment summary: The threat is assessed as 3e MODERATE, with the likelihood rated as POSSIBLE. If the attack succeeds, victims could effectively hand over control of their systems, because the fake ionCube file executes whatever code is supplied remotely. Only web servers running PHP are affected. Although differences between the fake and legitimate files have been identified, telling the two apart is difficult and the fake files are easily missed, so a malware scanner should be used to identify the issue.
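As an added illustration of the scanner-based detection recommended above (example code written for this page, not a tool from the advisory), the Python script below flags PHP files that imitate ionCube's header or file naming while executing data taken from the HTTP request. The header, naming and execution heuristics are assumptions for this example, since the advisory does not publish the differences it refers to, and the two PHP fixtures are constructed, not real samples.

```python
import re
import sys
from pathlib import Path

# All heuristics here are assumptions for this example, not indicators from the advisory.
# Assumed shape: a genuine ionCube-encoded file opens with a hex marker comment and checks
# for the Loader extension; a look-alike copies that shape but runs request-supplied code.
IONCUBE_HEADER = re.compile(r"^<\?php\s*//[0-9a-fA-F]{4,}", re.M)
LOADER_CHECK = re.compile(r"extension_loaded\s*\(\s*['\"]ionCube Loader['\"]\s*\)")
NAME_HINT = re.compile(r"ion[_-]?cube", re.I)
REMOTE_INPUT = re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b|php://input")
DYNAMIC_EXEC = re.compile(r"\b(?:eval|assert|create_function)\s*\(")
DECODER = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")

def classify(name: str, text: str) -> tuple[str, list[str]]:
    """Return (verdict, reasons): 'other' for files unrelated to ionCube, 'ioncube-like'
    for a stub that looks genuine, 'suspect' for a look-alike that executes supplied code."""
    if not (NAME_HINT.search(name) or IONCUBE_HEADER.search(text)):
        return "other", []
    reasons = []
    if REMOTE_INPUT.search(text) and DYNAMIC_EXEC.search(text):
        reasons.append("executes data taken from the HTTP request")
    if DECODER.search(text) and DYNAMIC_EXEC.search(text):
        reasons.append("decodes an embedded or supplied blob and executes it")
    if not reasons:
        return "ioncube-like", []
    if not LOADER_CHECK.search(text):  # supporting evidence only, never decisive on its own
        reasons.append("missing the ionCube Loader extension check")
    return "suspect", reasons

def find_suspects(files: dict[str, str]) -> dict[str, list[str]]:
    """Classify name -> content pairs and keep only the suspects with their reasons."""
    results = {name: classify(name, text) for name, text in files.items()}
    return {name: reasons for name, (verdict, reasons) in results.items() if verdict == "suspect"}

def scan(root: Path) -> dict[str, list[str]]:
    """Read every .php file under a webroot and report the suspects."""
    files = {str(p): p.read_text(errors="replace") for p in root.rglob("*.php") if p.is_file()}
    return find_suspects(files)

# Constructed fixtures (not real samples): a stub shaped like a genuine ionCube header,
# and a look-alike that executes whatever arrives in a POST parameter.
GENUINE = ("<?php //004fb\nif(!extension_loaded('ionCube Loader')){die('Loader required');}\n"
           "?>\nHR+cP...constructed placeholder for the encoded payload...")
FAKE = "<?php //004fb\n@eval(base64_decode($_POST['c']));\n"

if __name__ == "__main__":
    report = scan(Path(sys.argv[1])) if len(sys.argv) > 1 else find_suspects({"ioncube.php": GENUINE, "ioncube_loader.php": FAKE})
    for name, reasons in report.items():
        print(f"SUSPECT {name}: {'; '.join(reasons)}")
```

Run it with a webroot path to scan real files; without arguments it classifies the two constructed fixtures and reports only the look-alike.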