
Symchanger Malware

Posted: December 3, 2020

It is not uncommon for cybercriminals to go after other cybercriminals instead of regular users. Often, this involves promoting 'free malware' utilities that other wannabe hackers might find interesting and attractive. This is the case of the Symchanger Malware, which appears to be promoted on online forums, hidden social media groups, and other platforms that cybercriminals frequent. The Symchanger Malware poses as an excellent hacking tool that can be used to infiltrate websites running various Content Management Systems (CMS) like Drupal, WordPress, Joomla and others. While the Symchanger Malware does contain corrupted code collected from other malware, its author also has implemented a hidden backdoor feature that serves an interesting purpose, discussed later. The Symchanger Malware is a single '.php' file, which the criminals are meant to run on a previously compromised Web server to recover credentials, passwords and other data. The contents of the PHP file are obfuscated, but cybercriminals are unlikely to be worried by this, since it is not uncommon for corrupted code to be obfuscated in one way or another.

Symchanger Plants a Hidden Database Administrator

What criminals might not know, however, is that the 'free' Symchanger Malware will execute some additional tasks without their knowledge. As soon as the corrupted script is executed, it will carry out the so-called 'symlink' attack to try to gain access to other Web server directories that are usually inaccessible.

The 'attacker' using the Symchanger Malware will not be informed that the threat starts to scan accessible directories for configuration files used by the content management systems listed above. The backdoor component also tries to access the '/etc/passwd' file, which might contain additional login credentials. If the backdoor manages to collect database credentials successfully, it will try to establish a connection to every available database and then insert a pre-defined username and password. This way, the original author of the Symchanger Malware will have a rogue administrator account on compromised sites. The Symchanger Malware will silently send an identical email to five addresses; the contents of the message are the URL of the compromised page and the username and password that were added to the database.
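Defenders can look for the first stage described above, symlinks planted inside a document root that resolve to files outside it (other sites' CMS configuration files, system files, or nothing at all). The following is an added example for this page, not code from the article or from the malware; it builds a constructed sample tree in a temporary directory (the paths and file names are made up) and reports every escaping or dangling symlink.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(webroot):
    """Return (link_path, resolved_target) for each symlink under webroot whose
    target resolves outside webroot; dangling links are reported with target None."""
    root = Path(webroot).resolve()
    findings = []
    # followlinks=False: symlinked directories are listed but never descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=True)
            except (FileNotFoundError, RuntimeError):
                findings.append((str(link), None))  # dangling or looping link
                continue
            if target != root and root not in target.parents:
                findings.append((str(link), str(target)))  # escapes the document root
    return findings


def build_demo_tree():
    """Constructed sample layout (assumed, not from the article): one benign
    in-root link, one link escaping to another site's config, one dangling link."""
    base = Path(tempfile.mkdtemp())
    webroot = base / "webroot"
    (webroot / "assets").mkdir(parents=True)
    (webroot / "index.php").write_text("<?php echo 'ok'; ?>\n")
    secret = base / "other_site" / "wp-config.php"
    secret.parent.mkdir()
    secret.write_text("<?php define('DB_PASSWORD', 'example-only'); ?>\n")
    (webroot / "css").symlink_to(webroot / "assets")      # stays inside webroot
    (webroot / "cfg.txt").symlink_to(secret)              # escapes webroot
    (webroot / "gone.txt").symlink_to(base / "missing")   # dangling
    return webroot, find_escaping_symlinks(webroot)


if __name__ == "__main__":
    for link, target in build_demo_tree()[1]:
        print(f"suspicious symlink: {link} -> {target}")
```

Run it against a real document root by calling find_escaping_symlinks on that path; anything it reports deserves a look in the web server's access logs around the link's creation time.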

This Backdoored Malware Tricks Criminals into Handing over Their Compromised Systems

In short, the Symchanger Malware is a rogue piece of malware whose users might end up unknowingly helping another cybercriminal compromise websites. The author of the Symchanger Malware does not need to do anything; the login credentials and list of compromised sites will arrive in their inbox.

While the Symchanger Malware does not target regular users, for now, it shows how easy it is for an evil-minded user to compromise websites. In this scenario, the corrupted file is being propagated as a free-to-use 'backdoor,' but it is entirely possible that its authors might disguise it as a useful utility that legitimate Web administrators would want to use. Remember never to download and execute unknown files unless they have been thoroughly scanned by an anti-virus application first.
