Hackers are exploiting vulnerabilities in PHP-based web applications to deploy malware on a global scale. This has created a huge cybersecurity threat.

With a particular focus on Indonesian online gambling platforms, Imperva Threat Research has uncovered a coordinated campaign targeting thousands of websites.
The attacks originate from Python-based bots. Researchers have observed this activity over the past two months, coinciding with intensified efforts by the Indonesian government to crack down on illegal online gambling.
Although the campaign has affected web servers worldwide, the researchers observed a marked concentration on Indonesian sites, aligning with recent enforcement actions in the country.
At the heart of this malicious campaign is the deployment of GSocket, a powerful networking toolkit developed by HackersChoice.
The attackers use a one-liner command to install GSocket on compromised servers. This enables remote connections that bypass NAT and firewalls.
The tool also allows attackers to establish secure TCP connections between hosts despite network restrictions. The attackers' strategy involves targeting pre-existing webshells on already compromised PHP servers.
The attackers send a high volume of requests to common webshell paths and use known parameters. This increases their chances of locating active webshells to execute commands and install the GSocket toolkit.
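The probing pattern described above leaves a recognisable trace in web server access logs: a scripted client hitting many distinct PHP paths, most of which do not exist. The following script is an added defender-side illustration, not code from the Imperva report; it assumes Apache combined log format, and the sample lines, IPs, paths, user agents and thresholds are constructed placeholders rather than indicators from the campaign.

```python
import re
from collections import defaultdict

# Constructed sample of an Apache "combined" access log; IPs, paths and UAs are placeholders.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Oct/2024:10:00:01 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.10 - - [01/Oct/2024:10:00:01 +0000] "POST /images/up.php?pass=x HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.10 - - [01/Oct/2024:10:00:02 +0000] "GET /admin/sh.php?cmd=id HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.10 - - [01/Oct/2024:10:00:02 +0000] "GET /cache/w.php?cmd=whoami HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.10 - - [01/Oct/2024:10:00:03 +0000] "GET /tmp/x.php?cmd=id HTTP/1.1" 404 196 "-" "python-requests/2.31.0"
203.0.113.10 - - [01/Oct/2024:10:00:03 +0000] "POST /theme/up.php?cmd=id HTTP/1.1" 200 57 "-" "python-requests/2.31.0"
198.51.100.7 - - [01/Oct/2024:10:00:05 +0000] "GET /login/index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
198.51.100.7 - - [01/Oct/2024:10:00:09 +0000] "GET /course/view.php?id=3 HTTP/1.1" 200 22031 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
198.51.100.200 - - [01/Oct/2024:10:01:00 +0000] "GET /x.php HTTP/1.1" 404 196 "-" "curl/8.5.0"
198.51.100.200 - - [01/Oct/2024:10:01:01 +0000] "GET /y.php HTTP/1.1" 404 196 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SCRIPTED_UA = re.compile(r"python-requests|python-urllib|aiohttp|curl/|go-http-client", re.I)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webshell_probers(lines, min_paths=5, min_404_ratio=0.6):
    """Flag clients with a scripted UA that hit many distinct .php paths, mostly missing."""
    stats = defaultdict(lambda: {"paths": set(), "total": 0, "nf": 0, "scripted": False, "params": set()})
    for line in lines:
        rec = parse_line(line)
        path, _, query = rec["path"].partition("?") if rec else ("", "", "")
        if not path.lower().endswith(".php"):  # skip non-PHP requests and unparseable lines
            continue
        s = stats[rec["ip"]]
        s["paths"].add(path)
        s["total"] += 1
        s["nf"] += rec["status"] == "404"
        s["scripted"] = s["scripted"] or bool(SCRIPTED_UA.search(rec["ua"]))
        s["params"].update(kv.split("=", 1)[0] for kv in query.split("&") if kv)  # query parameter names seen
    flagged = {}
    for ip, s in stats.items():
        ratio = s["nf"] / s["total"]
        if s["scripted"] and len(s["paths"]) >= min_paths and ratio >= min_404_ratio:
            flagged[ip] = {"distinct_php_paths": len(s["paths"]),
                           "not_found_ratio": round(ratio, 2), "params": sorted(s["params"])}
    return flagged

if __name__ == "__main__":
    print(find_webshell_probers(SAMPLE_LOG.splitlines()))
```

The collected parameter names are useful for a second pass: a hit on a PHP path that returned 200 to a command-style parameter is the request worth pulling the response body and file for.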
Moodle, a well-known Learning Management System, has been identified by investigators as the primary target of this campaign.
Investigators have discovered various backdoored Moodle instances with traces of GSocket infection. The attackers have also implemented persistence mechanisms. These allow them to maintain access even after the removal of initial backdoors.
Further investigation showed that the attackers are using the compromised servers to host landing pages for Indonesian online gambling services.
The attackers design these pages to be visible only to search engine bots. Meanwhile, they redirect regular visitors to other gambling domains.
This tactic allows the attackers to exploit legitimate websites to promote illegal gambling operations. This makes it challenging for authorities to shut down these activities.