A malicious PHP script found on over 5,000 compromised websites has been fingered as the source of a large-scale spam campaign that has been silently redirecting users to web pages hosting diet and intelligence boosting pills.
The purpose of this script is to keep hacked sites under the control of a group of cyber-criminals, and manage dynamic redirections to various spam campaigns.
The script is part of the infrastructure of a voracious spam botnet named "Brain Food." The spam campaigns pushed by this botnet have been spotted as far as March 2017, but its operations were dissected last week by Proofpoint researcher Andrew Conway.
Conway says botnet operators compromise websites and leave this script behind. The script allows them to execute code on demand, but its primary role is to act as a redirection point in large-scale spam operations.
Brain Food botnet admins operate by sending email spam to victims containing short links to these PHP scripts on various hacked sites.
If a user clicks on the short links, they arrive on the PHP script, which redirects the user to another hacked site hosting web pages for diet and intelligence-boosting pills, usually containing fake branding.
The PHP scripts are capable of receiving new "redirection targets" from the Brain Food operators based on the most recent spam campaign they are pushing. The scripts also collect click-through statistics for each campaign.
Conway says he's been tracking over 5,000 sites containing copies of these PHP scripts, with the vast majority found on GoDaddy's network. Over 2,400 were active last week, according to Conway.
The botnet doesn't seem to be living off specific vulnerabilities on certain CMS platforms. Conway says Brain Food is comprised of hacked sites running on a multitude of platforms, such as WordPress, Joomla, and others.
The script's code is also polymorphic and obfuscated with multiple layers of base64 encoding. Furthermore, it also includes protection against automatic Google indexing, responding to Google's search crawler with a 404 code "page not found" error.
While the botnet is harmless for end users, pushing only spammy content, it is dangerous for infected sites, mainly because of its backdoor-like capabilities that allow the botnet operators to execute any code they want at any time.
IOCs for the Brain Food botnet's command and control servers are available in Conway's report.
Image credits: Kelcey Hurst, Bleeping Computer