27 Sep 2021

Kit Hunter 2.0 - Known Detections in WordPress

Filed Under: khdocs

Image: Araki Illustrations - stock.adobe.com

Known detections in WordPress

WordPress is arguably the most common website platform on the planet. However, it is also (thanks to addons and extensions) one of the most openly targeted and attacked website platforms on the planet.

There is a lot that goes into securing a WordPress website, and credit to the developers, the WordPress team takes security seriously. At the same time, the administrators who deploy WordPress also need to focus on security, which means keeping track of the core installation (and using automatic updates), as well as keeping tabs on the updates for addons and extensions.

Many administrators will leverage various tools and scripts to defend their website and webservers, including scripts like Kit Hunter. As such, I wanted to post a breakdown of the core WordPress installation (with no additional themes, extensions, or addons), and show the scan results (minus the exact lines of code) from the current version of Kit Hunter (2.5.9).

Kit Hunter will flag several items in default installs of WordPress. The full scan is below.

What looks to be a clear case of false positives, is actually the exact reason that Kit Hunter exists and works. Criminals are clever, and as much as it pains me to give them any credit whatsoever, it’s a simple truth. Over the years, phishing kit development has only advanced, and among those advancements are the constant use and reuse of legitimate commands and services. For example bin2hex and curl.haxx.se.

While these commands and services are used as markers for phishing kit detection, only some are proof-positive of infection / compromise. This is why each detection requires either a direct examination of the flagged files / folders, or at least an understanding of what exactly is going on your webservers or websites. Awareness and context is a key component of any security plan.

Considering the detections below, including several known brands that are commonly targeted by criminals and phishing kits, Kit Hunter was right to flag the files that it did. This is a solid established baseline as well, since changes to the website or the core installation of WordPress (via update, or manually) could introduce problems. Also, a good rule to remember while scanning is: the more detections there are, the more likely it is that a problem exists.

For example, if under Telegram_Phishing_Exfiltration_Detection you were to see multiple hits, it could be an indicator that someone is exfiltrating data from your website to Telegram, a common phishing technique. Likewise, a brand indication of Microsoft along with indicators of known brand URLs, templating systems, or authors, is also a strong indicator of problems.

At the end of the day Kit Hunter exists to offer awareness and context. So while false positives do happen, and they are scrubbed out during constant testing and tuning on my part, the bulk of detections are legitimate and worth taking a look at, just to ensure that everything is fine.

| ==============================================================================
| Archive Scanned:
|
| /Kit-Hunter-2/Scanner/wordpress-5.8.1.zip
|
| ==============================================================================
| The following files contain known phishing keywords:
| ==============================================================================
|
| File: 'wp-admin/edit-form-advanced.php'
| File: 'wp-admin/includes/class-pclzip.php'
| File: 'wp-admin/includes/class-wp-site-icon.php'
| File: 'wp-admin/includes/continents-cities.php'
| File: 'wp-admin/includes/dashboard.php'
| File: 'wp-admin/includes/deprecated.php'
| File: 'wp-admin/includes/file.php'
| File: 'wp-admin/includes/template.php'
| File: 'wp-content/themes/twentynineteen/classes/class-twentynineteen-svg-icons.php'
| File: 'wp-content/themes/twentytwenty/classes/class-twentytwenty-non-latin-languages.php'
| File: 'wp-content/themes/twentytwenty/classes/class-twentytwenty-svg-icons.php'
| File: 'wp-content/themes/twentytwentyone/classes/class-twenty-twenty-one-svg-icons.php'
| File: 'wp-content/themes/twentytwentyone/inc/template-functions.php'
| File: 'wp-includes/ID3/getid3.lib.php'
| File: 'wp-includes/ID3/getid3.php'
| File: 'wp-includes/ID3/module.audio-video.asf.php'
| File: 'wp-includes/ID3/module.audio-video.matroska.php'
| File: 'wp-includes/ID3/module.audio-video.quicktime.php'
| File: 'wp-includes/ID3/module.audio-video.riff.php'
| File: 'wp-includes/ID3/module.tag.id3v1.php'
| File: 'wp-includes/ID3/module.tag.id3v2.php'
| File: 'wp-includes/ID3/readme.txt'
| File: 'wp-includes/PHPMailer/SMTP.php'
| File: 'wp-includes/SimplePie/Decode/HTML/Entities.php'
| File: 'wp-includes/SimplePie/Enclosure.php'
| File: 'wp-includes/SimplePie/Item.php'
| File: 'wp-includes/SimplePie/Misc.php'
| File: 'wp-includes/SimplePie/Parser.php'
| File: 'wp-includes/SimplePie/Rating.php'
| File: 'wp-includes/blocks/social-link.php'
| File: 'wp-includes/class-json.php'
| File: 'wp-includes/class-simplepie.php'
| File: 'wp-includes/class-snoopy.php'
| File: 'wp-includes/class-wp-editor.php'
| File: 'wp-includes/class-wp-oembed.php'
| File: 'wp-includes/class-wp-theme-json.php'
| File: 'wp-includes/formatting.php'
| File: 'wp-includes/functions.php'
| File: 'wp-includes/general-template.php'
| File: 'wp-includes/http.php'
| File: 'wp-includes/https-migration.php'
| File: 'wp-includes/kses.php'
| File: 'wp-includes/load.php'
| File: 'wp-includes/media.php'
| File: 'wp-includes/ms-files.php'
| File: 'wp-includes/ms-functions.php'
| File: 'wp-includes/pluggable.php'
| File: 'wp-includes/rest-api.php'
| File: 'wp-includes/rewrite.php'
| File: 'wp-includes/sodium_compat/lib/php72compat.php'
| File: 'wp-includes/sodium_compat/lib/sodium_compat.php'
| File: 'wp-includes/sodium_compat/src/Compat.php'
| File: 'wp-includes/sodium_compat/src/Core/Util.php'
| File: 'wp-includes/theme.php'
| File: 'wp-includes/update.php'
| File: 'wp-includes/vars.php'
|
| ==============================================================================
| The following tag file reported matches: Telegram_Phishing_Exfiltration_Detection.tag
| ==============================================================================
|
|           Tag: "$token = '"
|
| ==============================================================================
| The following tag file reported matches: Phishing_Kit_Brand_Indicators.tag
| ==============================================================================
|
|           Tag: 'AT&T'
|           Tag: 'Apple'
|           Tag: 'Dropbox'
|           Tag: 'Facebook'
|           Tag: 'Flickr'
|           Tag: 'Halifax'
|           Tag: 'LinkedIn'
|           Tag: 'Microsoft'
|           Tag: 'PayPal'
|           Tag: 'Reddit'
|           Tag: 'iTunes'
|           Tag: 'imgur'
|
| ==============================================================================
| The following tag file reported matches: Phishing_Kit_Function_Indicators.tag
| ==============================================================================
|
|           Tag: 'PHP_URL_HOST'
|           Tag: 'bin2hex'
|           Tag: 'news-'
|
| ==============================================================================
| The following tag file reported matches: Blockchain_Phishing_Detection.tag
| ==============================================================================
|
|           Tag: 'Theta'
|
| ==============================================================================
| The following tag file reported matches: Phishing_Kit_URL_Indicators.tag
| ==============================================================================
|
|           Tag: 'amazon.co.jp'
|           Tag: 'amazon.com'
|           Tag: 'amazon.de'
|           Tag: 'amazon.fr'
|           Tag: 'apple.com'
|           Tag: 'att.com'
|           Tag: 'btinternet.com'
|           Tag: 'curl.haxx.se'


That's all for now.

-[30]- a.k.a. The End


-[ Return ⬏ ]-