Obfuscation Through Legitimate Appearances

Recently, I analyzed a malware sample provided by our analyst Edward C. Woelke and noticed that it had been placed in a core WordPress folder. This seemed suspicious, since no core WP file like it exists: ./wp-includes/init.php

Deceiving Appearances

I started with a standard analysis, and my first thought was: this has to be a legitimate file! It was nicely structured, with very legit-looking function names. It even used object-oriented PHP, which doesn’t happen very often in the case of malware.
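The two observations above (a file in wp-includes that core does not ship, and code that looks legitimate when read) point to a check that ignores appearance: compare the core directories against a manifest of known core files. The following is an added example, not code from the original post or from Sucuri; the function names, the sample file bodies and the path-to-MD5 manifest are constructed assumptions, and on a real site the manifest would be the official core checksum list for the installed WordPress version.

```python
import hashlib
import tempfile
from pathlib import Path

def audit_core_dirs(root, manifest, core_dirs=("wp-admin", "wp-includes")):
    """Compare files under the core directories with a path -> MD5 manifest.

    Returns (unexpected, modified): paths absent from the manifest, and
    paths whose content hash differs from the manifest entry.
    """
    root = Path(root)
    unexpected, modified = [], []
    for core_dir in core_dirs:
        base = root / core_dir
        if not base.is_dir():
            continue
        for path in sorted(base.rglob("*")):
            if not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            digest = hashlib.md5(path.read_bytes()).hexdigest()
            if rel not in manifest:
                unexpected.append(rel)   # core never shipped this file
            elif manifest[rel] != digest:
                modified.append(rel)     # shipped, but content has changed
    return unexpected, modified

def demo():
    """Build a constructed install in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        core = {  # constructed stand-ins for real core files
            "wp-includes/version.php": b"<?php $wp_version = 'x.y.z';\n",
            "wp-includes/load.php": b"<?php // core loader\n",
        }
        for rel, body in core.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
        manifest = {rel: hashlib.md5(b).hexdigest() for rel, b in core.items()}
        # The extra file from the post: tidy PHP, but not in the manifest.
        (root / "wp-includes/init.php").write_bytes(b"<?php class WP_Init {}\n")
        # A core file altered after the manifest was taken.
        (root / "wp-includes/load.php").write_bytes(b"<?php // changed\n")
        return audit_core_dirs(root, manifest)

if __name__ == "__main__":
    print(demo())
```

The unexpected list is the one that catches a file like ./wp-includes/init.php, however well structured its code is.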

Continue reading Obfuscation Through Legitimate Appearances at Sucuri Blog.

Story added 4 April 2018; the full text is available at the content source linked above.