On January 28th, I received an email while auditing the site that detailed a web-shell backdoor. I promptly deactivated the site and contacted the security team for my hosting. I located the malicious file and started decoding its obfuscation. Upon de-obfuscating, I looked at the code which connected to a Chinese domain but seemed benign as the back-end does make references to a Chinese website for managing the license for KodBox. I also made a server in a virtual machine to test how the software interacts with the internet and did not notice any strange requests or uploads. The software has been reverse engineered and is deemed safe.
Me and the hosting company worked to find why the software was flagged by the system, it was labeled suspicious because of its obfuscation.
If anyone wants to look at the code, i’ll put the sample below (Keep in mind that it won’t just run on your computer upon downloading. It’s safely stored in a text format, opening it would just display the code and not run it.)
Leave a Reply