Symchanger Malware Description
Symchanger Malware is a mass compromise tool that is being offered to threat actors for free. It was promoted through a Facebook group that also included a tutorial video on how to use the threat. Of course, as is usually the case, there is a catch: Symchanger's code includes a backdoor. After all, why wouldn't one threat actor exploit the efforts of other cybercriminals?
At its core, Symchanger Malware is PHP code that was most likely lifted from existing malware; the only meaningful modification is the added backdoor. The malware employs several layers of obfuscation and code checks during execution to hide its true nature. Symchanger's activity begins with a search for the configuration files of popular platforms such as WordPress, Joomla, Drupal, and WHMCS. When a suitable file is discovered, the threat creates a '.txt' symlink to it. Symchanger then attempts to access /etc/passwd and, if successful, extracts its contents to obtain a list of all existing users on that Web server. It then runs a foreach loop over those users to harvest each one's credentials. Finally, Symchanger injects a rogue admin user into every database to which it has successfully established a connection.
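The symlink stage described above leaves a recognizable trace on disk: links inside a web root whose names end in '.txt' but which resolve to CMS configuration files, to /etc/passwd, or to paths outside the web root entirely. The following scanner is an added example for hosting administrators, not code from the page or from Symchanger itself; the configuration filenames (wp-config.php, configuration.php, settings.php) are assumptions about what the tool searches for.

```python
import os

# Configuration files the write-up says Symchanger hunts for
# (WordPress, Joomla, Drupal, WHMCS). The filenames are an assumption.
CONFIG_NAMES = {"wp-config.php", "configuration.php", "settings.php"}
# System file the tool reads to enumerate users; resolved so that
# /etc -> /private/etc style layouts still match.
SENSITIVE_SYSTEM_FILES = {os.path.realpath("/etc/passwd")}


def classify_symlink(link_path, webroot_real):
    """Return a reason string if this symlink looks like a Symchanger-style
    config/passwd exposure, else None."""
    resolved = os.path.realpath(link_path)
    if resolved in SENSITIVE_SYSTEM_FILES:
        return "symlink to sensitive system file"
    if os.path.basename(resolved) in CONFIG_NAMES:
        return "symlink to CMS/billing configuration file"
    if link_path.endswith(".txt") and resolved.endswith(".php"):
        return "'.txt' symlink pointing at PHP source"
    # Any link that escapes the web root deserves a look: that is how one
    # compromised account reaches another account's files on shared hosting.
    if os.path.commonpath([webroot_real, resolved]) != webroot_real:
        return "symlink escapes the web root"
    return None


def find_suspicious_symlinks(webroot):
    """Walk webroot without following links and return a sorted list of
    (link_path, link_target, reason) for every flagged symlink."""
    webroot_real = os.path.realpath(webroot)
    findings = []
    for dirpath, dirnames, filenames in os.walk(webroot, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            reason = classify_symlink(path, webroot_real)
            if reason:
                findings.append((path, os.readlink(path), reason))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for link, target, reason in find_suspicious_symlinks(root):
        print(f"{reason}: {link} -> {target}")
```

Run it against each customer's document root on a shared host; a benign relative symlink inside the root produces no finding, so any output is worth a manual look.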
For the average threat actor, Symchanger's functionality ends with this cross-contamination capability. Hidden inside the underlying code, however, is a separate ability: the malware sends five email messages to multiple addresses through the already compromised Web server. Through them, Symchanger's creators receive various sensitive data: the stolen credentials, directory listings, and the URL of the specific symchanger.php file that was executed, allowing them to establish their own unauthorized access to the websites compromised by the tool.