Malware Platform Exposed via Unsecured PHP Installer

An unsecured PHP installation page has exposed the internal workings of an active malware distribution platform. The oversight let a security researcher obtain administrative access to the threat actor's dashboard and observe how the operation was run.

The discovery began during routine validation of Indicators of Compromise (IoCs) and web enumeration. Among several sensitive directories, the researcher found an exposed installation endpoint at "/install/install.php". The installer had been left reachable after deployment and could be rerun against the live production system, a critical flaw: an installer that can be re-executed lets anyone who reaches it re-create the application's configuration and its first administrator.

By supplying the installer with connection details for a MySQL instance under their own control, the researcher reinitialized the application against that database, creating a fresh schema and an administrator account of their choosing. That account carried full administrative access to the platform.
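As an added example (not the exposed platform's installer), the following install.php shows the checks whose absence made the rerun possible: it refuses to run once the application is installed, demands an operator-held token, and pins the database host so the installer cannot be pointed at a MySQL server the requester controls. The file names (install.lock, config.php, .install-token), the INSTALL_TOKEN variable, the allowed hosts and the table layout are assumptions for illustration.

```php
<?php
// Added example (not the exposed platform's installer): an install.php that cannot
// be rerun on an installed application and cannot be repointed at a foreign database.
// File names (install.lock, config.php, .install-token), the INSTALL_TOKEN variable,
// the table layout and the allowed hosts are assumptions for illustration.
declare(strict_types=1);

$appRoot  = dirname(__DIR__);            // /install/ sits one level below the app root
$lockFile = $appRoot . '/install.lock';
$config   = $appRoot . '/config.php';

function deny(int $code, string $msg): void
{
    http_response_code($code);
    exit($msg . "\n");
}

// 1. Already installed? Refuse before reading any input. Checking both the lock
//    file and the generated config means deleting one of them does not reopen it.
if (file_exists($lockFile) || file_exists($config)) {
    deny(403, 'Installer disabled: application already installed.');
}

// 2. POST only, and only with a one-time token the operator placed outside the
//    web root. An anonymous GET, which is how the endpoint was discovered, stops here.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    deny(405, 'Installer accepts POST only.');
}
$expected = trim(getenv('INSTALL_TOKEN') ?: (string) @file_get_contents($appRoot . '/.install-token'));
$provided = (string) ($_POST['install_token'] ?? '');
if ($expected === '' || !hash_equals($expected, $provided)) {
    deny(403, 'Installer disabled: missing or invalid install token.');
}

// 3. Validate everything before taking the lock. The DB host is pinned to the
//    deployment; the DB name is constrained because it is interpolated into the DSN.
$allowedHosts = ['127.0.0.1', 'localhost', 'db'];   // assumed topology
$dbHost    = (string) ($_POST['db_host'] ?? '');
$dbName    = (string) ($_POST['db_name'] ?? '');
$dbUser    = (string) ($_POST['db_user'] ?? '');
$dbPass    = (string) ($_POST['db_pass'] ?? '');
$adminUser = (string) ($_POST['admin_user'] ?? 'admin');
$adminPass = (string) ($_POST['admin_pass'] ?? '');
if (!in_array($dbHost, $allowedHosts, true) || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $dbName)) {
    deny(400, 'Refusing to install against that database host or name.');
}
if (strlen($adminPass) < 16) {
    deny(400, 'Administrator password must be at least 16 characters.');
}

// 4. Take the lock atomically: mode 'x' fails if the file exists, so two concurrent
//    install requests cannot both proceed. If a later step fails, the lock stays in
//    place (fail closed) and the operator removes it deliberately.
$fh = @fopen($lockFile, 'x');
if ($fh === false) {
    deny(409, 'Another install is in progress or already completed.');
}
fwrite($fh, date('c') . "\n");
fclose($fh);

// 5. Create the schema and the first administrator with a hashed password.
$pdo = new PDO("mysql:host={$dbHost};dbname={$dbName};charset=utf8mb4", $dbUser, $dbPass,
               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE IF NOT EXISTS admin_users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(64) NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL,
    credential_version INT NOT NULL DEFAULT 1,
    disabled TINYINT NOT NULL DEFAULT 0
)');
$stmt = $pdo->prepare('INSERT INTO admin_users (username, password_hash) VALUES (?, ?)');
$stmt->execute([$adminUser, password_hash($adminPass, PASSWORD_DEFAULT)]);

// 6. Write config.php readable by the web server but not writable by it.
file_put_contents($config, "<?php\nreturn " . var_export(
    ['db_host' => $dbHost, 'db_name' => $dbName, 'db_user' => $dbUser, 'db_pass' => $dbPass], true
) . ";\n", LOCK_EX);
chmod($config, 0440);

echo "Installed. Delete the /install/ directory from the web root before serving traffic.\n";
```

The in-script guard is the last line of defence, not the first: the deployment step should delete /install/ entirely, or deny it at the web server, so that a forgotten lock file cannot reopen the endpoint.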

The first visit to the dashboard returned a 500 Internal Server Error, because the application's configuration no longer matched the freshly created database. Once the threat actor restored the original backend configuration, however, the researcher's session still worked without logging in again: the application kept the server-side session alive and never invalidated active sessions when its backend changed, so the session identifier issued during the researcher's login remained valid.
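The failure described above is that nothing tied an issued session to the server-side state that later changed. As an added example (not the platform's code), the session layer below binds every session to a server-side epoch and to the account's credential version, so a reinstall, a configuration restore, a password reset or a forced logout invalidates every session issued before it. The settings and admin_users tables, the DSN and the DB_PASS variable are assumptions.

```php
<?php
// Added example, not the platform's code: sessions bound to a server-side epoch
// and to a per-account credential version. The settings/admin_users tables, the
// DSN and DB_PASS are assumptions for illustration.
declare(strict_types=1);

session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Strict']);
session_start();

function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app',
                       getenv('DB_PASS') ?: '', [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    }
    return $pdo;
}

function currentEpoch(): int
{
    $row = db()->query("SELECT value FROM settings WHERE name = 'session_epoch'")->fetch(PDO::FETCH_ASSOC);
    return $row === false ? 0 : (int) $row['value'];
}

// Call this from the installer, from any backend/config restore and from incident
// response: on its next request every pre-existing session fails the epoch check.
function bumpEpoch(): void
{
    db()->exec("UPDATE settings SET value = value + 1 WHERE name = 'session_epoch'");
}

function endSession(string $msg): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
    http_response_code(401);
    exit($msg . "\n");
}

// Call after the password check succeeded; never keep the pre-authentication session id.
function establishSession(int $userId, int $credentialVersion): void
{
    session_regenerate_id(true);
    $_SESSION = [
        'uid'    => $userId,
        'cv'     => $credentialVersion,
        'epoch'  => currentEpoch(),
        'issued' => time(),
    ];
}

// Gate every admin request through this; it returns the user id or ends the session.
function requireValidSession(): int
{
    if (!isset($_SESSION['uid'], $_SESSION['cv'], $_SESSION['epoch'], $_SESSION['issued'])) {
        endSession('Not authenticated.');
    }
    // Global: the server-side state the session was issued under has changed.
    if ((int) $_SESSION['epoch'] !== currentEpoch()) {
        endSession('Session invalidated by a server-side change; log in again.');
    }
    // Per account: a password reset bumps credential_version; disabling the account ends it.
    $stmt = db()->prepare('SELECT credential_version, disabled FROM admin_users WHERE id = ?');
    $stmt->execute([(int) $_SESSION['uid']]);
    $u = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($u === false || (int) $u['disabled'] === 1 || (int) $u['credential_version'] !== (int) $_SESSION['cv']) {
        endSession('Account changed; log in again.');
    }
    // Absolute lifetime, independent of activity.
    if (time() - (int) $_SESSION['issued'] > 8 * 3600) {
        endSession('Session expired.');
    }
    return (int) $_SESSION['uid'];
}
```

The epoch check costs one indexed row read per request and is what the exposed panel lacked: restoring the backend configuration would have been a natural place to call bumpEpoch(), after which the researcher's cookie would have been rejected on its next request.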

Further analysis showed the platform to be a functional malware distribution system: a PHP-based admin panel backed by a MySQL database, with file storage used to host the malicious payloads. The system generated download pages dynamically from URL parameters and routed victims through multi-stage redirection chains. In several cases intermediary services sat between the lure and the final malware-hosting domain, which keeps that domain out of the first hop a victim or a scanner sees and helps it evade detection.
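Validating IoCs against a chain like this means recording every intermediary rather than letting the HTTP client follow redirects silently. The following is an added example, not the platform's code or the researcher's tooling: it walks a chain one hop at a time, handles both Location headers and HTML meta-refresh redirects, and takes the hop function as a parameter so the same walker runs against a constructed offline chain (shown, built from reserved example domains; the article's IoC domains are not contacted) or against live traffic via curl.

```php
<?php
// Added example, not the platform's code or the researcher's tooling: unwind a
// multi-stage redirect chain one hop at a time. The demo chain at the bottom is
// constructed from reserved example domains.
declare(strict_types=1);

/**
 * One network hop: returns [status, next_url_or_null, body]. FOLLOWLOCATION is off
 * so the intermediary is observed rather than skipped. Run only from an isolated
 * analysis host; the request itself tells the operator someone is looking.
 */
function curlHop(string $url): array
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,
        CURLOPT_TIMEOUT        => 10,
        CURLOPT_MAXFILESIZE    => 65536,   // enough for an HTML redirector, not a payload
        CURLOPT_USERAGENT      => 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
    ]);
    $body   = (string) curl_exec($ch);
    $status = (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    $next   = curl_getinfo($ch, CURLINFO_REDIRECT_URL) ?: null;
    curl_close($ch);
    return [$status, $next, $body];
}

/** Client-side redirect that a 200 response may carry (meta refresh); null if none. */
function metaRefreshTarget(string $body): ?string
{
    if (preg_match('/http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)/i', $body, $m)) {
        return $m[1];
    }
    return null;
}

/** Resolve a possibly relative Location against the URL it came from. */
function absolutize(string $base, string $target): string
{
    if (preg_match('#^https?://#i', $target)) {
        return $target;
    }
    $p = parse_url($base);
    $origin = $p['scheme'] . '://' . $p['host'] . (isset($p['port']) ? ':' . $p['port'] : '');
    if ($target !== '' && $target[0] === '/') {
        return $origin . $target;
    }
    return $origin . rtrim(dirname($p['path'] ?? '/'), '/') . '/' . $target;
}

/** Walk the chain with the supplied hop function; returns one record per hop. */
function resolveChain(string $start, callable $hop, int $maxHops = 10): array
{
    $records = [];
    $seen = [];
    $url = $start;
    while (count($records) < $maxHops) {
        if (isset($seen[$url])) {
            $records[] = ['url' => $url, 'status' => null, 'note' => 'loop'];
            return $records;
        }
        $seen[$url] = true;
        [$status, $next, $body] = $hop($url);
        $record = ['url' => $url, 'status' => $status, 'host' => parse_url($url, PHP_URL_HOST)];
        if ($next === null && $status === 200) {
            $next = metaRefreshTarget($body);
            if ($next !== null) {
                $record['note'] = 'meta-refresh';
            }
        }
        $records[] = $record;
        if ($next === null) {
            return $records;                 // terminal response: final host reached
        }
        $url = absolutize($url, $next);
    }
    $records[] = ['url' => $url, 'status' => null, 'note' => 'hop limit reached'];
    return $records;
}

// Constructed offline chain: lure -> tracking redirector -> meta refresh -> relative Location -> payload.
$demo = [
    'https://lure.example/dl?f=invoice'   => [302, 'https://track.example/r/abc', ''],
    'https://track.example/r/abc'         => [200, null, '<html><meta http-equiv="refresh" content="0;url=https://cdn.example/get.php?id=7"></html>'],
    'https://cdn.example/get.php?id=7'    => [302, '/files/setup.bin', ''],
    'https://cdn.example/files/setup.bin' => [200, null, 'MZ...'],
];
$fakeHop = fn(string $u): array => $demo[$u] ?? [404, null, ''];

foreach (resolveChain('https://lure.example/dl?f=invoice', $fakeHop) as $i => $r) {
    printf("%d  %-40s %s%s\n", $i, $r['url'], $r['status'] ?? '-', isset($r['note']) ? "  ({$r['note']})" : '');
}
```

Each record's host is what goes into the IoC list; the distinct set of hosts across the chain, not just the final one, is what a blocklist needs, since the operator can swap the last hop while the lure and the intermediaries stay the same. JavaScript-driven redirects are not handled here and still require rendering the page.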

The administrative dashboard offered tools for managing downloads, tracking visitor activity and configuring campaign settings, which points to a structured operation rather than a basic phishing setup. For all that functionality, the infrastructure's own security was weak, particularly around deployment (the installer left reachable) and session management (sessions never invalidated).

Indicators of compromise (IoCs) associated with this platform include domains such as `micronsoftwares[.]com` and `wetransfer[.]ICU`, as well as the SHA256 hash `7b03fb383a5ce784a3cb9b0f8a76a84e984d14e553de5d98faff3d07d9793085`.

This incident underscores two basics: installation scripts must be removed or disabled once an application is deployed, and sessions must be invalidated whenever the state they were issued under changes. Even active threat actor infrastructure falls to such simple misconfigurations, which is exactly why the same controls matter in every web application.