On September 8th 2021 I discovered a backdoor in a Composer package for generating QR codes in the Laravel framework. The package
laraveli/qr-code contains malware that attackers can use to remotely execute code on a compromised website or install and access a web shell. The code was traced back to a second package which also contains malware,
Fortunately, the package doesn't even work if you follow the installation instructions because it's missing a dependency,
werneckbh/qr-code. More on that in a minute. Once I added the required package I was able to explore how this backdoor is intended to work. The malware is contained in the
boot() method of the
Because Laravel calls the
boot() method of this service provider automatically, the backdoor can be accessed on any page of the site by simply appending
?run=[command] to the URL. The result is unrestricted remote command execution.
Additionally, if you pass
console as the command a web shell gets retrieved from a Gist on GitHub and installed in the site's web root directory. The shell requires a login (thankfully), but that can be found in the shell's source code. Getting the password correct required cracking the MD5 hash or, you know, Googling it.
So where did this code come from? First, let's talk about the legitimate code the package is based on. If you look at the code comments and README they contain this copyright:
Copyright 2018 Bruno Vaula Werneck. It turns out Bruno Werneck is the author of two QR code packages:
werneckbh/qr-code (the missing dependency mentioned above) and
werneckbh/laravel-qr-code, which contains the exact same code as
laraveli/qr-code (minus the malware).
So where did the malware come from? The package was published by a shell account with no other activity or author information, however the shell login username and the user's GitHub avatar both provide a clue: fr3on.
According to GitHub, fr3on is a handle for an Egyptian PHP developer named Ahmed Mardi. Ahmed's Facebook account even includes the same fr3on avatar we saw on laraveli's GitHub profile.
Looking through Ahmed's GitHub account it became clear that he likes web shells, but I also discovered a second Composer package he published that contains malware:
fr3on/neutron contains no legitimate or useful code, but it does include a variant of the backdoor we saw initially.
This backdoor provides remote command execution via the same
?run=[command] URL parameter, but it also beacons back to
hxxp://insta.fr3on[.]info/ with information about the compromised website including the hostname, URL, server OS and architecture, and the user that's executing the PHP script. The C2 domain is flagged as malicious by one vendor on VirusTotal.
I notified Packagist.org about these two malicious packages on September 11th, 2021. Both packages were removed on September 12th, 2021.
Indicators of Compromise