Whitespace Steganography Conceals Web Shell in PHP Malware
Last November, we wrote about how attackers are using JavaScript injections to load malicious code from legitimate CSS files.
At first glance, these injections didn’t appear to contain anything except for some benign CSS rules. A more thorough analysis of the .CSS file revealed 56,964 seemingly empty lines containing combinations of invisible tab (0x09), space (0x20), and line feed (0x0A) characters, which were converted to binary representation of characters and then to the text of an executable JavaScript code.
Continue reading Whitespace Steganography Conceals Web Shell in PHP Malware at Sucuri Blog.