AS4 - PHP Zerodium Backdoor

In March 2023 it was discovered that a bad actor had succeeded in infecting the official PHP code with a backdoor. PHP is one of the most common technologies for web applications; a successful attack would have meant taking over millions of servers.

Techniques:

Reconnaissance

T0137 - Weak Authentication Methods

One of the action items after the breach was to enable MFA.
T0137 page

Initial Access

T0180 - Compromise Services / Servers

The PHP Git server was maintained by the PHP developers themselves. After the breach they decided to move to GitHub.
T0180 page

Defense Evasion

T0195 - Spoofed Commits

The attackers tried to impersonate two PHP developers.
T0195 page

Impact

T0191 - Malicious Code In Artifacts

On March 28th, 2021, two commits to the PHP source code were more than extraordinary: they contained a backdoor which would execute if the HTTP_USER_AGENTT string started with 'zerodium'.
T0191 page

Resource Development

T0111 - Malicious Code Contribution To An Open-Source Repository

T0111 page

Execution

T0172 - Runtime Backdoor

The backdoor would execute commands when an HTTP request whose user-agent string started with 'zerodium' was sent.
T0172 page
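The trigger described under T0191 and T0172 (the non-standard HTTP_USER_AGENTT value beginning with 'zerodium') is something a defender can hunt for in request logs. The following is an added detection example, not code from the PHP project or from this scenario page; the sample requests, the 'suspicious' tier for any request carrying the misspelled header at all, and the header-to-$_SERVER mapping are assumptions made for the example.

```python
from typing import Dict, List, Tuple

# The $_SERVER key the backdoor inspected and the prefix it required, both from the scenario text.
TRIGGER_VAR = "HTTP_USER_AGENTT"
TRIGGER_PREFIX = "zerodium"


def cgi_var_name(header: str) -> str:
    """Map an HTTP header name to its PHP $_SERVER key (CGI convention, assumed here),
    e.g. 'User-Agentt' -> 'HTTP_USER_AGENTT'."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into $_SERVER-style keys."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line terminates the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[cgi_var_name(name)] = value.strip()
    return headers


def classify(headers: Dict[str, str]) -> str:
    """'trigger' if the request would have fired the backdoor, 'suspicious' if it
    carries the misspelled header with any other value, 'clean' otherwise."""
    value = headers.get(TRIGGER_VAR)
    if value is None:
        return "clean"
    if value.startswith(TRIGGER_PREFIX):  # case-sensitive prefix, as the text describes
        return "trigger"
    return "suspicious"


def scan(requests: List[str]) -> List[Tuple[int, str]]:
    """Return (index, verdict) for every request that is not clean."""
    findings = []
    for i, raw in enumerate(requests):
        verdict = classify(parse_request_headers(raw))
        if verdict != "clean":
            findings.append((i, verdict))
    return findings


# Constructed sample traffic for the example (not real captures); the payload is a placeholder.
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.test\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: zerodium[placeholder]\r\n\r\n",
    "GET /index.php HTTP/1.1\r\nHost: example.test\r\nUser-Agentt: curl/8.0\r\n\r\n",
]
```

Note that a normal User-Agent header maps to HTTP_USER_AGENT and never matches; only the misspelled header name reaches the backdoor's check.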

LEGEND: PHP Zerodium Backdoor; PHP Users