R4gn4r0 Mailer is a simple PHP script used to send bulk email from compromised WordPress sites. It offers email address filtering, mass mailing and blacklist checking, and is essentially a clone of LeafMailer.
The malware is commonly found uploaded as a file named wp-active2.php.
Simple login form; the password is hard-coded in the script:


Email filter:

Mass mailer:

The source code is nearly identical to LeafMailer; it appears someone simply added colors and translated the interface into Spanish.
Emails mentioned inside the source code: [email protected] [email protected] [email protected]
IP address known to have used this script: 45.91.20.96
45.91.20.96 - - [27/Sep/2022:23:14:58 +0200] "POST /wp-active2.php HTTP/2.0" 200 10884 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:15:01 +0200] "POST /wp-active2.php HTTP/2.0" 200 131315 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:16:08 +0200] "POST /wp-active2.php HTTP/2.0" 200 22514 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:17:05 +0200] "POST /wp-active2.php HTTP/2.0" 200 32377 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:17:21 +0200] "POST /wp-active2.php HTTP/2.0" 200 32377 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:17:28 +0200] "POST /wp-active2.php HTTP/2.0" 200 15952627 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:23:41 +0200] "POST /wp-active2.php HTTP/2.0" 200 45077 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:23:47 +0200] "POST /wp-active2.php HTTP/2.0" 200 36430158 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
45.91.20.96 - - [27/Sep/2022:23:30:53 +0200] "POST /wp-active2.php HTTP/2.0" 200 45077 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36"
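The log excerpt above is what a defender actually has to work with, so here is a small detector for it. It is an added example, not code from the post or from the mailer itself: it parses Apache/nginx combined-format access log lines, keeps only successful POST requests to the file name the post associates with the mailer (the SUSPECT_PATHS set is an assumption you extend with whatever names you see), and summarises hits per client IP with the request count, total response bytes and first/last timestamps. The sample lines are constructed for the example, modelled on the excerpt above; the hostnames and the non-attacker IPs are fictitious.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Assumed file names for the mailer; extend with the names observed on your own hosts.
SUSPECT_PATHS = {"/wp-active2.php"}

# Constructed sample input, modelled on the access log excerpt in the post.
# somedomain.rs and the two non-mailer IPs are placeholders, not real observations.
SAMPLE_LOG = """\
45.91.20.96 - - [27/Sep/2022:23:14:58 +0200] "POST /wp-active2.php HTTP/2.0" 200 10884 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0"
203.0.113.5 - - [27/Sep/2022:23:15:00 +0200] "GET /index.php HTTP/2.0" 200 5120 "-" "Mozilla/5.0"
45.91.20.96 - - [27/Sep/2022:23:17:28 +0200] "POST /wp-active2.php HTTP/2.0" 200 15952627 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0"
45.91.20.96 - - [27/Sep/2022:23:23:47 +0200] "POST /wp-active2.php HTTP/2.0" 200 36430158 "https://somedomain.rs/wp-active2.php" "Mozilla/5.0"
198.51.100.7 - - [27/Sep/2022:23:24:10 +0200] "GET /wp-active2.php HTTP/2.0" 404 312 "-" "curl/7.85.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_mailer_activity(log_text):
    """Summarise successful POSTs to suspect paths, keyed by client IP.

    A 404 probe for the file or a plain GET is not counted: the signal the post
    shows is repeated 200 responses to POST, with response sizes growing into
    the megabytes as the mailer returns its output.
    """
    hits = defaultdict(lambda: {"count": 0, "bytes": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or rec["path"] not in SUSPECT_PATHS or rec["status"] != 200:
            continue
        h = hits[rec["ip"]]
        h["count"] += 1
        h["bytes"] += rec["size"]
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
    return dict(hits)


if __name__ == "__main__":
    for ip, h in find_mailer_activity(SAMPLE_LOG).items():
        print(f"{ip}: {h['count']} POSTs, {h['bytes']} bytes, {h['first']} .. {h['last']}")
```

Run it against a real access log with `find_mailer_activity(open("access.log").read())`. Any IP that appears in the result is worth a look, and the file it posted to should be pulled from the webroot and compared against the LeafMailer hallmarks described above before it is removed.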