A follower, who is by the way a sysadmin or a jack of all trades, said on a Saturday night that he had a malware sample for analysis and that anyone willing to analyze it should drop him a DM. I did. I got a zip containing some logs, a poorly deobfuscated PHP script and the original PHP script with the code “obfuscated”.
A description of StealRAT can be found here.
I have to note two things, though. The mails were sent in March 2014, which is a long time after the first detection. That means one of two things: either someone came back from the dead, or some people never properly cleaned their infected servers. If the latter is true and you don’t know whom to blame, then stick with your admin.
The site was running Joomla 2.5. I don’t know how they managed to get in because I have no logs, but if you have any Joomla 2.5 installations, check that their core and plugins are patched against known vulnerabilities. I don’t think this is a 0day, though.
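The post does not show how the script was obfuscated or how the poor deobfuscation went wrong, so here is an added example of mine (not the post's, the sample's, or any project's code) of the static approach I would take on a zip like this: peel the generic `eval(decoder(...('literal')))` chains that PHP droppers and spam mailers typically use, without ever executing the PHP, then flag indicators on the unwrapped source and walk a web root to find more copies. The decoder set, the indicator list and the two-layer sample dropper are all assumptions constructed for this example; they are not StealRAT signatures or the real sample.

```python
"""Static triage of obfuscated PHP droppers/mailers (added example, not the
post's or the sample's code). Decoders, indicators and the constructed
two-layer sample are assumptions, not StealRAT signatures."""
import base64
import codecs
import os
import re
import tempfile
import zlib

# PHP decode idioms commonly nested inside eval() (assumed list), mapped to
# the equivalent Python operation so the payload can be recovered offline.
DECODERS = {
    "base64_decode": lambda b: base64.b64decode(b),
    "gzinflate": lambda b: zlib.decompress(b, -15),   # raw DEFLATE, no header
    "gzuncompress": lambda b: zlib.decompress(b),     # zlib-wrapped stream
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
    "strrev": lambda b: b[::-1],
}

# Matches: eval( f1( f2( ... 'literal' ) ... ) );  with f1..fn from DECODERS.
EVAL_CHAIN = re.compile(
    r"eval\s*\(\s*((?:(?:" + "|".join(DECODERS) + r")\s*\(\s*)+)"
    r"(['\"])(.*?)\2\s*\)+\s*;",
    re.DOTALL,
)

def unwrap_layers(src: str, max_layers: int = 10):
    """Replace each eval(decoder chain('literal')) with its decoded payload,
    repeating for nested layers. Returns (source, layers_peeled)."""
    layers = 0
    while layers < max_layers:
        m = EVAL_CHAIN.search(src)
        if not m:
            break
        names = re.findall(r"[a-z0-9_]+", m.group(1))   # outermost first
        data = m.group(3).encode("latin-1")
        try:
            for name in reversed(names):                 # PHP runs innermost first
                data = DECODERS[name](data)
        except (ValueError, zlib.error):
            break                                        # unknown encoding: keep what we have
        src = src[:m.start()] + data.decode("latin-1") + src[m.end():]
        layers += 1
    return src, layers

# Heuristic indicators (assumed); each is checked on raw and unwrapped source.
INDICATORS = [
    ("eval", r"\beval\s*\("),
    ("decoder", r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    ("preg_replace /e", r"\bpreg_replace\s*\(\s*['\"](?:[^'\"\\]|\\.)*?/[a-zA-Z]*e[a-zA-Z]*['\"]"),
    ("request input", r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\s*\["),
    ("mail()", r"\bmail\s*\("),
]

def scan_source(src: str):
    """Return the indicator names found in src or in its unwrapped payload."""
    plain, layers = unwrap_layers(src)
    hits = [name for name, pat in INDICATORS
            if re.search(pat, src) or re.search(pat, plain)]
    if layers:
        hits.append(f"{layers} eval layer(s) unwrapped")
    return hits

def scan_tree(root: str, min_hits: int = 2):
    """Walk a web root and report PHP files with at least min_hits indicators."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".php", ".phtml", ".inc")):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as fh:
                hits = scan_source(fh.read().decode("latin-1"))
            if len(hits) >= min_hits:
                findings.append((os.path.relpath(path, root), hits))
    return findings

def build_sample() -> str:
    """Constructed two-layer dropper: eval(base64_decode(str_rot13(...))) hiding
    eval(gzinflate(base64_decode(...))) hiding a mail() call. Not the real sample."""
    inner = "mail($_POST['to'], $_POST['subj'], $_POST['body']);"
    raw_deflate = zlib.compress(inner.encode())[2:-4]   # strip zlib header/adler32 -> gzinflate input
    layer1 = "eval(gzinflate(base64_decode('%s')));" % base64.b64encode(raw_deflate).decode()
    rot = codecs.encode(base64.b64encode(layer1.encode()).decode(), "rot_13")
    return "<?php\n/* innocent-looking header */\neval(base64_decode(str_rot13('%s')));\n" % rot

def demo():
    """Plant a clean file and the constructed dropper in a temp web root, scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "images"))
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php echo 'hello'; ?>")
        with open(os.path.join(root, "images", "th.php"), "w") as fh:  # hidden in an upload dir
            fh.write(build_sample())
        return scan_tree(root)

if __name__ == "__main__":
    for path, hits in demo():
        print(path, hits)
    print(unwrap_layers(build_sample())[0])
```

Run it against a real web root with `scan_tree("/var/www/site")`; the unwrapper stops (and reports how many layers it got through) as soon as it meets an encoding it does not know, which is exactly the point at which a manual decode in a sandbox takes over.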
Anyway, the deobfuscated source can be found here.