Adrian Hada
ATI Security Researcher

XAttacker–New Web Exploit Tool Found in the Wild

November 14, 2017 by Adrian Hada

Staying on top of new threats is one of the main points of threat intelligence. To this end, when we see new exploits or tools that we can't identify, we quickly set out to find out more about them.

While doing a daily honeypot investigation I came across some traffic attempting to upload a shell called "XAttacker.php". Since this tool was unknown to me, I quickly used Google to see what kind of info I could find. This lead me to the tool's GitHub page:


The tool was uploaded to GitHub on November 7th and already has seven stars and three forks at the time of writing. Its purpose is simple exploitation of different PHP-based CMS platforms – Wordpress, Joomla, Drupal, PrestaShop, and Lokomedia according to the exploits listed on the GitHub page:



The list seems to include 66 different exploits to be used against the various systems. The tool itself is written in Perl and the sources are readily available for anyone planning to reuse this script.

To further convince the audience, the GitHub page links to a YouTube video showing the tool in action against different websites. Interestingly, the YouTube video is dated October 11th and there are plenty of requests for the source to be opened in the comments section.



There is further advertising of it on Twitter and Facebook:



So, the author seems to have created this tool sometime in October, did a quick demo and then released it for public use in November. Our honeypots first picked it up on November 2nd.

Capabilities are not highly advanced but sufficient for any willing hacker's needs. The tool itself does defacement or shell upload for Wordpress, Joomla and PrestaShop.


 Lokomedia is targeted via SQL injection, leading to MySQL version leakage, database credential dumping, some form of password cracking with a known list of hashes, as well as admin panel detection.


In the case of Drupal, it reuses an older exploit to add an administrator account to the system. The exploit code itself is hosted on a fixed server and used to target the vulnerable website.


Using Google dorks, I tried to identify potentially-infected websites and managed to find a couple of hits:


However, further requests for these did not reveal the backdoor. This could be because of disinfection or simply because someone decided to modify the original source code – the vanilla shell checks for an authentication parameter and value before offering the shell to the visitor. A willing attacker could easily customize this combination so that they would be more difficult to detect.

What the attackers currently using this tool are planning is unknown to us at the moment. However, there is somebody already trying to profit from this tool – in a more surprising manner than one might expect. This guy has picked up the toolkit and is peddling it for Bitcoin on Youtube:




The scale of exploitation currently done using this tool seems to be limited. At the moment, we are only counting a handful of attacks from a couple of IPs. However, given that there are over 100 people following each of these two YouTube accounts and over 200 followers on the Twitter account of the toolkit author, this number could increase soon. As a result, we are releasing this information to help defenders stay one step in front of any attackers. This will help make the Internet a safer place for all.

Customers of Ixia’s ThreatARMOR are protected against such attacks thanks to our monitoring of remote actors as they attempt to exploit the Internet. BreakingPoint customers have access to both new and old in-the-wild exploits, via the ATI Subscription.