The Latest in IT Security

GetMama – Conditional malware affecting thousands of sites


We have been tracking an interesting piece of malware that is affecting thousands of compromised sites. We call it GetMama!!

Why conditional? Because instead of just displaying the malicious code to all the visitors of the web site, it connects back to its command and control server to find out what to do. It also sends back to the attackers the IP address, user agent and referrer of the person visiting the compromised site, so the command and control can determine if it should display the malicious content or not.

It also only displays the malicious content once a day per IP address and only to Windows users.

Why GetMama? Well, that's what the malware authors named their own function (see the sample at the bottom of the post).


Those are the command and control IP addresses. I recommend checking for traffic to these IP addresses and blocking them if possible:

For every request to the compromised sites, there will also be a random call to one of those. The called URL would look something like


This is the final decoded malware that gets executed on the compromised sites. For every request, it connects back to the attackers to determine what to do. The action could be to inject malware into the site, run a command on the server (it also acts as a backdoor) or to do nothing.


Note that the malware will not look like that (all pretty) on the compromised site. It can be encoded like this:

$VDNjO60q6FJNnaRjb6MS3d5d= array('7920','7937','7916','7927');$eVlnlmOOZXsWOJTjjxwj=
$X7ry2SBupAHs89a1Fj06AYlUg2RO3VPSS6hKOI548Dm =

As you can see, it's not using any of the normal "eval ( base64_decode" calls that webmasters are used to looking for. This malware has also evolved and it can be hidden in different ways.
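
Because the encoded form avoids the usual eval/base64_decode signature, a webroot scan has to key on other traits. The sketch below is an added example, not code from the original post: it flags PHP source that combines long random-looking variable names with arrays of quoted numeric strings, as in the fragment above. The thresholds, the looks_random heuristic and the function names are assumptions for illustration, and a hit is a lead for manual review, not proof of infection.

```python
import os
import re

# Variable names of 20+ characters, as in the encoded fragment quoted on the page.
LONG_VAR = re.compile(r"\$([A-Za-z_][A-Za-z0-9_]{19,})\b")
# array('7920','7937',...): three or more quoted, all-digit strings.
NUM_ARRAY = re.compile(
    r"array\s*\(\s*(?:['\"]\d+['\"]\s*,\s*){2,}['\"]\d+['\"]\s*\)", re.I)
# The classic pattern the post says webmasters already look for.
CLASSIC = re.compile(r"eval\s*\(\s*base64_decode", re.I)


def looks_random(name):
    """Assumed heuristic: upper + lower + digits and no underscore."""
    return (any(c.islower() for c in name) and any(c.isupper() for c in name)
            and any(c.isdigit() for c in name) and "_" not in name)


def scan_php(source):
    """Return the obfuscation traits found in one PHP source string."""
    random_vars = sorted({v for v in LONG_VAR.findall(source) if looks_random(v)})
    numeric_arrays = len(NUM_ARRAY.findall(source))
    classic = bool(CLASSIC.search(source))
    return {
        "random_vars": random_vars,
        "numeric_arrays": numeric_arrays,
        "classic_eval_base64": classic,
        # Flag the classic pattern, or random names combined with numeric arrays.
        "suspicious": classic or (bool(random_vars) and numeric_arrays > 0),
    }


def scan_tree(root):
    """Yield (path, report) for every suspicious .php file under root."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    report = scan_php(fh.read())
                if report["suspicious"]:
                    yield path, report


# First statement of the encoded fragment quoted on the page (straight quotes).
ENCODED = "<?php $VDNjO60q6FJNnaRjb6MS3d5d= array('7920','7937','7916','7927');"
# Constructed benign sample for comparison.
BENIGN = "<?php $user_count = count($users); $ids = array(1, 2, 3); echo $user_count;"

if __name__ == "__main__":
    print(scan_php(ENCODED))
    print(scan_php(BENIGN))
```

Run scan_tree against a copy or read-only mount of the webroot and compare hits with a known-good copy of the site's files.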

We will post more details as we learn more about it.
