Cybercriminals targeting obsolete Japanese blogging tool

Cybercriminals are very actively targeting web sites which are not well-managed, so as to abuse them for their malicious activities. Damage to web sites in Japan has increased since last year, which is alarming to Japanese Internet users. Kaspersky Labs Japan has observed more than 2,800 compromised web sites between January and March 2014.

WordPress is a popular blogging tool worldwide, but it is often plagued by vulnerabilities which can result in compromised web sites . A similar Japanese-made tool, “Web Diary Professional” (WDP), also experiences such problems. WDP is widely used in Japan, with its Japanese user interface and tutorials.However, it is no longer supported.

Official EOS announcement of WDP:


A new tool has already been introduced as its successor, and the developers have recommended that people migrate. However, a significant number of web site administrators are still using the obsolete WDP, exposing themselves to the threats of cybercriminals.

I tried a Google search using specific keywords that indicate the possibility that WDP is being used, and found approximately 500,000 web sites (as of April 2014). Of course, not all these web sites are vulnerable, and some may be duplicates. However, from a check of the results (web sites at the top of the search results), most of them used WDP and there were only a few duplicates.

On investigation, almost 80% of the live WDP-based web sites were found to have a problem. Specifically, a file which contains a hash of the password for user authentication could be viewed from the outside. If the password was a simple one, it is very easy to decrypt it using a password cracking tool.

Some web sites with the problem:


The WDP package has a file which contains user account information (user account, password hash and permission). The problem is: anybody can see the file by default.


List of URLs with the hash of administrator passwords:

  • ak********* : J1wmEoM.bkL**
  • ho******** : M8E16gZ2Ewb**
  • ku*********** : I17D74cikmT**
  • sp******************bu/blog/ : aS1WTP.kHtM2**
  • ts******* : N5S6jTCx/jm**
  •*** : M5KnJS9KBGr**
  • www.ed************* : L9axf8TE5Vz**
  •***** : X4YGGUaW3gz**
  • www.ta***** : J7EnglocxcP**
  • www.te**** : B3bgZ6bilnO**

With a password cracking tool, a simple password can be cracked in a very short time.

To see how easy it is to do, let’s take a look at a sample hash produced in my test environment:


Result of password cracking tool shows:


An attacker could get web administrator permission this way.

As the result of an attempt to decrypt the list of password hashes with the tool, 26.61% of the hashes were decrypted into the original passwords in a short time.(3 hours)

  • 1234 (*****
  • 1234 (******
  • 6636 (ts*******
  • 0123 (www.uc*****
  • 0123 (www.yo*********
  • mayu (gc**************
  • 12345 (***********
  • 1122go (www.os*******
  • n24w17 (****
  • kurosaki (ku***********

Once the attacker knows the administrator’s password, he is able to edit the web site as he wishes. Actually, I found several web sites being manipulated. On such web sites, there were spamming tools, files that show messages of attackers, DDoS tools, backdoors, etc. It is easy to assume that these web sites have been abused by someone with malicious intent.

An example of a tampered web site:


An attacker’s message:


DDoS attacking tool:


Backdoor Web shell:


The worst case observed was a sample of a cloud service. Hundreds of web sites seemed to be hosted and were operating on a single server with this service, and a backdoor was installed on one of the web sites. Using this backdoor, an attacker can manipulate other clean web sites on the same server, possibly tampering with them or stealing important data.



Once again, the support for WDP has already been terminated, and the developer has been recommending that its users migrate to the new tool. For those who have some reason to keep using WDP, the developer has kindly introduced a method of enhancing security. In case you are still using the obsolete WDP with your web site or service, it is highly recommended to take measures as soon as possible in order not to become a victim or an unwitting perpetrator.

Kaspersky Lab products detect the set of malicious tools (backdoors, etc.) found in this research as:

  • Backdoor.PHP.PhpShell.*
  • Trojan-Spy.PHP.PhPen.*
  • Backdoor.PHP.C99Shell.*

Cybercriminals targeting obsolete Japanese blogging tool

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox