Server-side requests to malicious domain conceal malware from endpoint security tools
UPDATED Novel credit card skimming malware that easily evades client-side detection has been deployed against e-commerce sites running unsupported versions of Magento, security researchers have found.

The campaign has been attributed to Magecart Group 12, since it uses infrastructure previously linked to the group and the new malware is disguised as a favicon – an image file containing a brand logo displayed on browser tabs.

The new strain, which has the file name ‘Magento.png’, gains a foothold on target websites via a PHP web shell, unlike similar favicon-imitating skimmers that hide malicious JavaScript code.

End of the line

Jérôme Segura, lead malware threat intelligence analyst at Malwarebytes, told The Daily Swig that his team detected the malware on “a few dozen sites” running Magento 1, “which was enough to see a pattern”.

The latest and final Magento 1 version is still estimated to power nearly 53,000 e-commerce sites, almost 11 months after Adobe discontinued support for the release line.

Magecart 12 threat actors were also blamed for a wave of attacks in September 2020 that leveraged another innovative skimmer, dubbed ‘Ant and Cockroach’ by RiskIQ, and affected nearly 3,000 domains running Magento 1.


The prolific group has also been credited with the use of a decoy Cloudflare library and the covert installation of cryptocurrency miners on vulnerable websites.

“One aspect that we still aren't quite sure about is whether they are directly implicated in the compromise of websites,” said Segura. “It's quite possible that they buy access to sites where shells have been uploaded already.”

Sneaking through server-side

Magecart-style attacks traditionally use web injections to deploy JavaScript code on Magento websites and exfiltrate payment card information from customers.

According to a blog post published by Segura last week, the Magento.png attack uses PHP web shells called ‘Smilodon’ or ‘Megalodon’ to dynamically inject JavaScript skimming code into the target site.

Requests to the malicious domain are done server-side, circumventing detection or blocking by client-side security tools.


The “domain/IP database approach” commonly deployed to thwart conventional client-side skimming attacks would not work against the new malware “unless all compromised stores were blacklisted, which is a catch-22 situation”, reads the blog post.

An alternative approach, inspecting the DOM in real time and detecting when malicious code has been loaded, is “more effective, but also more complex and prone to false positives”, added Segura.

Faulty PHP script

Magento.png “attempts to pass itself as ‘image/png’ but does not have the proper PNG format for a valid image file”, he continued.

Vulnerable sites are compromised “by replacing the legitimate shortcut icon tags with a path to the fake PNG file.”

However, Segura noted that “in its current implementation this PHP script won’t be loaded properly”.
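The two properties described above, a favicon that is declared as ‘image/png’ but carries no valid PNG structure, and shortcut icon tags that have been repointed at such a file, are cheap for a site owner to check from the outside. The script below is an added example (not code from the article, Malwarebytes or the Magento project): it pulls icon `<link>` tags out of a page, then verifies that whatever those tags point at really starts with the PNG signature and a well-formed IHDR chunk, and flags bodies that contain PHP open tags instead. The HTML snippet, the fake favicon body and the `/media/` path are constructed samples; the `fetch` callable stands in for an HTTP client so the example runs offline.

```python
"""Triage check: is the favicon a site advertises really a PNG?

Added example, not from the article. All sample data below is constructed.
"""
import re
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Deliberately simple tag/attribute matching (double-quoted attributes only),
# which is adequate for a triage script over a store's front page.
LINK_TAG_RE = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w[\w-]*)\s*=\s*"([^"]*)"')


def extract_icon_hrefs(html: str) -> list:
    """Return href values of <link> tags whose rel attribute names an icon."""
    hrefs = []
    for tag in LINK_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        rel_tokens = attrs.get("rel", "").lower().split()
        # Covers rel="icon" as well as the legacy rel="shortcut icon".
        if "icon" in rel_tokens and "href" in attrs:
            hrefs.append(attrs["href"])
    return hrefs


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png() -> bytes:
    """Constructed 1x1 opaque RGB PNG used as the 'legitimate favicon' sample."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)  # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte 0 + one red pixel
    return (PNG_SIGNATURE + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


def is_valid_png_header(data: bytes) -> bool:
    """True if data starts with the PNG signature and a well-formed IHDR chunk."""
    if not data.startswith(PNG_SIGNATURE) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return False
    chunk_data = data[16:29]
    stored_crc = struct.unpack(">I", data[29:33])[0]
    return (zlib.crc32(b"IHDR" + chunk_data) & 0xFFFFFFFF) == stored_crc


def contains_php_markers(body: bytes) -> bool:
    """An image file should never carry a PHP open tag."""
    return b"<?php" in body or b"<?=" in body


def assess_favicon(content_type: str, body: bytes) -> str:
    """Classify a fetched favicon as 'ok', 'not-png' or 'php-in-image'."""
    if contains_php_markers(body):
        return "php-in-image"
    mime = content_type.split(";")[0].strip().lower()
    if mime == "image/png" and not is_valid_png_header(body):
        return "not-png"
    return "ok"


def triage_page(html: str, fetch) -> dict:
    """Map each icon href on the page to a verdict.

    fetch(href) must return (content_type, body); it is injected so the
    check can run against a real HTTP client or, as here, canned responses.
    """
    return {href: assess_favicon(*fetch(href)) for href in extract_icon_hrefs(html)}


# Constructed page: one genuine icon, one icon tag repointed at a fake PNG.
SAMPLE_HTML = """<html><head>
<link rel="shortcut icon" href="/skin/frontend/base/default/favicon.ico">
<link rel="icon" type="image/png" href="/media/Magento.png">
<link rel="stylesheet" href="/skin/frontend/base/default/css/styles.css">
</head></html>"""

# Constructed responses; the 'fake' body is inert PHP standing in for a web shell.
CANNED_RESPONSES = {
    "/skin/frontend/base/default/favicon.ico": ("image/png", build_minimal_png()),
    "/media/Magento.png": ("image/png", b"<?php /* constructed stand-in */ ?>"),
}


def demo_fetch(href: str):
    return CANNED_RESPONSES[href]


if __name__ == "__main__":
    for href, verdict in triage_page(SAMPLE_HTML, demo_fetch).items():
        print(f"{verdict:13s} {href}")
```

The verdict order matters: PHP markers are checked before the PNG header, so a file that has a forged PNG signature prepended to PHP source is still reported as `php-in-image` rather than passing as a valid image. In a scheduled job, `demo_fetch` would be replaced by a real HTTP client, and any `not-png` or `php-in-image` verdict on a store's own icon path is worth treating as a possible server-side compromise rather than a mere content-type misconfiguration.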

Some sites infected “already had an existing skimmer in place,” the researcher told The Daily Swig. “The PHP shell could have been triggered in a number of ways and we did find it odd that it was tied to the favicon. In previous attempts we had seen malicious JavaScript loaded inside the favicon placeholder which made sense, but this PHP wasn't meant to work the same way.

“Nevertheless, this campaign gave us some good insights into what the malware can do and what potentially lies ahead. As defenders are blocking web skimming infrastructure at a rapid pace, it makes sense to perform skimming and data exfiltration out of the client-side scope where security products work.”

Segura also urged online merchants to keep their stores “up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers place in them”.

According to a scan of Magento websites performed by cybersecurity firm Foregenix in July 2020, a few days after vendor support was discontinued, 79.6% of malware-infected domains were running Magento 1.

This article was updated with comments from Jérôme Segura of Malwarebytes on May 17
