A web skimming group has inadvertently leaked a list of dozens of online stores it had compromised. The list was embedded in the dropper the group used to deploy a custom RAT (Remote Access Trojan) on the hacked e-commerce servers. The criminals use this RAT to maintain persistence and to regain access to the servers of shops they compromised in digital skimming (MageCart) attacks.
Once connected to a store's server, the attackers deploy credit card skimmer scripts that steal and exfiltrate customers' personal and payment data.
Researchers at Sansec (a security company that protects e-commerce stores from MageCart attacks) report that the RAT is delivered as a 64-bit ELF executable by a PHP-based dropper.
To hinder analysis and detection, the unnamed RAT is designed to camouflage itself as a DNS or SSH server daemon so that it does not stand out in the server's process list. Another notable feature is that it stays dormant all day: it wakes up once a day, at 7 am, connects to its command-and-control server and waits for commands. Because the disguise is only in the process name, comparing each such process with the path of the real daemon binary, and looking for outbound connections that recur at the same minute every day, are the two obvious checks.
Sansec harvested RAT samples from several compromised servers; the threat actors had compiled them on both Red Hat Linux and Ubuntu.
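As an added example (not code from Sansec's report or from the RAT itself), the following Python hunts for the two behaviours described above on a Linux host: a process whose name claims to be an SSH or DNS daemon but whose executable is not the real daemon binary (or was unlinked from disk, or runs from a writable path such as the web root), and an outbound connection that recurs exactly once a day at the same minute. The trusted daemon paths, the process records and the flow-log format are assumptions constructed for the example; the live check reads `/proc` and your own connection logs.

```python
"""Hunt for a daemon-impersonating implant with a once-a-day beacon.

Added example, not Sansec's code.  Two checks:
  1. a process whose name (comm) claims to be sshd/named but whose executable
     is not the real daemon binary, was deleted, or runs from a writable path;
  2. an outbound (src, dst, port) that connects exactly once per day at the
     same hour:minute on several days, i.e. a fixed-time beacon.
Process records and log lines below are constructed sample data.
"""
import os
import re
from collections import defaultdict
from datetime import datetime

# Executables each daemon name may legitimately resolve to.  Assumption for the
# example; take the values from your own distribution's package lists.
TRUSTED_EXE = {
    "sshd": {"/usr/sbin/sshd"},
    "named": {"/usr/sbin/named"},
    "systemd-resolve": {"/usr/lib/systemd/systemd-resolved"},
}
WRITABLE_PREFIXES = ("/tmp/", "/dev/shm/", "/var/tmp/", "/var/www/")


def suspicious_processes(procs):
    """procs: iterable of (pid, comm, exe).  Returns [(pid, comm, [reasons])]."""
    hits = []
    for pid, comm, exe in procs:
        if comm not in TRUSTED_EXE:
            continue                      # only names that claim to be a trusted daemon
        reasons = []
        path = exe.replace(" (deleted)", "")
        if exe.endswith(" (deleted)"):
            reasons.append("executable unlinked from disk")
        if path not in TRUSTED_EXE[comm]:
            reasons.append(f"unexpected executable {path}")
        if path.startswith(WRITABLE_PREFIXES):
            reasons.append("runs from a writable location")
        if reasons:
            hits.append((pid, comm, reasons))
    return hits


def read_proc():
    """Collect (pid, comm, exe) for every process on a live Linux host."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")   # needs root for other users' processes
        except OSError:
            continue
        procs.append((int(pid), comm, exe))
    return procs


# Constructed flow-log format: "YYYY-MM-DD HH:MM:SS src -> dst:port"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+)$")


def daily_beacons(lines, min_days=3):
    """Return [((src, dst, port), (hour, minute))] for pairs that connect exactly
    once per day, at the same minute, on at least min_days days."""
    per_pair = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            per_pair[(m["src"], m["dst"], m["port"])].append(ts)
    flagged = []
    for key, stamps in per_pair.items():
        by_day = defaultdict(list)
        for ts in stamps:
            by_day[ts.date()].append(ts)
        if len(by_day) < min_days or any(len(v) != 1 for v in by_day.values()):
            continue
        minutes = {(v[0].hour, v[0].minute) for v in by_day.values()}
        if len(minutes) == 1:
            flagged.append((key, minutes.pop()))
    return flagged


SAMPLE_PROCS = [                      # constructed
    (412, "sshd", "/usr/sbin/sshd"),
    (1377, "sshd", "/tmp/.x/sshd (deleted)"),
    (1401, "named", "/var/www/html/pub/named"),
    (2200, "php-fpm7.4", "/usr/sbin/php-fpm7.4"),
]
SAMPLE_LOG = """\
2020-12-10 07:00:02 10.0.0.5 -> 203.0.113.7:443
2020-12-11 07:00:03 10.0.0.5 -> 203.0.113.7:443
2020-12-12 07:00:01 10.0.0.5 -> 203.0.113.7:443
2020-12-10 09:15:44 10.0.0.5 -> 198.51.100.20:443
2020-12-10 14:02:10 10.0.0.5 -> 198.51.100.20:443
2020-12-11 09:15:50 10.0.0.5 -> 198.51.100.20:443
2020-12-12 09:15:49 10.0.0.5 -> 198.51.100.20:443
"""

if __name__ == "__main__":
    for hit in suspicious_processes(SAMPLE_PROCS):
        print("process", hit)
    for key, hm in daily_beacons(SAMPLE_LOG.splitlines()):
        print("beacon", key, "at %02d:%02d daily" % hm)
```

The process check only catches an implant that spoofs its name (via `argv[0]` or `prctl`) while its real executable lives elsewhere; a kernel-level rootkit that lies in `/proc` defeats it, so pair it with the network check and with an out-of-band look at the filesystem. The beacon check treats the minute as the key because the report gives a fixed hour, not an interval; widen the grouping if you expect jitter.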
“This may indicate that multiple people were involved in this campaign,” Sansec says in a report published earlier today.
“Or, for example, that the RAT source code is publicly available, and possibly for sale on dark web markets.”
The hackers used a fairly advanced RAT as a backdoor into the compromised e-commerce servers, but the MageCart group also made a rookie mistake: it included a list of the hacked online stores in the dropper's code.
Sansec got hold of the attackers' RAT dropper and found that, besides the usual malicious code, it contained a list of 41 compromised stores, used to parse the deployment settings for the various MageCart scripts.
This could be explained by the dropper having been written by someone with much less PHP experience than C experience; as Sansec notes:
“It uses shared memory blocks, which is rarely used in PHP but is much more common in C programs.”
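The two dropper traits the report mentions, shared-memory calls in PHP and an embedded 64-bit ELF payload, are both cheap to look for in a static sweep of a web root. The following Python is an added example, not the dropper or Sansec's tooling: it flags PHP's System V shared-memory, semaphore and `shmop` functions, and base64-decodes any long encoded run to see whether it starts with an ELF header. The PHP snippet and the fake ELF blob are constructed for the example and are not the real dropper's code.

```python
"""Static triage of PHP files for two dropper traits the report describes:
shared-memory calls (rare in PHP, common in C) and an embedded 64-bit ELF.

Added example, not the dropper or Sansec's tooling.  The PHP snippet and the
fake ELF blob below are constructed for the example.
"""
import base64
import binascii
import os
import re

# System V shared memory / semaphore and shmop functions exposed by PHP.
SHM_CALLS = re.compile(
    r"\b(shmop_(?:open|read|write|delete|close|size)"
    r"|shm_(?:attach|detach|put_var|get_var|remove)"
    r"|sem_(?:get|acquire|release))\s*\("
)
# A long unbroken base64 run: candidate for an encoded binary.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def elf_class(blob):
    """32 or 64 if blob starts with an ELF header, else None."""
    if len(blob) < 5 or blob[:4] != b"\x7fELF":
        return None
    return {1: 32, 2: 64}.get(blob[4])


def triage_php(src):
    """Return [(line_no, kind, detail)] findings for one PHP source text."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        for m in SHM_CALLS.finditer(line):
            findings.append((lineno, "shared-memory call", m.group(1)))
        for m in B64_RUN.finditer(line):
            try:
                blob = base64.b64decode(m.group(0), validate=True)
            except binascii.Error:
                continue                  # not valid base64 (e.g. bad length)
            cls = elf_class(blob)
            if cls is not None:
                findings.append((lineno, f"embedded ELF{cls} payload", f"{len(blob)} bytes"))
    return findings


def scan_tree(root):
    """Run triage_php over every .php file under root; returns {path: findings}."""
    results = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    hits = triage_php(f.read())
                if hits:
                    results[path] = hits
    return results


# Constructed: ELF magic + ELFCLASS64, padded with zeros; not a runnable binary.
FAKE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57
SAMPLE_PHP = """<?php
$shm = shmop_open(0xff3, "c", 0644, 1024);  // constructed dropper-like snippet
$bin = base64_decode("%s");
file_put_contents("/tmp/.d/sshd", $bin);
chmod("/tmp/.d/sshd", 0755);
""" % base64.b64encode(FAKE_ELF).decode()

if __name__ == "__main__":
    for lineno, kind, detail in triage_php(SAMPLE_PHP):
        print(f"line {lineno}: {kind} ({detail})")
```

Run `scan_tree("/var/www")` on a suspect host to get findings per file. A shared-memory call is an oddity rather than proof of compromise, and a dropper can split or re-encode its payload so that no single base64 run decodes to an ELF header, so treat both as triage leads to be confirmed by reading the file.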
Sansec has also reached out to the online stores listed in the dropper's code to let them know that their servers have been compromised.
Over the past couple of months, Sansec researchers have discovered several MageCart skimmers and malware samples that use novel tactics to evade detection or to maintain persistence.
Last week, Sansec reported a credit card stealer script, still active on three separate stores at the time, that hides in plain sight by embedding itself in the CSS code of the compromised sites, which lets it evade conventional methods such as manual code audits and automated security scanners. The company has also recently found web skimming malware camouflaged as SVG social media buttons, and a credit card stealer bundled with a persistent backdoor that makes it very hard to remove.
Source: BleepingComputer