Posted on May 15, 2021 at 2:21 AM
Magecart Hackers Distributing Malicious PHP Web Shells Hidden on Website Favicon
A new report has revealed that cybercriminals are planting malicious PHP web shells disguised as website favicons. The attackers use these PHP backdoors to keep remote access to compromised servers and to inject a JavaScript skimmer into online shopping sites, where it harvests payment card data.
Jerome Segura from Malwarebytes wrote of this development, stating: “These web shells, known as Smilodon or Megalodon, are used to dynamically load JavaScript skimming code via server-side requests into online stores.”
Segura added: “This technique is interesting as most client-side security tools will not be able to detect or block the skimmer.”
Stealing credit card details
The best-known perpetrator of such attacks is Magecart, an umbrella name for several criminal groups that compromise online shopping carts in a technique known as formjacking.
The skimmer is JavaScript code that the attackers inject into an e-commerce site, usually on its checkout or payment pages. Once in place, it captures the card details a customer types into the form in real time and sends them to a server the attackers control.
The latest campaign differs from earlier skimming attacks. Skimmers are normally injected on the client side, as a JavaScript resource that the shopper’s browser loads from an attacker-controlled domain; here the skimmer is inserted on the server side, by the compromised merchant server itself.
The PHP backdoor is disguised as a favicon (a file named “Magento.png”) and is planted on affected sites by altering the shortcut icon tags in the HTML to point to the fake image file. The web shell then fetches the next-stage payload, the card skimmer, from an external host. The skimmer used here resembles an earlier variant dubbed ‘Cardbleed’, which was deployed in an attack in September 2020; the attackers appear to have retooled after that campaign was publicly exposed.
Attack linked to Magecart Group 12
According to Malwarebytes, the attack is attributed to Magecart Group 12 based on an analysis of its tactics, techniques, and procedures. The report adds that “the newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.”
The group’s main objective is stealing payment data. In recent months its operators have used several different attack vectors, which has allowed them to keep skimming data without being detected.
Among the concealment techniques attributed to Magecart actors are hiding the card-stealing code in image metadata and registering IDN homograph (lookalike) domains to serve web skimmers concealed in a site’s favicon file. Stolen data has also been exfiltrated through Telegram and Google Analytics. Magecart has steadily refined its methods for compromising online stores and stealing data.
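IDN homograph domains are worth a concrete check, since the punycode form that appears in DNS, certificates and server logs gives no visual hint that a label is a lookalike. The script below is an added example written for this article, not code from Malwarebytes or from the Magecart actors: it decodes `xn--` labels with Python’s standard `idna` codec, flags labels that mix Unicode scripts, and folds a small hand-picked table of Cyrillic and Greek confusables to a Latin “skeleton” so that a lookalike of a protected brand name is recognised even when every character comes from one script. The confusables table, the protected-brand list and the sample hostnames are constructed assumptions; a production check would use the full Unicode confusables data.

```python
import unicodedata

# Hand-picked confusables (assumption: a deployment would load the full Unicode confusables.txt).
# Keys are Cyrillic / Greek letters that render like the Latin letter they map to.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
    "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u03b9": "i", "\u03bd": "v",
}
# Brand labels an attacker might impersonate (constructed list for the example).
PROTECTED = {"apple", "google", "paypal", "recaptcha", "magento"}

def to_ascii(host: str) -> str:
    """Unicode host -> punycode form, as it appears in DNS, certificates and logs."""
    return host.lower().encode("idna").decode("ascii")

def to_unicode(host: str) -> str:
    """Punycode host (xn--...) -> Unicode; plain ASCII labels and Unicode input pass through."""
    host = host.lower()
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return host  # already Unicode

def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label: str) -> str:
    """Fold confusable letters to their Latin lookalike so Cyrillic 'aррle' becomes 'apple'."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))

def homograph_check(host: str) -> dict:
    """Flag labels that mix scripts or whose skeleton equals a protected brand name."""
    uni = to_unicode(host)
    findings = []
    for label in uni.split("."):
        scripts = scripts_in(label)
        skel = skeleton(label)
        mixed = len(scripts) > 1
        target = skel if (skel != label and skel in PROTECTED) else None
        if mixed or target:
            findings.append({"label": label, "scripts": sorted(scripts),
                             "mixed_script": mixed, "impersonates": target})
    return {"host": host, "unicode": uni, "suspicious": bool(findings), "findings": findings}

if __name__ == "__main__":
    # Constructed samples: Cyrillic a / er in front of Latin "le", and a harmless all-Cyrillic label.
    for sample in (to_ascii("\u0430\u0440\u0440le.com"), "google.com", to_ascii("\u0441\u0430\u0440.ru")):
        print(homograph_check(sample))
```

Note what the check does not cover: plain-ASCII lookalikes such as recaptcha-in[.]pw or google-statik[.]pw contain no non-Latin characters and pass both tests, so they need a separate string-similarity or brand-substring rule. The all-Cyrillic sample is deliberately left unflagged, because a legitimate non-Latin domain should not trip a homograph detector unless its skeleton collides with a name you protect.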
Skimming is among the most lucrative activities for threat actors, and Magecart is not alone in it. North Korea’s state-sponsored Lazarus Group has targeted websites that accept cryptocurrency payments, using malicious JavaScript to steal Bitcoin and Ethereum in a campaign dubbed “BTC Changer” that began in January 2020.
Exfiltration of data from payment pages is a growing problem that website users need to be made aware of. However, some attacks, this server-side skimmer among them, are concealed so well that even experienced web users, and the client-side tools they rely on, cannot spot them.