Hackers found using new evasion technique to reinfect Magento sites with malicious code
Hackers have come up with a new technique to reinfect Magento sites with malicious code and continue stealing data, even after the code has been removed. In April, researchers identified at least 1000 Magento sites that had been hacked by cybercriminals and infected with malicious scripts to steal financial and personal data or deliver additional payloads.
Flashpoint researchers said the sites were being compromised via brute-force attacks using common default Magento credentials. Now, researchers at Sucuri have found hackers attempting to reinfect the websites even after the malicious code has been removed.
Cybercriminals have devised a method of hiding a piece of malicious code, a 'credit card stealer reinfector', that reinfects Magento sites so they can continue their nefarious activities. The reinfector code is hidden inside the default configuration file, config.php, of Magento installs. It is included from the main index.php and is loaded whenever a user visits a page, which ensures that the code is re-injected into multiple files of the website.
“A default config.php file should not be changed by the site owner directly. All the code is added by Magento itself. That is why seeing this code on the file already triggers a warning,” Sucuri researchers said. “The malicious code also obfuscates external links in a way that a simple variable replacement and base64 decoding can read it, but it makes it less obvious for the untrained eye.”
Researchers highlighted the malicious code is often stored on pastebin to “keep their infections more ‘low-profile’ and make detection harder.”
“Looking at all the content stored on pastebin[.]com, we found very common variations of malware that intend to steal passwords and credit card information then send them off to external domains for processing or sale,” researchers noted. They also found that the reinfector code uses an “error_reporting(0)” call to bypass security checks and avoid an accidental error leading to its discovery.
Users have been advised to immediately verify the '/includes/config.php' file on every Magento installation where a compromise is suspected to have taken place.
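A check a site owner could run over a suspect /includes/config.php, written for this article as an added example (it is not Sucuri's or Magento's code): it flags the indicators described above, namely error_reporting(0), base64 decoding, pastebin references and any statement other than define() calls, and decodes base64 string literals so obfuscated external links become readable. The sample file contents and the URL embedded in them are constructed placeholders, and the stock-file lines are only modelled on Magento's define() calls.

```python
import base64
import re

# Constructed sample of a tampered Magento /includes/config.php: the define() lines
# are modelled on the stock file, the tail is a hypothetical injected snippet.
INJECTED_URL = "https://pastebin.example/raw/PLACEHOLDER"  # placeholder, not a real link
SAMPLE_CONFIG = (
    "<?php\n"
    "define('COMPILER_INCLUDE_PATH', dirname(__FILE__) . DIRECTORY_SEPARATOR . 'src');\n"
    "define('COMPILER_COLLECT_PATH', dirname(__FILE__) . DIRECTORY_SEPARATOR . 'stat');\n"
    "error_reporting(0);\n"
    "$_x = '" + base64.b64encode(INJECTED_URL.encode()).decode() + "';\n"
    "$_y = base64_decode($_x);\n"
)

# Indicators the article describes; checked against the raw file and its decoded strings.
SUSPICIOUS = [
    (r"\berror_reporting\s*\(\s*0\s*\)", "error_reporting(0): suppresses errors that would reveal the injection"),
    (r"\bbase64_decode\s*\(", "base64_decode(): decoding in a file that should only contain define() calls"),
    (r"\b(eval|assert|create_function)\s*\(", "dynamic code execution"),
    (r"\b(file_get_contents|curl_init|fopen)\s*\(", "remote fetch from a config file"),
    (r"pastebin\.", "reference to pastebin"),
]
B64_LITERAL = re.compile(r"['\"]([A-Za-z0-9+/]{16,}={0,2})['\"]")

def decode_literals(src):
    """Return the printable UTF-8 text of every base64-looking string literal."""
    texts = []
    for m in B64_LITERAL.finditer(src):
        try:
            text = base64.b64decode(m.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if text.isprintable():
            texts.append(text)
    return texts

def is_expected_line(line):
    """The stock file holds only the PHP tag, comments, blank lines and define() calls."""
    s = line.strip()
    return s == "" or s.startswith(("<?php", "?>", "//", "#", "/*", "*", "define("))

def scan_config(src):
    """Return a list of findings; an empty list means nothing unexpected was seen."""
    decoded = decode_literals(src)
    haystack = src + "\n" + "\n".join(decoded)
    findings = [why for pat, why in SUSPICIOUS if re.search(pat, haystack)]
    findings += [f"obfuscated external link: {t}" for t in decoded if re.match(r"https?://", t)]
    for lineno, line in enumerate(src.splitlines(), 1):
        if not is_expected_line(line):
            findings.append(f"line {lineno}: unexpected statement in config.php")
    return findings
```

Read a suspect file's contents and pass them to scan_config(); any finding means the file contains something Magento itself would not have written, and the decoded links show where the injected code reaches out to.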
“Many times, removing just the infection that you have a main concern about is not enough. You should always assume someone is out there ready to catch you off guard,” researchers added.