Magecart Mistakenly Spilled the Beans on its Recent Attack

A Magecart skimming group has recently hacked dozens of online stores to deploy an unnamed RAT on compromised e-commerce sites. The advanced RAT was used as a backdoor to hack into e-commerce servers. However, the group made one simple mistake by adding a list of hacked online stores inside its dropper's code, leaking the entire secret.


What has been discovered?

The unnamed RAT is being used by the Magecart group for persistency and regaining access to servers of compromised online shops. Upon infection, the attackers deploy the skimming code that could steal the customers’ personal and financial information.
  • The RAT was propagated in the form of a 64-bit ELF executable by using a PHP-based malware dropper. The RAT can evade detection by camouflaging itself as a DNS or an SSH server daemon.
  • In addition, the malware runs in sleep mode throughout the day, only waking up once per day at 7 AM in the morning. It is done by connecting with the command-and-control server and asking for commands.
  • RAT samples revealed that multiple compromised servers were compiled by the threat actors to target Ubuntu and Red Hat Linux. This indicates that multiple people were involved in these attacks.


Rookie mistake

To err is human. 
  • Upon analysis, along with the usual malicious code used for deployment setups in various Magecart scripts, the PHP dropper’s code revealed a list of 41 compromised stores. 
  • Using this list, researchers were able to reach out to the targeted online stores and inform them that their servers have been infiltrated.


Conclusion

Web-skimmer operators are getting innovative and frequently using new and evolving techniques, making them harder to detect. Thus, experts suggest using client-side application security solutions to regularly monitor all the scripts on the website and scan for suspicious behavior such as digital skimming and Magecart attacks.