- This unnamed malware attempted brute-forcing websites powered by Magento, phpMyAdmin, and cPanel frameworks.
- The Golang-based malware was also complemented with a binary written in Delphi.
Security firm Malwarebytes has spotted a new malware strain making the rounds in the e-commerce space.
Written primarily in Golang version 1.9, this unnamed malware relied on brute-forcing to break into shopping websites. According to the firm's analysis, the affected sites were mostly running Magento. Malicious code was injected into these sites to harvest user information.
- As soon as users entered their address and payment details, the data was exfiltrated to a domain named googletagmanager[.]eu, which is linked to Magecart.
- Part of the Golang malware communicates with these sites, and a second binary written in Delphi complements that communication. The malware was found to be associated with many malicious domains.
- Once launched, the Delphi binary collects system information, beacons it to the C2 servers, and then downloads the malware payload.
- The malware installs itself on the system and begins brute-forcing. During execution, it connects to a rogue IP address and reports that the infected computer is ready for further malicious tasks.
- It likewise infected sites running phpMyAdmin and cPanel.
Why it matters
“Brute force attacks can be quite slow given the number of possible password combinations. For this reason, criminals usually leverage CMS or plugin vulnerabilities instead, as they provide a much faster return on investment. Having said that, using a botnet to perform login attempts allows threat actors to distribute the load onto a large number of workers,” said Jerome Segura, the researcher behind the malware’s analysis.
Therefore, site owners relying on content management systems (CMS) such as Magento are advised to keep their sites updated with the latest security patches.
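Segura's point is that spreading login attempts across many bot workers defeats the usual per-IP lockout, so a defender watching Magento, phpMyAdmin or cPanel login endpoints needs both a per-source and an aggregate view. The following is an added example, not code from Malwarebytes or from the article: it parses web server access log lines in the combined log format, counts POSTs to assumed default login paths (Magento admin URLs are frequently customised, so the path patterns are an assumption), and raises one alert for a single noisy source and another when many low-rate sources hit the same panel within a sliding window. All IPs, timestamps and paths in the sample log are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format (assumed; adjust the regex for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Default login paths of the three targeted applications (assumption; tune per deployment).
LOGIN_ENDPOINTS = {
    "magento-admin": re.compile(r"^/(index\.php/)?admin(/|$)"),
    "phpmyadmin": re.compile(r"^/phpmyadmin(/index\.php)?/?$", re.I),
    "cpanel": re.compile(r"^/login/?$"),
}


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def classify(path):
    """Map a request path to the login panel it belongs to, if any."""
    for name, rx in LOGIN_ENDPOINTS.items():
        if rx.match(path):
            return name
    return None


def login_attempts(lines):
    """Collect (timestamp, ip, app) for every POST to a known login endpoint, sorted by time."""
    attempts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        app = classify(rec["path"])
        if app:
            attempts.append((rec["ts"], rec["ip"], app))
    attempts.sort()
    return attempts


def detect(lines, window_s=300, per_ip_threshold=10, distributed_threshold=30, min_sources=5):
    """Return alerts for single-source and distributed brute-force activity per login panel."""
    by_app = defaultdict(list)
    for ts, ip, app in login_attempts(lines):
        by_app[app].append((ts, ip))
    alerts = []
    for app, events in by_app.items():
        start, flagged_ips, dist_flagged = 0, set(), False
        for end in range(len(events)):
            # Slide the window start forward until every event fits inside window_s.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            per_ip = defaultdict(int)
            for _, ip in window:
                per_ip[ip] += 1
            # Classic single-source brute force: one IP crosses the per-IP threshold.
            for ip, n in per_ip.items():
                if n >= per_ip_threshold and ip not in flagged_ips:
                    flagged_ips.add(ip)
                    alerts.append({"type": "single-source", "app": app, "ip": ip, "attempts": n})
            # Distributed brute force: many sources, each staying under the per-IP threshold.
            if (not dist_flagged and len(window) >= distributed_threshold
                    and len(per_ip) >= min_sources
                    and max(per_ip.values()) < per_ip_threshold):
                dist_flagged = True
                alerts.append({"type": "distributed", "app": app,
                               "sources": len(per_ip), "attempts": len(window)})
    return alerts


def make_line(ip, ts, method, path, status=302):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


def build_sample_log():
    """Constructed sample log: one noisy source, one distributed campaign, some benign traffic."""
    t0 = datetime(2019, 2, 10, 12, 0, 0, tzinfo=timezone.utc)
    lines = [make_line("192.0.2.7", t0, "GET", "/index.php/admin/", 200),
             make_line("192.0.2.7", t0, "POST", "/checkout/", 200)]
    # Single source hammering the Magento admin login once per second.
    lines += [make_line("203.0.113.10", t0 + timedelta(seconds=i), "POST", "/index.php/admin/")
              for i in range(12)]
    # Forty distinct bot workers, one attempt each, against phpMyAdmin every two seconds.
    lines += [make_line(f"198.51.100.{i + 1}", t0 + timedelta(minutes=5, seconds=2 * i),
                        "POST", "/phpmyadmin/index.php") for i in range(40)]
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The distributed rule deliberately requires that no single IP has crossed the per-IP threshold, so the two alert types do not double-report the same event; in production the thresholds should be set from a baseline of legitimate admin traffic, and the alert should carry the window's source list so the IPs can be fed to a blocklist.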