Magento credit card stealer Reinfector allows reinfect sites with malicious code

Cybercriminals used the ‘credit card stealer reinfector’ to reinfect the websites and continue to steal personal and financial data.

Researchers at Sucuri reported crooks are using a very simple evasion technique to reinfect Magento websites after their malicious code has been removed.

Cybercriminals have devised a method to hide the malicious code, the ‘credit card stealer reinfector’, used to reinfect the websites and continue to steal personal and financial data.

The credit card stealer reinfector is hidden inside the default configuration file (config.php) of Magento installs, it is included on the main index.php and is loaded with every page visited by the users, this process ensures that the code is re-injected into multiple files of the website.

Researchers highlighted that the config.php file is automatically configured during the installation of the Magento instance and usually administrators or website owners don’t change it.

“This code is a prime candidate for infections once it is included right on the main index.php, loading at every page.” reads the analysis published by the experts.

“On the first block, we have a function called “patch” that writes content into a file (patching it). This function is then called to write externally obtained content into specific files related to the payment process or user control:

/app/code/core/Mage/Payment/Model/Method/Cc.php

/app/code/core/Mage/Payment/Model/Method/Abstract.php

/app/code/core/Mage/Customer/controllers/AccountController.php

/app/code/core/Mage/Customer/controllers/AddressController.php

/app/code/core/Mage/Admin/Model/Session.php

/app/code/core/Mage/Admin/Model/Config.php

/app/code/core/Mage/Checkout/Model/Type/Onepage.php

/app/code/core/Mage/Checkout/Model/Type/Abstract.php

The malicious code also obfuscates external links in a way that a simple variable replacement and base64 decoding can read it”

The malicious code was stored on Pastebin, this choice allows attackers to remain under the radars.

Experts pointed out that the reinfector code they analyzed is able to bypass security scanners.

“The mechanism the attackers add “error_reporting(0);”is very interesting. It avoids any error leading to the discovery of the infection.” states the post.

The patch() function is used to inject the malicious code for stealing confidential information into Magento files, it uses 4 arguments (The path of a folder, the name of a file stored in that path needs to be infected, file size that is used to check if it is necessary to reinfect the given file, a new file name to be created, and the remote URL from which the malicious code will be downloaded.

Experts noticed that the base64_decode() function is split in multiple parts to evade detection from security scanners.

“As a rule of thumb, on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified quickly. We advise you to do it first thing. Many times, removing just the infection that you have a main concern about is not enough. You should always assume someone is out there ready to catch you off guard.” conclude the researchers.

“For Magento infections like this one, you can use our step-by-step guide on how to identify a hack and clean a compromised Magento site.”

Pierluigi Paganini

FAIR USE NOTICE: Under the "fair use" act, another author may make limited use of the original author's work without asking permission. Pursuant to 17 U.S. Code § 107, certain uses of copyrighted material "for purposes such as criticism, comment, news reporting, teaching (including multiple copies for classroom use), scholarship, or research, is not an infringement of copyright." As a matter of policy, fair use is based on the belief that the public is entitled to freely use portions of copyrighted materials for purposes of commentary and criticism. The fair use privilege is perhaps the most significant limitation on a copyright owner's exclusive rights. Cyber Defense Media Group is a news reporting company, reporting cyber news, events, information and much more at no charge at our website Cyber Defense Magazine. All images and reporting are done exclusively under the Fair Use of the US copyright act.

Global InfoSec Awards 2022

We are in our 10th year, and these awards are incredibly well received – helping build buzz, customer awareness, sales and marketing growth opportunities, investment opportunities and so much more.

APPLY NOW

10th Anniversary Exclusive Top 100 CISO Conference & Innovators Showcase

X