/ TitanHQ Blog
/ Stealthy Magecart Malware Mistakenly Leaks List of Hacked Stores
Posted by Trevagh Stankard on Thu, Mar 25th, 2021
A remote access trojan (RAT) gives attackers full control of a computer, but even sophisticated malware attackers make mistakes sometimes. In a recent ongoing cyber-incident where attackers hacked multiple Magecart servers, the RAT installed on a remote host gave clues to researchers that allowed them to identify every hacked server targeted in this specific campaign.
Advanced Persistent Threats and RATs
Most eCommerce site owners know about malware and the implications of leaked administrator credentials, but they don’t have the tools in place to detect RATs. A RAT installed on a server allows an attacker to stay persistent on the eCommerce store and collect data indefinitely either until the site owner makes changes that interrupts the RAT’s functionality or until an expert finds the malware.
Using RATs, attackers can potentially have access to servers for months and collect all customer information sent to the site including financial data and private customer information. It’s an effective way for attackers to silently eavesdrop on data without the site owner or user finding out.
In this particular attack, the RAT installed credit card skimmers to siphon credit card information from the site and send it to an attacker-controlled server. Any customer who entered credit card information into a hacked site would have been vulnerable to identity theft without and evidence that data was taken as they submit it to the Magecart server.
Even Sophisticated Hackers Make Mistakes
Sophisticated attacks are difficult for small site owners to detect, and it’s why this particular attack targeted small Magecart sites. The attacker had a collection of compromised servers included in code. Including the compromised sites was a mistake for the attacker. When one site was investigated and code reviewed, researchers could then identify and notify ever other site owner of the breach.
What made this RAT difficult to detect is that it would stay silent on the server until the early morning where it would connect to a remote command server where attackers could give the malware instructions. It also stayed hidden by masquerading as an important DNS service deamon, so an untrained administrator would think it was a legitimate service and leave it running. The running daemon is important for the malware to connect to a remote server and allow attackers to send it commands throughout the day.
The “Magecart skimmers” worked similarly to a credit card skimmer used at gas station pumps. As users entered information, it would be sent to the ecommerce site, but a copy of the information would also be sent to an attacker-controlled server. It’s not confirmed if sites communicated with each other, but all sites compromised were included in any code injected into future compromised server code.
How Can Site Owners Protect Their Ecommerce Stores?
Malware installed on ecommerce servers often persist for months. Small site owners rarely have any monitoring tools installed, and they rarely review their site code for anything suspicious. This leaves site owners vulnerable to losing hundreds or thousands of customer records to attackers and losing their reputation and customer trust after the incident is disclosed.
To top these attacks, site owners must stay offensively aware of cybersecurity issues. The first step is to avoid being a victim of a phishing attack, which is usually the traditional way administrator credentials are stolen and attackers can install malware. Email filters that detect phishing attacks will stop these malicious email messages from reaching site administrator inboxes, which reduces phishing risks.
Phishing attacks are often the start of a successful compromise, even for large companies. Some administrators choose to change the main administrator account to their own unique account name so that scripts and phishing administrator credentials would be unable to gain access unless the attacker can successfully phish for credentials.
The next step is to install monitoring services. Every large cloud provider offers monitoring services that can be used to detect suspicious activity, installations, non-standard daemons allowing incoming connections, and altered code. Although site owners might need the help of experts to remove an APT, monitoring services will still let administrators know a compromise is in action.
The final solution is to regularly review code for any strange additions. Administrators can manually monitor files on the server to detect any newly added executables or unknown application files. In this attack, PHP files were added to the server, and these files contained the malicious code executed on the Magecart server. With a trained eye, these files can be detected and removed before malware can install and steal data.
Avoid becoming a victim of a harmful malware attack with the help of TitanHQ. SpamTitan Email Protection filters all emails for potential malware and threats. View SpamTitan Demo.