UPDATED 10:34 EST / OCTOBER 11 2023

SECURITY

New Magecart malware concealment tactics, hiding inside web status page

The malware group behind Magecart continues to be on the cutting edge of hiding in plain sight.

A report this week from Roman Lvovsky, an Israeli security researcher at Akamai Technology,  demonstrates three obfuscation techniques that have been recently spotted by their telemetry. Magecart has been operating for years infecting various e-commerce websites, most notably those running Magento and WooCommerce. These new methods have targeted sites run by food and other retailers.

Magecart’s operators have a three-stage workflow that is shown in the diagram below. This makes it harder to detect and neutralize, since many code scanners won’t immediately flag the injected code. The workflow also makes it easier to hide the full attack infrastructure and command servers, thereby prolonging the attack.

Magecart attack

The malware uses the loader stage to directly insert its code into the web server’s pages. Subsequent stages are used to steal data, such as customer credit card numbers and passwords.

One of the techniques is novel and hasn’t been seen before, at least according to Lvovsky. “It really surprised us,” he wrote in his post.

The first-stage loader is disguised as a Meta Pixel piece of code, a legitimate Facebook visitor and advertising tracking service that’s employed widely. The piece of code easily eludes malware scanning tools.

What makes this technique dangerous is that later stages appear to summon the 404 error page of a bad URL location. Although these pages are frustrating and seen often by web visitors, this page carries a hidden piece of the malware. “It was initially confusing and made us wonder if the skimmer was no longer active on the victim websites we found,” he wrote.

But a thorough search through the 404 code found the actual attack processes hidden in a comment string. What Lvovsky found was that the attacker had alerted the default 404 error page script so that any website error would bring up the infected page. This is quite clever and shows that it can be accessed by a variety of tools used by Magecart operators to conclude their attacks and steal data.

One of the reasons for Magecart’s staying power is that its operators are continuously evolving their attack methods, becoming more sophisticated and dangerous in finding better evasion methods. Perhaps now users will examine even their error pages for potential threat sources.

Image:MaxPixel, Akamai

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU