Stealthy Magecart malware mistakenly leaks list of hacked stores

Stealthy Magecart malware mistakenly leaks list of hacked stores


A list of dozens of online stores hacked by a web skimming group was inadvertently leaked by a dropper used to deploy a stealthy remote access trojan (RAT) on compromised e-commerce sites.


The threat actors use this RAT for maintaining persistence and for regaining access to the servers of hacked online shops.


Once they connect to the stores, the attackers deploy credit card skimmer scripts that steal and exfiltrate customers' personal and financial data in digital skimming attacks (also known as Magecart).


Sleepy rats in online shop servers


Researchers at Sansec, a security company focused on protecting e-commerce stores from web skimming attacks, said that the malware was delivered in the form of a 64-bit ELF executable with the help of a PHP-based malware dropper.


To evade detection and hinder analysis, the unnamed RAT is designed to camouflage itself as a DNS or an SSH server daemon so that it doesn't stand out in the server's process list.


The malware also runs in sleep mode almost throughout the day, only waking up once per day early in the morning, at 7 AM, to connect to its command-and-control server and ask for commands.



RAT connecting to the C2 server (Sansec)

RAT samples harvested by Sansec from several compromised servers have been compiled by the threat actors behind these attacks on both Ubuntu and Red Hat Linux.


"This may indicate that multiple people were involved in this campaign," Sansec says in a report published earlier today.


"Or, for example, that the RAT source code is publicly available, and possibly for sale on ..