A New Self-Healing Malware Targets Online Shops

Security researchers have found a new malware strain targeting online shops running on Magento, one of the most popular e-commerce platforms. What sets this malware apart from others is that it can self-heal using code hidden in the website's database.

According to the researchers, this is not the first web malware to hide code in a website's database, but it is the first written in SQL, as a database procedure.

How does it work? Whenever a customer places an order, the malware starts executing: the malicious database trigger runs before the Magento platform has even put together the PHP and assembled the page, according to a blog post by Willem de Groot, the researcher who analysed the malware discovered by Jeroen Boersma.

The query, he says, checks for the presence of the malware in the footer, the header, the copyright block and every CMS block. If it finds nothing, the malware re-adds itself.

“The discovery shows us that we have entered a new phase of this malware evolution. Just scanning files is barely enough anymore; the latest malware detection methods should now include database analysis as well,” de Groot writes.
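As an added illustration (not code from the researchers, from Magento or from the malware itself), the following Python script builds a constructed in-memory SQLite fixture that mimics the behaviour described above: a trigger on the orders table that re-writes CMS block content whenever an order is placed, with a harmless marker string standing in for any real payload. It then performs the kind of database analysis de Groot calls for: enumerating triggers and flagging those that write to content or configuration tables, and scanning CMS block HTML for injected script. The table and column names (`sales_order`, `cms_block`, `identifier`, `content`) follow Magento's schema; the trigger names, the marker string and the detection patterns are assumptions for the example. On MySQL the trigger listing comes from `information_schema.TRIGGERS` instead of `sqlite_master`.

```python
import re
import sqlite3

# Tables that hold page content or configuration; a trigger on the orders
# table has no legitimate reason to rewrite them on every purchase.
CONTENT_TABLES = ("cms_block", "cms_page", "core_config_data")

# Markers that should not appear inside shop-managed CMS HTML or trigger bodies
# (assumed patterns for this example, not a complete signature set).
INJECTION_MARKERS = re.compile(
    r"<script|base64_decode|eval\(|String\.fromCharCode", re.IGNORECASE
)


def build_sample_db():
    """Constructed in-memory fixture (not real Magento data): an orders table,
    a CMS block table, one benign audit trigger and one trigger that mimics the
    self-healing behaviour from the article using a harmless marker string."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE sales_order (entity_id INTEGER PRIMARY KEY, increment_id TEXT);
        CREATE TABLE order_log (entity_id INTEGER, note TEXT);
        CREATE TABLE cms_block (block_id INTEGER PRIMARY KEY, identifier TEXT, content TEXT);
        INSERT INTO cms_block VALUES (1, 'footer_links', '<ul><li>Shipping</li></ul>');
        INSERT INTO cms_block VALUES (2, 'copyright',
            '<p>Copyright 2017</p><script>/* constructed-sample-marker */</script>');

        -- Benign trigger: bookkeeping on a non-content table.
        CREATE TRIGGER order_audit AFTER INSERT ON sales_order
        BEGIN
            INSERT INTO order_log VALUES (NEW.entity_id, 'order placed');
        END;

        -- Constructed stand-in for the malicious trigger: fires on every new
        -- order and re-adds the marker to any CMS block that lost it.
        CREATE TRIGGER sales_order_ai AFTER INSERT ON sales_order
        BEGIN
            UPDATE cms_block
               SET content = content || '<script>/* constructed-sample-marker */</script>'
             WHERE content NOT LIKE '%constructed-sample-marker%';
        END;
    """)
    return conn


def list_triggers(conn):
    """Return (name, table, definition) for every trigger in the database.
    SQLite keeps them in sqlite_master; on MySQL the equivalent query is
    SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT
    FROM information_schema.TRIGGERS."""
    rows = conn.execute(
        "SELECT name, tbl_name, sql FROM sqlite_master WHERE type = 'trigger'"
    )
    return [(name, tbl, sql) for name, tbl, sql in rows]


def suspicious_triggers(conn):
    """Names of triggers that write to content/config tables or carry injection markers."""
    flagged = []
    for name, _tbl, body in list_triggers(conn):
        low = body.lower()
        writes_content = any(
            re.search(rf"\b(insert\s+into|update|replace\s+into)\s+`?{table}\b", low)
            for table in CONTENT_TABLES
        )
        if writes_content or INJECTION_MARKERS.search(body):
            flagged.append(name)
    return flagged


def injected_blocks(conn):
    """Identifiers of CMS blocks whose HTML contains an injection marker."""
    rows = conn.execute("SELECT identifier, content FROM cms_block ORDER BY block_id")
    return [ident for ident, content in rows if INJECTION_MARKERS.search(content or "")]


def clean_blocks(conn):
    """Content-only cleanup: strip the injected script from CMS blocks but leave triggers alone,
    which is what a file- or content-focused scanner would do."""
    conn.execute(
        "UPDATE cms_block SET content = replace(content, "
        "'<script>/* constructed-sample-marker */</script>', '')"
    )
    conn.commit()


def place_order(conn, increment_id):
    """Simulate a customer checkout; the triggers fire on this insert."""
    conn.execute("INSERT INTO sales_order (increment_id) VALUES (?)", (increment_id,))
    conn.commit()


if __name__ == "__main__":
    db = build_sample_db()
    print("suspicious triggers:", suspicious_triggers(db))  # ['sales_order_ai']
    print("infected blocks:", injected_blocks(db))          # ['copyright']
    clean_blocks(db)
    print("after cleanup:", injected_blocks(db))            # []
    place_order(db, "100000001")
    print("after next order:", injected_blocks(db))         # ['footer_links', 'copyright']
```

The last two steps are the point of the article: cleaning the content alone looks successful until the next order fires the trigger, after which every block carries the marker again. Only `suspicious_triggers`, which inspects the database's own trigger definitions, reveals the component that needs to be dropped.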

The malware affecting these Magento stores can steal customers' card information, which puts a lot of people at risk. The SQL part of the code, meanwhile, makes sure the malware survives on the platform for as long as possible.

Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told Softpedia that, excluding highly sophisticated targeted attacks, almost all modern malware can be detected quite easily and quickly when used in watering-hole attacks on popular websites. Detection of their malware, however, means a loss of profit for the attackers.

“Therefore, it’s quite predictable that they start using more and more sophisticated techniques to prevent website owners, administrators, and visitors from detecting the fact of the breach and malware infection.”
