A list of dozens of online stores compromised by a web-skimming group was leaked by accident through the installer for the group's remote access trojan (RAT).
Attackers plant RATs on e-commerce sites to maintain persistence and regain access to compromised servers after the initial foothold is cleaned up. Once inside an online store, they deploy skimming scripts that steal customers' personal and payment card data, the pattern of attack known as Magecart.
According to researchers at the security firm Sansec, the malware is delivered as a 64-bit ELF executable by an installer written in PHP. To evade detection and analysis, the RAT masquerades as a DNS or SSH server daemon so that it does not stand out in the server's process list. For most of the day the malware sleeps, waking only once, at 7 am, to contact its C&C server and fetch commands.
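A process that renames itself after sshd or named still has to be executed from somewhere, and on Linux /proc/&lt;pid&gt;/exe points at the real binary even when the process name and argv have been forged. The following script is an added example (not Sansec's code and not the malware) of that check: it compares each process's claimed name against the on-disk path it actually runs from and flags anything that runs from an unexpected location or from a deleted file. The expected daemon paths and the sample process records are constructed assumptions for a typical Linux host.

```python
"""Flag processes that claim to be a DNS or SSH daemon but run from the wrong binary.

Added example, not the original page's or Sansec's code. The expected paths
below are assumptions for a typical Linux host; adjust them to your distro.
"""
import os
from dataclasses import dataclass
from typing import List, Optional

# Where the genuine daemons normally live (assumed; check your distribution).
EXPECTED_BINARIES = {
    "sshd": {"/usr/sbin/sshd", "/usr/bin/sshd"},
    "named": {"/usr/sbin/named", "/usr/bin/named"},
    "dnsmasq": {"/usr/sbin/dnsmasq"},
    "systemd-resolve": {"/usr/lib/systemd/systemd-resolved"},
}


@dataclass
class Proc:
    pid: int
    comm: str            # name the process reports via /proc/<pid>/comm (forgeable)
    exe: Optional[str]   # target of the /proc/<pid>/exe link, None if unreadable
    cmdline: str         # argv joined with spaces (also forgeable)


def check_process(p: Proc) -> Optional[str]:
    """Return a finding for a suspected masquerader, or None if it looks genuine."""
    expected = EXPECTED_BINARIES.get(p.comm)
    if expected is None:
        return None  # not one of the daemon names we watch
    if p.exe is None:
        return f"pid {p.pid}: claims to be {p.comm} but /proc/{p.pid}/exe is unreadable"
    if p.exe.endswith(" (deleted)"):
        return f"pid {p.pid}: {p.comm} is running from a deleted file {p.exe}"
    if p.exe not in expected:
        return f"pid {p.pid}: {p.comm} executes from unexpected path {p.exe}"
    return None


def scan(procs: List[Proc]) -> List[str]:
    """Run check_process over every record and keep only the findings."""
    return [r for r in (check_process(p) for p in procs) if r]


def read_live_procs() -> List[Proc]:
    """Collect Proc records from /proc on a running Linux host (needs root for all exe links)."""
    out = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited between listing and reading
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel thread, or no permission to read the link
        out.append(Proc(pid, comm, exe, cmdline))
    return out


# Constructed sample input: two genuine daemons and two impostors.
SAMPLE = [
    Proc(812, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    Proc(913, "named", "/usr/sbin/named", "/usr/sbin/named -u bind"),
    Proc(4471, "sshd", "/var/www/html/media/.cache/sshd", "sshd"),
    Proc(4472, "named", "/dev/shm/.x/named (deleted)", "named"),
]


if __name__ == "__main__":
    import sys
    procs = read_live_procs() if "--live" in sys.argv else SAMPLE
    for finding in scan(procs):
        print(finding)
```

Run it without arguments to see the two constructed impostors flagged, or with `--live` as root to scan the host. The exe link is only a first filter: an attacker with root can hide better than this, and a well-behaved daemon started from a custom path will show up as a false positive until its path is added to the table. Pair it with a look at outbound connections around the reported 7 am beacon window, which is the other behaviour the page describes.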
Despite the sophistication of the malware, the criminals made one mistake: they embedded the list of compromised online stores in the installer code. The researchers reverse-engineered the installer and found a list of 41 compromised sites.
Because the installer uses shared-memory blocks, a construct that is unusual in PHP but common in C, its author appears to have little PHP experience. That inexperience may explain why the list of compromised sites ended up in the installer code at all.
The researchers contacted the owners of the stores on the list and notified them of the compromise.