The PHP-based web shell malware passes itself off as a favicon (“Magento.png”), with the malware inserted into compromised websites by tampering with the shortcut icon tags in the HTML code so that they point to the fake PNG image file. This web shell, in turn, is configured to retrieve the next-stage payload from an external host: a credit card skimmer that shares similarities with another variant used in the Cardbleed attacks last September, suggesting the threat actors modified their toolset following public disclosure.
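A defender-side check for the favicon trick described above, as an added example that is not code from the original article or from Malwarebytes: it pulls every icon link out of a page's HTML and verifies, by content rather than by file extension, that the referenced file really is a PNG (leading magic bytes) and not a PHP file. The HTML and file contents below are constructed sample data; the path `/media/Magento.png` only reuses the file name mentioned in the article, and the PHP content is a harmless stand-in.

```python
from html.parser import HTMLParser

# A real PNG always starts with this 8-byte signature.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


class IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel list contains 'icon'
    (this matches both rel="icon" and rel="shortcut icon")."""

    def __init__(self):
        super().__init__()
        self.icon_hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":          # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        rel_tokens = a.get("rel", "").lower().split()
        if "icon" in rel_tokens and a.get("href"):
            self.icon_hrefs.append(a["href"])


def extract_icon_links(html):
    """Return the href of every icon <link> in document order."""
    parser = IconLinkParser()
    parser.feed(html)
    return parser.icon_hrefs


def classify_icon_file(data):
    """Classify a file by its bytes: 'png', 'php' or 'unknown'."""
    if data.startswith(PNG_MAGIC):
        return "png"
    if b"<?php" in data or b"<?=" in data:
        return "php"
    return "unknown"


def audit_favicons(html, files):
    """Flag icon links whose file content is PHP, or whose .png extension
    is not backed by a PNG signature. `files` maps href -> raw bytes
    (in practice read from the web root or fetched from the site)."""
    findings = []
    for href in extract_icon_links(html):
        data = files.get(href)
        if data is None:
            continue                       # nothing to inspect
        kind = classify_icon_file(data)
        if kind == "php":
            findings.append((href, "php-content"))
        elif href.lower().endswith(".png") and kind != "png":
            findings.append((href, "png-extension-mismatch"))
    return findings


# Constructed sample page: one legitimate PNG favicon, one .ico favicon,
# and one icon tag tampered to point at a PHP file named like an image.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/styles.css">
<link rel="icon" type="image/png" href="/skin/frontend/favicon.png">
<link rel="shortcut icon" href="/favicon.ico">
<LINK REL="Shortcut Icon" HREF="/media/Magento.png">
</head><body></body></html>"""

# Constructed file contents keyed by href.
SAMPLE_FILES = {
    "/skin/frontend/favicon.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",
    "/favicon.ico": b"\x00\x00\x01\x00",                     # ICO header, legitimately not PNG
    "/media/Magento.png": b"<?php /* constructed stand-in, not a real web shell */ ?>\n",
}

if __name__ == "__main__":
    for href, reason in audit_favicons(SAMPLE_HTML, SAMPLE_FILES):
        print(f"suspicious favicon: {href} ({reason})")
```

The `.ico` entry shows why the check keys off content rather than "not a PNG": a genuine `favicon.ico` is not a PNG either and must not be flagged. In a real audit you would read each href from the document root (or fetch it with the site's own base URL) and also compare the icon tags against a known-good copy of the theme template, since the tampering happens in the HTML as well as on disk.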
Malwarebytes attributed the latest campaign to Magecart Group 12 based on overlaps in the tactics, techniques, and procedures employed, adding that “the latest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.”
Operating with the primary intention of capturing and exfiltrating payment data, Magecart actors have embraced a wide range of attack vectors over the past several months to stay under the radar, avoid detection, and plunder data. From hiding card stealer code inside image metadata and carrying out IDN homograph attacks to plant web skimmers hidden inside a website’s favicon file, to using Google Analytics and Telegram as exfiltration channels, the cybercrime syndicate has intensified its efforts to compromise online stores.