A new data-stealing malware has been detected just in time for Christmas and all the related online shopping. It seems that the trend of data stealers directly compromising servers is continuing.
CronRAT is another such server-side malware, which was reported at the end of November. CronRAT hides in the Linux calendar system on a particular, non-existent date, February 31st, whereas this new stealer is targeting Nginx servers. Apparently, e-commerce platforms in the United States, Germany and France (all highly profitable targets) have been under attack.
New Server-Side Magecart Detected in the Wild: NginRAT
The malware has been dubbed NginRAT. According to Sansec’s report, “this novel code injects itself into a host Nginx application and is nearly invisible.” Of course, the purpose is harvesting data from e-commerce servers, a type of attack known as server-side Magecart.
How does NginRAT operate? First, it takes over a host Nginx application and modifies some of its core functionalities to conceal its presence. When the legitimate Nginx server utilizes such functionality, the malware injects itself in the form of a remote access trojan embedded in the Nginx process. It should be noted that there are numerous such processes on a typical e-commerce server. What makes things worse is that the malicious one looks exactly like the others.
So, how can the NginRAT be detected?
“Because NginRAT embeds itself into a legitimate Nginx host process, the standard /proc/PID/exe will point to Nginx, not to the malware. Also, the library code is never written to disk and cannot be examined after its launch. However, the use of LD_L1BRARY_PATH (with typo) may reveal the presence of this particular NginRAT version,” Sansec said.
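A defender-side check built only on the indicators Sansec lists above, added here as an example that is not code from the Sansec report or this article: it walks /proc, keeps processes whose exe link resolves to an nginx binary, and flags any whose environment carries the misspelt LD_L1BRARY_PATH variable. The nginx executable name match and the sample environment blob are assumptions constructed for the example.

```python
import os
from pathlib import Path

# Indicator quoted from the Sansec report: the loader variable is misspelt
# with a digit one ("L1BRARY") in place of the letter I.
SUSPICIOUS_VAR = b"LD_L1BRARY_PATH"

# Constructed sample of a /proc/PID/environ blob (NUL-separated KEY=VALUE),
# used so the parser can be exercised without a live host.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0LD_L1BRARY_PATH=/dev/shm/x.so\0"


def parse_environ(raw: bytes) -> dict:
    """Split a /proc/PID/environ blob into a {key: value} mapping."""
    env = {}
    for item in raw.split(b"\0"):
        if item:  # trailing NUL yields an empty item
            key, _, value = item.partition(b"=")
            env[key] = value
    return env


def suspicious_vars(env: dict) -> list:
    """Return the environment keys matching the NginRAT indicator."""
    return sorted(k.decode(errors="replace") for k in env if k == SUSPICIOUS_VAR)


def is_nginx(pid: int, proc: str = "/proc") -> bool:
    """True if /proc/PID/exe resolves to a binary named nginx (assumed name)."""
    try:
        return Path(os.readlink(f"{proc}/{pid}/exe")).name.startswith("nginx")
    except OSError:  # process gone or not permitted to read the link
        return False


def scan(proc: str = "/proc") -> list:
    """Return (pid, flagged_vars) for nginx processes carrying the indicator."""
    hits = []
    if not os.path.isdir(proc):
        return hits
    for entry in os.listdir(proc):
        if not entry.isdigit() or not is_nginx(int(entry), proc):
            continue
        try:
            raw = Path(f"{proc}/{entry}/environ").read_bytes()
        except OSError:
            continue  # needs root to read other users' environ
        flagged = suspicious_vars(parse_environ(raw))
        if flagged:
            hits.append((int(entry), flagged))
    return hits


if __name__ == "__main__":
    for pid, flagged in scan():
        print(f"pid {pid}: {', '.join(flagged)}")
```

Because environ reflects the variables present at exec time, run the scan as root and treat any hit as a trigger for a memory-level investigation, since the injected library itself never touches disk.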
This is the second such server-side Magecart malware disclosed by security researchers in the last couple of weeks. Considering that it’s the season of gifts, we should definitely be expecting the emergence of more evolved data stealers and skimmers.