Magento has been targeted once again by new malware that is capable of self-healing. This process is possible thanks to hidden code in the targeted website’s database. The researcher who came across the new malware pattern is Jeroen Boersma. However, Willem de Groot is the one who analyzed it.
This malware strain is not the first to place hidden code in a website’s database but is indeed the first one written in SQL as a stored procedure, as explained by researchers.
Typical JavaScript-based malware is injected into the static header or footer HTML definitions stored in the website's database. Cleaning those records used to be enough to get rid of this type of malware. Unfortunately, that procedure will not work against the newly discovered threat: in short, the new malware can restore itself after it has been deleted.
How is an attack carried out?
The trigger is executed every time a new order is placed. Its query checks whether the malicious code is still present in the header, the footer, the copyright text and every CMS block. If the code is absent, the trigger re-inserts it.
This discovery shows that a new phase of malware evolution has begun. Simply scanning files is no longer enough; malware detection methods must also include database analysis, the researchers add.
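One way to put that database analysis into practice, as an added example that is not the researchers' scanner: a Python audit that reads trigger definitions from MySQL's information_schema.TRIGGERS and flags any trigger that writes into the tables holding header, footer or CMS block HTML. The Magento table names (core_config_data, cms_block, cms_page, sales_*) and the sample rows are assumptions and constructed fixtures, not taken from the article.

```python
"""Audit MySQL triggers for the self-healing pattern described above."""
import re

# Run this against the live store database; information_schema.TRIGGERS
# exposes every trigger's body (assumed standard MySQL view).
TRIGGER_QUERY = """
SELECT TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, ACTION_STATEMENT
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = DATABASE()
"""

# Assumed Magento tables that store rendered HTML (header/footer config,
# CMS blocks and pages). A trigger that writes to them is a red flag.
CONTENT_TABLES = {"core_config_data", "cms_block", "cms_page"}
WRITE_RE = re.compile(r"\b(UPDATE|INSERT\s+INTO|REPLACE\s+INTO)\s+`?(\w+)`?", re.I)
SCRIPT_RE = re.compile(r"<script|javascript:|eval\(|fromCharCode", re.I)


def suspicious_triggers(rows):
    """Return (trigger_name, reasons) for triggers that look like injected code.

    rows: iterable of (name, event, table, action_statement) tuples, i.e. the
    columns returned by TRIGGER_QUERY.
    """
    findings = []
    for name, event, table, body in rows:
        reasons = []
        written = {m.group(2).lower() for m in WRITE_RE.finditer(body)}
        hit = sorted(written & CONTENT_TABLES)
        if hit:
            reasons.append("writes to content table(s) " + ", ".join(hit))
        if SCRIPT_RE.search(body):
            reasons.append("body contains script markup")
        if hit and table.lower().startswith("sales_"):
            reasons.append(f"fires on {event} of {table} (order activity)")
        if reasons:
            findings.append((name, reasons))
    return findings


# Constructed fixture standing in for the query's result set: one benign
# reporting trigger and one that rewrites block HTML on every order.
SAMPLE_ROWS = [
    ("sales_order_stats", "INSERT", "sales_order",
     "BEGIN UPDATE report_stats SET orders = orders + 1; END"),
    ("trg_restore", "INSERT", "sales_order",
     "BEGIN UPDATE cms_block SET content = CONCAT(content, "
     "'<script src=\"EXAMPLE\"></script>'); END"),
]

if __name__ == "__main__":
    for name, reasons in suspicious_triggers(SAMPLE_ROWS):
        print(name, "->", "; ".join(reasons))
```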
Magento platforms are often targeted by malware. This new instance harvests customers' payment card data and is also capable of preserving itself for an unspecified period of time.
Willem de Groot (the researcher who analyzed the malware) has updated his malware scanner, which contains a collection of rules and samples for detecting Magento malware. Website owners can now run a sweep to make sure everything is in order on their platforms.
Last year Magento websites were targeted by ransomware known as KimcilWare. The threat encrypted web server files and dropped its own index file on victimized servers; the .kimcilware extension could be seen all over the index page.