Home > Cyber News > Self-Healing Malware Discovered, Magento Websites Attacked

Self-Healing Malware Discovered, Magento Websites Attacked

Magento has been targeted once again by new malware that is capable of self-healing. This process is possible thanks to hidden code in the targeted website’s database. The researcher who came across the new malware pattern is Jeroen Boersma. However, Willem de Groot is the one who analyzed it.

This malware strain is not the first to place hidden code in a website’s database but is indeed the first one written in SQL as a stored procedure, as explained by researchers.

As a matter of fact, the average Javascript-based malware is typically injected in the static header or footer HTML definitions in the website’s database. Cleaning these records used to be enough to get rid of this type of malware. Unfortunately, this procedure won’t do the job with the newly discovered threat. Shortly said, the new malware can restore itself once it has been deleted.

How is an attack carried out?

The trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.

This discovery shows that a new phase of malware evolution has begun. Unfortunately, simply scanning files is not enough anymore, as malware detection methods should include database analysis, researchers add.

Magento platforms are often targeted by malware. The new instance is typically capable of harvesting user card information, but is also capable of preserving itself for unspecified period of time.

Willem de Groot (the researcher who analyzed the malware) has updated the malware scanner which contains a collection of rules and samples to detect Magento malware. Website owners can now do a sweep to make sure everything is alright with their platforms.

Last year Magento websites were targeted by ransomware known as KimcilWare. The threat encrypted webserver files and added its index file on victimized servers. The extension .kimcilware could be seen all over the Index page.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree