WordPress malware finds WooCommerce sites for Magecart attacks

May 16, 2020

WordPress malware finds WooCommerce sites for Magecart attacks

Image: Erik Mclean

Researchers at website security firm Sucuri have discovered a new WordPress malware used by threat actors to scan for and identify WooCommerce online shops with a lot of customers to be targeted in future Magecart attacks.

WooCommerce is an open-source WordPress plugin with over 5 million active installs and designed to make it easy to run e-commerce sites that can be used to "sell anything, anywhere."

Attacking WooCommerce online stores is not something new as shown by previous attacks that were attempting to hack into online stores by brute-forcing admin passwords with the end goal of harvesting credit cards (also known as Magecart attacks), as detailed by Sanguine Security's Willem de Groot two years ago.

Buggy plugins used to hack e-shops

To hack into WooCommerce-based webshops and drop this new malware, the hackers are taking advantage of security vulnerabilities found in other WordPress plugins.

By exploiting these flaws, they will be able to get access to the e-store's internal structure, discover if the site is using the WooCommerce platform, and subsequently collect and exfiltrate info about the WooCommerce installation to attacker-controlled servers.

"It’s important to note that by default, the WooCommerce plugin does not store payment card data — attackers can’t simply steal sensitive payment details from the WordPress database," Sucuri malware researcher Luke Leal explains.

The malware is installed in the form of a malicious PHP script as part of the post-exploit stage that follows the successful compromise of a vulnerable WordPress site.

Extracting database credentials
Extracting database credentials (Sucuri)

This script is used for scanning for other WordPress targets, to connect to their databases, and query them for WooCommerce information.

It also extracts MySQL database credentials that will allow it to access the compromised store's WordPress database and run SQL queries designed to collect WooCommerce-specific information including the store's total number of orders and payments.

Magecart reconnaissance

While Sucuri did not detail what this information can be used for, the malware operators can use the stolen order and payment information to decide if it's worth deploying skimmers specifically designed to target WooCommerce e-shops.

This would allow them to focus their 'efforts' on online stores that receive a lot of traffic and orders and avoid wasting their time on e-commerce stores that are either inactive or don't have a lot of customers.

One such Magecart campaign targeting only WooCommerce stores was observed by Sucuri one month ago, with the credit card thieves being observed while injecting a dedicated JavaScript-based card-skimmer that harvested credit card numbers and card security codes (CVVs).

Deploying backdoors
Deploying backdoors (Sucuri)

The WordPress malware will also deploy three backdoors on infected websites, something that can be very useful if the attackers ever decide to come back an deploy a web skimmer.

"This malware is a great example of attackers leveraging unauthorized access to determine new, potential targets within compromised hosting environments," Leal concluded.

"It also demonstrates how cross-site contamination can occur creating multiple backdoors in directories outside of the current infected website directory."

Read the original article and additional information at Cyware Social