So, if you have already cleaned up your hacked Magento website, there are chances your website is still leaking login credentials and credit card details of your customers to hackers.
More than 250,000 online stores use open-source Magento e-commerce platform, which makes them an enticing target for hackers, and therefore the security of both your data and your customer data is of the utmost importance.
According to the researchers at Sucuri, who have previously spotted several Magento malware campaigns in the wild, cybercriminals are currently using a simple yet effective method to ensure that their malicious code is added back to a hacked website after it has been removed.
To achieve this, criminals are hiding their 'credit card stealer reinfector' code inside the default configuration file (config.php) of Magento website, which gets included on the main index.php and loads with every page view, eventually re-injecting the stealer code into multiple files of the website.
Since config.php file gets automatically configured while installing Magento CMS, usually it is not recommended for administrators or website owners to change the content of this file directly.
Here's How Magento's Reinfector Code Works
Hackers have added 54 extra lines of code in the default configuration file. Here below, I have explained the malicious reinfector code line-by-line, shown in the screenshots, written inside the default config.php file.
At line no. 27, attackers set error_reporting() function to false in an attempt to hide errors messages that could reveal the path of the malicious module to site admins.
From line no. 31 to 44, there's a function called patch() that has been programmed to append the malicious code for stealing confidential information into legitimate Magento files.
This patch() function uses 4 arguments, values of which defines the path of a folder, name of a specific file resides in that path needs to be infected, file size required to check if it is necessary to reinfect the given file, a new file name to be created, and a remote URL from where the malicious code will be downloaded in real-time and injected into the targeted file.
From line 50 to 51, attackers have smartly split up the base64_decode() function in multiple parts in order to evade detection from security scanners.
The line 52 includes a base64 encoded value that converts to "https://pastebin.com/raw/" after getting decoded using the function defined in line 50-51.
The next four sets of variables from line 54 to 76 define the four values required to pass arguments to the patch() function mentioned above.
The last line of each set includes a random eight character value that concatenated with the link variable encoded in line 52, which eventually generates the final URL from where the patch() function will download the malicious code hosted on remote Pastebin website.
From line 78 to 81, attacker finally executes patch() function four times with different values defined in line 54-76 to reinfect website with the credit card stealer.
"As a rule of thumb, on every Magento installation where a compromise is suspected to have taken place, the /includes/config.php should be verified quickly," researchers advise.It should be noted that similar technique can also be used against websites based on other content management system platforms such as Joomla and WordPress to hide malicious code.
Since attackers mostly exploit known vulnerabilities to compromise websites at the very first place, users are always recommended to keep their website software and servers updated with the latest security patches.