Magecart hackers use PHP backdoor in website favicons

Magecart hackers are distributing malicious PHP web shells disguised as favicons in order to retain remote access to compromised servers and insert JavaScript skimmers into online shopping sites, with the aim of stealing financial information from users.


According to Malwarebytes' Jérôme Segura, these web shells, known as Smilodon or Megalodon, are used to dynamically load JavaScript skimming code into online stores through server-side requests.


Magecart hackers target online shopping sites and use a tactic called web skimming to steal credit card information from e-commerce websites.


Skimmers, also known as formjacking attacks, are JavaScript code that the operators secretly inject into an e-commerce website, usually on payment pages, with the aim of collecting customers' card information in real time and transmitting it to a remote server.


This technique is intriguing because most client-side security tools would be unable to detect or block the skimmer.


Typically, when a customer visits an online store, an injected skimmer makes a client-side request to an external JavaScript resource hosted on an attacker-controlled domain.


The new attack, however, is a little different in that the skimmer code is dynamically added to the merchant site at the server level.


The PHP-based web shell malware is disguised as a favicon ("Magento.png"), and it infects websites by tampering with the shortcut icon tags in the HTML code so that they point to the fake PNG image file.
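The two defensive checks suggested by the description above, namely that a favicon tag should point at a genuine image and that a checkout page should only load scripts from known first-party hosts, are shown in the following added example. It is illustrative code written for this article, not Malwarebytes' tooling or anything from the Magento project; the HTML, the file contents and the hostnames (`cdn.example-shop.test`, `static.attacker-placeholder.test`) are constructed, and the PHP stand-in is an empty comment, not a web shell.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Every real PNG file begins with this eight-byte signature.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed sample checkout page: the favicon tag points at "Magento.png"
# and a second <script> loads from a host that is not part of the shop.
SAMPLE_HTML = """
<html><head>
<link rel="shortcut icon" href="/media/favicon/Magento.png">
<script src="https://cdn.example-shop.test/checkout.js"></script>
<script src="https://static.attacker-placeholder.test/loader.js"></script>
</head><body><form id="checkout"></form></body></html>
"""

# Constructed stand-ins for files on the web server, keyed by the path used in the HTML.
FILES = {
    # Named like an image but containing PHP source (harmless placeholder, not a shell).
    "/media/favicon/Magento.png": b"<?php /* constructed stand-in for a PHP file */ ?>",
    # A genuine PNG header followed by filler bytes.
    "/media/favicon/good.png": PNG_SIGNATURE + b"\x00" * 16,
}

# Hosts the shop legitimately serves JavaScript from (assumed allowlist).
FIRST_PARTY = {"example-shop.test", "cdn.example-shop.test"}


class _TagCollector(HTMLParser):
    """Collects favicon hrefs and external script sources from an HTML document."""

    def __init__(self):
        super().__init__()
        self.icons = []
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # rel="icon" and rel="shortcut icon" both declare a favicon.
        if tag == "link" and "icon" in (a.get("rel") or "").lower() and a.get("href"):
            self.icons.append(a["href"])
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def is_real_png(data):
    """True if the bytes start with the PNG magic number."""
    return data.startswith(PNG_SIGNATURE)


def looks_like_php(data):
    """True if a PHP open tag appears near the start of the file."""
    head = data[:4096]
    return b"<?php" in head or b"<?=" in head


def check_favicons(html, files):
    """Return (href, reason) findings for favicon links that do not resolve to a real image."""
    parser = _TagCollector()
    parser.feed(html)
    findings = []
    for href in parser.icons:
        data = files.get(href)
        if data is None:
            findings.append((href, "missing"))
        elif looks_like_php(data):
            findings.append((href, "php-code-in-image"))
        elif href.lower().endswith(".png") and not is_real_png(data):
            findings.append((href, "not-a-png"))
    return findings


def external_scripts(html, first_party):
    """Return script src URLs whose host is not on the first-party allowlist."""
    parser = _TagCollector()
    parser.feed(html)
    result = []
    for src in parser.scripts:
        host = urlparse(src).hostname
        if host and host not in first_party:
            result.append(src)
    return result


if __name__ == "__main__":
    for href, reason in check_favicons(SAMPLE_HTML, FILES):
        print(f"favicon {href}: {reason}")
    for src in external_scripts(SAMPLE_HTML, FIRST_PARTY):
        print(f"unexpected external script: {src}")
```

The favicon check catches the case described in this article, where the image path is real but the file behind it is PHP; the script check catches the more common client-side variant, where the skimmer is fetched from an attacker-controlled domain. Neither check will see a skimmer that the server injects inline into the page body, which is why server-side file integrity monitoring of the web root (including image directories) matters for this variant.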


Source: Malwarebytes


This web shell retrieves the next-stage payload, a credit card skimmer, from an external server.


Based on similarities in tactics, techniques, and procedures, the new campaign has been attributed to Magecart Group 12.




Malwarebytes also pointed out that the newest domain name they discovered (zolo[.]pw) is hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, both of which were previously linked to Magecart Group 12.


Magecart hackers have used a variety of attack tactics to avoid detection and exfiltrate data over the last few months.

