The PHP-based web shell malware passes itself off as a favicon (“Magento.png”): it is planted on compromised websites by tampering with the shortcut icon tags in the HTML code so that they point to the fake PNG image file. This web shell, in turn, is configured to retrieve the next-stage payload from an external host, a credit card skimmer that shares similarities with another variant used in the Cardbleed attacks last September, suggesting the threat actors modified their toolset following public disclosure.
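A defender-side check for the technique just described, added here as an example that is not part of the original article or of Malwarebytes' tooling: it parses a page's `<link rel="...icon">` tags and verifies that each referenced file actually carries an image signature and contains no PHP open tag, which is exactly what a PHP web shell served as “Magento.png” would fail. The sample HTML, the file contents and the `fetch` callback are constructed stand-ins; against a live site `fetch` would be replaced by an HTTP GET.

```python
"""Added example (not the article's code): flag favicon links whose target is
not really an image.  A skimmer web shell stored as 'Magento.png' and reached
through a tampered shortcut-icon tag is PHP source, not PNG bytes, so the
cheapest check is to compare the served file against image magic numbers and
look for a PHP open tag.  All inputs below are constructed."""
from html.parser import HTMLParser
from typing import Callable, Dict, List

# Magic bytes of the formats a favicon is normally served as.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpeg": b"\xff\xd8\xff",
    "ico": b"\x00\x00\x01\x00",
}
PHP_MARKER = b"<?php"  # short tags ('<?=') are omitted to limit false positives


class IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel attribute contains 'icon'."""

    def __init__(self) -> None:
        super().__init__()
        self.hrefs: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if "icon" in a.get("rel", "").lower() and a.get("href"):
            self.hrefs.append(a["href"])


def classify_icon(data: bytes) -> str:
    """Return 'php', 'not-image' or 'ok' for the bytes of an icon file.

    The PHP check runs first so that a polyglot (valid PNG header with PHP
    appended) is still caught."""
    if PHP_MARKER in data:
        return "php"
    if any(data.startswith(sig) for sig in IMAGE_MAGIC.values()):
        return "ok"
    return "not-image"


def find_suspicious_icons(html: str, fetch: Callable[[str], bytes]) -> Dict[str, str]:
    """Map every icon href on the page to a verdict other than 'ok'.

    `fetch` abstracts retrieval so the same logic can run against canned bytes
    (as in the test) or a live site (e.g. requests.get(url).content)."""
    parser = IconLinkParser()
    parser.feed(html)
    findings: Dict[str, str] = {}
    for href in parser.hrefs:
        try:
            verdict = classify_icon(fetch(href))
        except Exception:  # unreachable file is worth a look too
            verdict = "unreachable"
        if verdict != "ok":
            findings[href] = verdict
    return findings


# Constructed sample page: one genuine .ico and one 'PNG' that is a PHP polyglot.
SAMPLE_HTML = """<html><head>
<link rel="icon" href="/favicon.ico">
<link rel="shortcut icon" type="image/png" href="/media/Magento.png">
</head><body>shop</body></html>"""

SAMPLE_FILES = {
    "/favicon.ico": IMAGE_MAGIC["ico"] + b"\x01\x00" + b"\x00" * 64,
    "/media/Magento.png": IMAGE_MAGIC["png"] + b"\x00" * 8
    + b"<?php /* constructed placeholder, not a real shell */ ?>",
}


def demo() -> Dict[str, str]:
    """Run the scanner over the constructed sample; returns the findings."""
    return find_suspicious_icons(SAMPLE_HTML, lambda href: SAMPLE_FILES[href])


if __name__ == "__main__":
    for href, verdict in demo().items():
        print(f"{verdict:10s} {href}")
```

Running it reports `/media/Magento.png` as `php` and says nothing about the legitimate `/favicon.ico`. In practice this belongs in a periodic integrity job next to a hash of the known-good favicon, since the tampered tag may only be served to certain paths (the checkout page) rather than site-wide.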
Malwarebytes attributed the latest campaign to Magecart Group 12 based on overlaps in the tactics, techniques, and procedures employed, adding that “the latest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.”
Operating with the primary goal of capturing and exfiltrating payment data, Magecart actors have embraced a wide range of attack vectors over the past several months to stay under the radar, evade detection, and plunder data. From hiding card stealer code inside image metadata and carrying out IDN homograph attacks to plant web skimmers concealed inside a website’s favicon file, to using Google Analytics and Telegram as exfiltration channels, the cybercrime syndicate has intensified its efforts to compromise online stores.