Thousands of Magento websites compromised to serve malware

Security experts have discovered that thousands of websites running the eBay’s Magento e-commerce platform have been compromised and used to deliver malware.

Security experts at Sucuri have discovered a malware campaign that targeted a large number of websites the eBay Magento e-commerce platform. The same campaign was also monitored by the researchers at Malwarebytes which focused their analysis on the client side.

According to the security experts, the attackers compromised websites running Magento and injected malicious scripts that were used to create iframes from the “guruincsite.com” domain.

The threat actors compromised Magento installations by exploiting a zero-day directory traversal flaw in the third-party mass importer tool Magmi.

The guruincsite domain is known to security firms, according to the Google Safe Browsing the domain has been used to infect more than 8,000 domains. The domain was also used to host a Neutrino exploit kit used to serve a malware.

“The name ‘guruincsite‘ was also familiar to us because it happened to be part of the redirection infrastructure in our ‘neitrino‘ campaign. It turned out that this was the same attack Sucuri was seeing on the server side as what we were seeing on the client side via web exploits.” states the blog post published by Malwarebytes.

The specific campaign uncovered by the experts relies on the Neutrino Exploit Kit to deliver the Andromeda/Gamarue malware triggering a Flash Player vulnerability.

Denis Sinegubko from Sucuri explained that Magento website administrators can discover the infection by checking the design/footer/absolute_footer entry in the core_config_data table.

“The malware is usually injected in the design/footer/absolute_footer entry of the core_config_datatable, but we suggest scanning the whole database for code like “function LCWEHH(XHFER1){XHFER1=XHFER1” or the “guruincsite” domain name.” states the blog post from Sucuri.

Magento e-commerce platform is a privileged target for cybercriminals, in April experts at Sucuri reported another malicious campaign that was exploiting a flaw within 24 hours after its disclosure.

In June, the researchers from Sucuri discovered a malicious code used by criminals to syphon payment card data from websites based on the Magento e-commerce Platform.

Pierluigi Paganini

(Security Affairs –  Magento, cybercrime)