The PHP-based web shell malware is passed off as a favicon (“Magento.png”): the attackers insert it into compromised sites by tampering with the shortcut icon tags in the HTML so that they point to the fake PNG image file. This web shell, in turn, is configured to retrieve the next-stage payload, a credit card skimmer, from an external host.
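A defender can check for exactly this trick by walking a page's icon `<link>` tags and verifying that whatever each `href` points at really is an image. The script below is an added example, not code from the article or from Malwarebytes; the HTML, the file contents and the `Magento.png` path it uses are constructed sample data, and the `fetch` callback is an assumed stand-in for however you retrieve files from the site under review. It goes one step beyond the article by also flagging a polyglot (a file that starts with the PNG header but still contains a PHP open tag).

```python
import re
from html.parser import HTMLParser

# Eight-byte signature every real PNG file starts with.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
# A PHP open tag has no business inside an image file.
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


class IconLinkParser(HTMLParser):
    """Collects the href of every <link> whose rel list contains 'icon'
    (matches rel="icon" as well as rel="shortcut icon")."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "link":
            return
        attrs = dict(attrs)
        rel = (attrs.get("rel") or "").lower().split()
        if "icon" in rel and attrs.get("href"):
            self.hrefs.append(attrs["href"])


def classify_icon(data: bytes) -> str:
    """Classify the bytes served for an icon href."""
    has_php = PHP_TAG.search(data) is not None
    is_png = data.startswith(PNG_MAGIC)
    if has_php and is_png:
        return "png-php-polyglot"   # valid image header, PHP hidden inside
    if has_php:
        return "php-in-image"       # no image at all, just PHP under a .png name
    if is_png:
        return "png"
    return "unknown"


def audit_favicons(html: str, fetch) -> dict:
    """Map every icon href found in `html` to its classification.
    `fetch(href)` must return the raw bytes served for that href."""
    parser = IconLinkParser()
    parser.feed(html)
    return {href: classify_icon(fetch(href)) for href in parser.hrefs}


# Constructed sample: one legitimate icon tag and one tampered tag that
# points at a PHP file named like an image.
SAMPLE_HTML = """<html><head>
<link rel="icon" type="image/png" href="/skin/favicon.png">
<link rel="shortcut icon" href="/media/Magento.png">
</head><body></body></html>"""

SAMPLE_FILES = {
    "/skin/favicon.png": PNG_MAGIC + b"\x00" * 16,
    "/media/Magento.png": b"<?php /* constructed placeholder: PHP where a PNG should be */ ?>",
}


if __name__ == "__main__":
    for href, verdict in audit_favicons(SAMPLE_HTML, SAMPLE_FILES.__getitem__).items():
        print(f"{verdict:18} {href}")
```

Running the audit on the constructed sample reports `png` for `/skin/favicon.png` and `php-in-image` for `/media/Magento.png`. On a real site, pair this with a check of the HTTP `Content-Type` the server returns for each icon and with a file-integrity baseline of the theme's `head` template, since the tampering happens in the HTML rather than in the image directory.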
The latest campaign has been attributed to Magecart Group 12 based on overlaps in tactics, techniques, and procedures employed. Malwarebytes added that the newest domain name they found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.
Over the past several months, Magecart actors have used a range of attack techniques to evade detection and exfiltrate data.