Magecart hackers hide PHP-based backdoor in Favicons


Cyber criminals are planting malicious PHP web shells disguised as favicons on compromised e-commerce servers. The shells give the attackers persistent remote access and are used to inject JavaScript skimmers into the shopping platforms, with the aim of stealing customers' payment card data.

Malwarebytes' Jérôme Segura stated that these web shells, known as Smilodon or Megalodon, are used to dynamically load JavaScript skimming code into online stores via server-side requests. He described the technique as interesting because most client-side security tools will not be able to detect or block the skimmer.

Magecart, the umbrella name for hacker groups that target online shopping sites, inject web skimmers into e-commerce websites to steal credit card details. Also known as formjacking attacks, the skimmers take the form of JavaScript code that the operators covertly insert into an e-commerce website, often on payment pages, to capture customers' card details in real time as they are typed and transmit them to a remote server.

Skimmer injection usually works by making the customer's browser issue a client-side request to an external JavaScript resource hosted on an attacker-controlled domain when they visit the online store; that third-party request is what browser-side defences such as Content Security Policy and script monitoring can spot. The latest attack differs in that the skimmer code is pulled in dynamically on the server side, so the browser never contacts the attacker's domain and the skimmer arrives as part of the merchant's own page.

The PHP-based web shell passes itself off as a favicon (“Magento.png”). The attackers insert it into compromised sites by tampering with the shortcut icon tags in the HTML (the `<link rel="shortcut icon" href="...">` element) so that they point to the fake PNG file. The web shell, in turn, is configured to retrieve the next-stage payload, a credit card skimmer, from an external host.
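A practical way to hunt for this on a Magento (or any PHP) web root is to stop trusting file extensions: collect the icon hrefs from the page HTML, then check that each referenced file actually begins with an image signature and contains no PHP open tag. The script below is an added example written for this article, not Malwarebytes' tooling or code recovered from the campaign. The HTML snippet and file contents are constructed for illustration; apart from the file name `Magento.png`, which the article names, every path and the shell body are assumptions. Note also that an image-named file can only run as a web shell if the server has been told to execute it as PHP or another script includes it, so a hit here should be followed by a look at the server configuration and any recently modified PHP files.

```python
"""Audit favicon references for PHP disguised as an image.

Added example for this article; not Malwarebytes' code. All sample data
(HTML, file bytes, paths other than "Magento.png") is constructed here.
"""
import re
from html.parser import HTMLParser

# Magic bytes for the formats a favicon is normally served as.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ICO_MAGIC = b"\x00\x00\x01\x00"
# PHP open tags, including the short echo form.
PHP_TAG_RE = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


class IconLinkParser(HTMLParser):
    """Collect href values of <link> tags whose rel list contains 'icon'."""

    def __init__(self):
        super().__init__()
        self.icon_hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag != "link":
            return
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if "icon" in rel and a.get("href"):
            self.icon_hrefs.append(a["href"])


def favicon_hrefs(html: str) -> list:
    """Return every icon href declared in the page, in document order."""
    parser = IconLinkParser()
    parser.feed(html)
    return parser.icon_hrefs


def classify_icon_bytes(data: bytes) -> str:
    """Label a file body: 'php' if PHP code is present, else 'png'/'ico'/'other'.

    PHP is checked first: a real image never contains an open tag, and a
    shell may be padded with a genuine image header to fool naive checks.
    """
    if PHP_TAG_RE.search(data):
        return "php"
    if data.startswith(PNG_MAGIC):
        return "png"
    if data.startswith(ICO_MAGIC):
        return "ico"
    return "other"


def audit_icons(html: str, files: dict) -> list:
    """Return (href, verdict) for each icon href whose body is not a real image.

    `files` maps the href path to the bytes the web root serves for it,
    standing in for reading the file from disk or fetching it.
    """
    findings = []
    for href in favicon_hrefs(html):
        body = files.get(href)
        verdict = "missing" if body is None else classify_icon_bytes(body)
        if verdict not in ("png", "ico"):
            findings.append((href, verdict))
    return findings


# Constructed page: a legitimate icon plus the tampered shortcut-icon tag.
SAMPLE_HTML = """<html><head>
<link rel="icon" href="/media/favicon/default/favicon.ico">
<link rel="shortcut icon" href="/media/Magento.png">
</head><body>store</body></html>"""

# Constructed file bodies: a real ICO header and a fake "PNG" that is PHP.
SAMPLE_FILES = {
    "/media/favicon/default/favicon.ico": ICO_MAGIC + b"\x01\x00" + b"\x00" * 14,
    "/media/Magento.png": b"<?php echo file_get_contents($_POST['u']); ?>",
}

if __name__ == "__main__":
    for href, verdict in audit_icons(SAMPLE_HTML, SAMPLE_FILES):
        print(f"SUSPICIOUS {href}: {verdict}")
```

Run against a real site, replace `SAMPLE_FILES` with a loop that reads each href from the web root (or fetches it and inspects the raw bytes rather than the rendered `Content-Type`). The same `classify_icon_bytes` check can be swept across every `.png`, `.ico`, `.gif` and `.jpg` under the document root, since nothing forces the attacker to reference the shell from the HTML at all.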

The campaign has been attributed to Magecart Group 12 based on overlaps in tactics, techniques, and procedures. Malwarebytes added that the newest domain name it found (zolo[.]pw) is hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.

Over the past several months, Magecart actors have adopted a number of techniques to evade detection while exfiltrating stolen card data; hiding a server-side loader behind an image reference is the latest of them.
