The malware hides in the website's database

Feb 16, 2017 10:34 GMT  ·  By

Security experts have discovered a new malware strain targeting online shops running on Magento, one of the most popular e-commerce platforms. What sets this malware apart is the fact that it can self-heal by using code hidden in the website's database. 

According to researchers, this isn't the first web malware that hides code in the website's database, but it is the first written in SQL, as a stored procedure.

So, how does this work? Whenever a user places a new order, the malware starts executing: the malicious database trigger runs before the Magento platform even puts together the PHP and assembles the page, reads a blog post by Willem de Groot, the researcher who analyzed the malware discovered by Jeroen Boersma.

The query, he says, checks for the existence of the malware in the header, footer, copyright, and every CMS block. If it doesn't find anything, it re-adds itself.

"The discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis," de Groot writes.

The malware affecting stores using the Magento platform can steal user card information, which puts quite a lot of people at risk. The SQL part of the code, however, makes sure that the malware survives as long as possible on the platforms.
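As an added example, not code from the article or from de Groot's scanner: a set of MySQL queries a Magento administrator can run to audit the database for triggers and stored routines of the kind described above, plus a check for script content already injected into CMS blocks or header/footer settings. It assumes you are connected to the Magento schema with privileges to read information_schema; cms_block and core_config_data are Magento's own table names.

```sql
-- Added audit queries (not from the article). Run while connected to the
-- Magento database; DATABASE() limits the results to that schema.

-- 1. Every trigger in the store database. Magento itself only creates
--    triggers for indexers set to "Update by Schedule" (names typically
--    start with trg_); anything else deserves a look.
SELECT TRIGGER_NAME,
       ACTION_TIMING,          -- BEFORE / AFTER
       EVENT_MANIPULATION,     -- INSERT / UPDATE / DELETE
       EVENT_OBJECT_TABLE,     -- table the trigger fires on (e.g. orders)
       DEFINER,
       CREATED,
       ACTION_STATEMENT        -- the trigger body
FROM   information_schema.TRIGGERS
WHERE  TRIGGER_SCHEMA = DATABASE();

-- 2. Triggers whose body touches the places the article says the malware
--    checks and re-adds itself to (CMS blocks, header/footer settings in
--    core_config_data), or that carry script markup or decoding calls
--    often used to hide a payload.
SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT
FROM   information_schema.TRIGGERS
WHERE  TRIGGER_SCHEMA = DATABASE()
  AND (   ACTION_STATEMENT LIKE '%cms_block%'
       OR ACTION_STATEMENT LIKE '%cms_page%'
       OR ACTION_STATEMENT LIKE '%core_config_data%'
       OR ACTION_STATEMENT LIKE '%<script%'
       OR ACTION_STATEMENT LIKE '%UNHEX(%'
       OR ACTION_STATEMENT LIKE '%FROM_BASE64(%');

-- 3. Stored procedures and functions, the other place SQL code can hide.
SELECT ROUTINE_NAME, ROUTINE_TYPE, DEFINER, CREATED, ROUTINE_DEFINITION
FROM   information_schema.ROUTINES
WHERE  ROUTINE_SCHEMA = DATABASE();

-- 4. Is injected content present right now? Check CMS blocks and the
--    design/* config paths that hold header and footer HTML. Legitimate
--    blocks may contain <script> (analytics tags), so review each hit.
SELECT 'cms_block' AS src, identifier AS k, LEFT(content, 200) AS sample
FROM   cms_block
WHERE  content LIKE '%<script%'
UNION ALL
SELECT 'core_config_data', path, LEFT(value, 200)
FROM   core_config_data
WHERE  path LIKE 'design/%' AND value LIKE '%<script%';
```

Removing a malicious trigger without also cleaning the rows it rewrote, or the reverse, leaves the store re-infectable, so treat the trigger, the routines and the content as one cleanup.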

New, but not unique

Web security firm High-Tech Bridge CEO Ilia Kolochenko told Softpedia that, excluding highly sophisticated targeted attacks, almost every modern malware strain can be detected fairly easily and quickly when used in watering-hole attacks on popular websites. Detection of their malware, however, means a loss of profit for hackers.

"Therefore, it's quite predictable that they start using more and more sophisticated techniques to prevent website owners, administrators, and visitors from detecting the fact of the breach and malware infection. We saw similar techniques in 2015, which we called drive-by-login attacks, when an exploit pack was delivered to website visitors along with the server response, once a precise user had successfully logged in to the system," Kolochenko told us.

Dutch researcher Willem de Groot has updated the Magereport and the Malware Scanner with this new class of malware to help shop owners who want to do a sweep.

We have reached out to Magento and will update when we hear back.