The PHP-based web shell malware passes off as a favicon (“Magento.png”), with the malware inserted into compromised sites by tampering with the shortcut icon tags in HTML code to point to the fake PNG image file. This web shell, in turn, is configured to retrieve the next-stage payload from an external host, a credit card skimmer that shares similarities with another variant used in Cardbleed attacks last September, suggesting the threat actors modified their toolset following public disclosure.
Malwarebytes attributed the latest campaign to Magecart Group 12 based on overlaps in tactics, techniques, and procedures employed, adding “the newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.”
Operating with the primary intention of capturing and exfiltrating payment data, Magecart actors have embraced a wide range of attack vectors over the past several months to stay under the radar, avoid detection, and plunder data. From hiding card stealer code inside image metadata and carrying out IDN homograph attacks to plant web skimmers concealed within a website’s favicon file to using Google Analytics and Telegram as an exfiltration channel, the cybercrime syndicate has intensified in its efforts to compromise online stores.