Rewterz Threat Advisory – CVE-2019-18834 – WooCommerce Subscriptions plugin for WordPress cross-site scripting
July 28, 2020
Severity
Medium
Analysis Summary
Researchers discovered malware hidden inside .ICO and .PNG image files. The files, hosted in booby-trapped Magento repositories on GitHub, carried the Magecart skimmer. The malicious code was found embedded in an otherwise legitimate Google Tag Manager PNG file; hiding malware inside legitimate-looking files lets the threat actors keep a less suspicious presence. The Google Tag Manager code contains JavaScript that extracts the final bytes of the image file in which it is implanted. Once deobfuscated, that payload proved to be Magecart skimmer code, modified so that the exfiltration path is not immediately visible: a specific piece of code is responsible for computing the URL of the gateway. The malware attempts to load PNG files from a GitHub repository, where researchers found several folders and files containing more corrupted .png and .ico files. The exfiltration URL is stored within the code carried by the image file and is decrypted by the aforementioned JavaScript.
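As an added example (not part of the advisory and not the researchers' tooling), the following Python check targets the hiding technique described above: it parses the PNG chunk list (or the ICO directory) to find where the image structurally ends and reports how many bytes are appended after that point, which is where the skimmer payload was stored. The sample PNG it builds is constructed for testing only.

```python
"""Detect data appended after the structural end of PNG and ICO files (added
example, not from the advisory; a clean image reports 0 trailing bytes)."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end_offset(data: bytes) -> int:
    """Offset just past the IEND chunk, or -1 if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return -1
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # 8-byte chunk header, chunk data, 4-byte CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else -1
    return -1  # truncated: IEND never reached

def ico_end_offset(data: bytes) -> int:
    """Offset just past the last image the ICO directory declares, or -1."""
    if len(data) < 6 or struct.unpack("<HH", data[:4]) != (0, 1):
        return -1
    count = struct.unpack("<H", data[4:6])[0]
    end = 6 + 16 * count  # ICONDIR header plus one 16-byte entry per image
    for i in range(count):
        entry = data[6 + 16 * i:22 + 16 * i]
        if len(entry) < 16:
            return -1
        size, offset = struct.unpack("<II", entry[8:16])
        end = max(end, offset + size)
    return end

def trailing_bytes(data: bytes) -> int:
    """Bytes appended after the image's structural end; 0 means clean."""
    end = png_end_offset(data)
    if end < 0:
        end = ico_end_offset(data)
    if end < 0:
        raise ValueError("not a PNG or ICO file")
    return len(data) - end

def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit grayscale PNG (constructed sample input)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        crc = struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
        return struct.pack(">I", len(body)) + ctype + body + crc
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    raw = (b"\x00" + b"\x00" * width) * height  # filter byte 0 per row
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")
```

A non-zero result is a lead, not a verdict: some legitimate tools also append metadata after IEND, so flagged files should be inspected rather than blocked automatically.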
Impact
- Data breach
- Exposure of sensitive data
- Information theft
- Account compromise
Indicators of Compromise
URL
- hxxps[:]//googletag-manager[.]com/gtag/GTM-P75S9/
Remediation
- Block all threat indicators at your respective controls.
- Search for IOCs in your environment.