
Rewterz Threat Alert – Water Pamola Attack Campaign Targeting eCommerce Merchants

January 25, 2022

Severity

High

Analysis Summary

At the end of 2021, Japanese eCommerce merchants fell victim to a digital skimming campaign conducted through a popular open-source eCommerce solution. Based on shared TTPs (Tactics, Techniques, and Procedures) and other commonalities, the threat actors targeting the Japanese eCommerce merchants, as detailed by JPCERT, are likely also behind the activity identified by Visa PFD (Payment Fraud Disruption) described below.

Overview of the Campaign

In the summer of 2021, Japanese eCommerce retail and wholesale merchants were targeted by threat actors exploiting the unpatched, outdated version of the eCommerce platform they were running. An XSS (cross-site scripting) vulnerability in the platform, combined with a malicious JavaScript URL, enabled the threat actors to compromise the platform through placed orders.

Once an employee at one of the merchants executed the infected URL and malicious payloads, the actors were able to deploy further malicious payloads (including PHP file-uploader scripts, database management tools, JavaScript files, and webshells). The malicious code then targeted the checkout page of the compromised platform through these JavaScript files, allowing the actors to harvest payment details, including PAN, cardholder name, expiration date, and CVV2, during the checkout process. The database management tool deployed by the threat actors also gave them access to the CDE (Cardholder Data Environment).

Impact

  • Data Theft
  • Credential Loss
  • Session Hijacking
  • Financial Loss

Affected Vendors

  • eCommerce Platforms

Indicators of Compromise

Filename

  • aashiawaseyukkurishitene[.]php / confirm_side_img[.]php / jquery[.]ui[.]theme[.]css[.]php
  • jquery[.]js[.]php
  • css_coluns[.]php
  • footer_c[.]png[.]php
  • head[.]css[.]php
  • omedetougozai[.]php
  • slick[.]min[.]js


Remediation

  • Patch – Patch and upgrade any platforms and software in a timely manner.
  • WAF – Set up a Web Application Firewall with rules to block suspicious and malicious requests.
  • Admin Access – Limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
  • Passwords – Implement strong passwords. Enable two-factor authentication.
  • Logging – Log your eCommerce environment’s network activity and web server activity.
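As an added example (not part of this advisory, nor code from JPCERT or Visa), the following Python script applies the Logging recommendation to the filename indicators above: it scans web server access-log lines in the common log format for requests to the listed filenames, or to PHP scripts disguised as static assets, which is the naming pattern those filenames share. The log lines, the log layout and the IP addresses are constructed samples.

```python
import re
from typing import List, Dict

# Filenames reported in the advisory (defanged "[.]" restored to "."),
# which share one disguise pattern: PHP scripts named after static assets.
ADVISORY_FILENAMES = {
    "aashiawaseyukkurishitene.php", "confirm_side_img.php",
    "jquery.ui.theme.css.php", "jquery.js.php", "css_coluns.php",
    "footer_c.png.php", "head.css.php", "omedetougozai.php", "slick.min.js",
}
# A .php file whose basename carries a static-asset extension before ".php".
DISGUISED_PHP = re.compile(r"\.(?:css|js|png|jpe?g|gif|svg|ico)\.php$", re.IGNORECASE)

# Apache/nginx-style common log format (assumed layout for the sample lines).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

def analyse_access_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per request whose path matches an advisory filename
    or the disguised-PHP naming pattern; lines in another format are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        basename = path.rsplit("/", 1)[-1]
        reasons = []
        if basename in ADVISORY_FILENAMES:
            reasons.append("advisory filename")
        if DISGUISED_PHP.search(basename):
            reasons.append("static-asset name with .php extension")
        if reasons:
            findings.append({"ip": m.group("ip"), "path": path,
                             "status": m.group("status"), "reason": "; ".join(reasons)})
    return findings

# Constructed sample log lines (documentation IP ranges); not from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Dec/2021:10:01:02 +0900] "GET /shop/index.php HTTP/1.1" 200 5120',
    '203.0.113.5 - - [20/Dec/2021:10:01:03 +0900] "GET /js/jquery.js.php?x=1 HTTP/1.1" 200 231',
    '198.51.100.7 - - [20/Dec/2021:10:02:10 +0900] "POST /upload/confirm_side_img.php HTTP/1.1" 200 12',
    '198.51.100.7 - - [20/Dec/2021:10:02:11 +0900] "GET /img/logo.png HTTP/1.1" 200 3400',
    '198.51.100.7 - - [20/Dec/2021:10:02:12 +0900] "GET /css/head.css.php HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for f in analyse_access_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['status']} {f['path']}: {f['reason']}")
```

A hit on the naming pattern alone (no advisory filename) is worth triage too, since the same disguise can be reused with new names.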