A list of dozens of online stores hacked by a web skimming group was inadvertently leaked by a dropper used to deploy a stealthy remote access trojan (RAT) on compromised e-commerce sites.
The threat actors use this RAT for maintaining persistence and for regaining access to the servers of hacked online shops.
Once they connect to the stores, the attackers deploy credit card skimmer scripts that steal and exfiltrate customers' personal and financial data in digital skimming attacks (also known as Magecart).
Researchers at
Sansec, a security company focused on protecting e-commerce stores from web skimming attacks, said that the malware was delivered in the form of a 64-bit ELF executable with the help of a PHP-based malware dropper.
To evade detection and hinder analysis, the unnamed RAT is designed to camouflage itself as a DNS or an SSH server daemon so that it doesn't stand out in the server's process list.
The malware also runs in sleep mode almost throughout the day, only waking up once per day early in the morning, at 7 AM, to connect to its command-and-control server and ask for commands. [...]
