Smilodon Credit Card Skimming Malware Moves to WordPress

WordPress’ massive market share has come with an unsurprising side effect: as more and more site admins turn to popular plugins like WooCommerce to make a profit on their website and build online we saw a significant increase in the number of attacks targeting WordPress eCommerce sites. Moreover, bad actors reuse their old Magento credit card by stealing malware to use against WordPress.

In today’s article, we are going to look at one such malware that was initially used as a backdoor in Magento environments, but more recently repurposed to act as a credit card skimmer and webshell in websites running WordPress. and WooCommerce.

Origins

This malware was originally reported by one of our analysts in late 2020. The original sample is a heavily obfuscated remote code execution backdoor:

An obfuscated remote code execution backdoor originally found in Magento environments

This code served the purpose of all backdoors: to restore the malicious payload to the victim’s website – in this case, a credit card skimmer.

Prior to December 2021, every instance of this malware was found in compromised Magento e-commerce environments and injected (mostly) into theme files.

A graph showing the filename distribution of an RCE backdoor as of late 2020

Around November 2020 and July 2021, we saw two significant spikes in detections for this particular backdoor:

A graph showing known detections of an RCE backdoor, later turned into a credit card skimmer

It may not be a coincidence that these sharp increases in infections occurred shortly after the disclosure and publication of vulnerabilities for the Magento CMS platform during these same periods periods.

Due to the way Magento works, the credit card skimming code resides in other files that directly process payment information.

Switch to WordPress

When we examine newer instances of this malware, we see an entirely different picture:

A pie chart showing RCE backdoor / credit skimmer filenames detected since December 2021

As of December 2021, almost all instances of this malware have been found injected into bogus/malicious WordPress plugin files.

Here are two examples of common location patterns found in nature:

./wp-content/plugins/dos2unix/dos2unix.php
./wp-content/plugins/wpyii2/wpyii2.php

There are several crucial differences between malware in Magento and WordPress environments. The first concerns the false mandatory data of the WordPress plugin:

Fake plugin code of a WordPress credit card skimmer

This is to try to trick the user into believing that this code belongs to a legitimate plugin. The plugin, of course, does not exist and is wrongly attributed to the Yii PHP Framework.

When it comes to the actual malware, an important difference is this extra piece of encoded content:

An additional piece of code turning an RCE backdoor into a webshell and credit card skimmer

Let’s take a look inside and see what we find, shall we?

FilesMan Setup Thief Code

Here we see the code of the classic Shell FilesMan, a longtime favorite among strikers. What was initially an RCE backdoor has been upgraded to contain full webshell functionality, including configuration code stealing and database management functionality.

This webshell also contains brute force functionality for use in dictionary attacks. Since this malware is already present in a compromised environment, it is likely that this very feature-rich webshell will be used to try to spread further in the environment and possibly attack other websites.

Brute force functionality added to the RCE backdoor

Analysis of a WordPress skimmer

The most important difference of all for this malware is this extra block of code:

An encoded credit card skimmer found in WordPress environments

We can decode this quite easily using the inversion of the base64 and gzinflate coding:

Decoded credit card skimmer in WordPress environments

This extra piece of code turns the backdoor and remote execution shell into a fully functional credit card skimmer. All the usual information is exfiltrated: credit card numbers, expiration dates, security codes, billing addresses, names and other sensitive information.

Since this skimmer code is loaded into the WordPress plugins directory, the application will load the code as if it were a normal plugin. Furthermore, this skimmer runs on the PHP “backend”, which makes it invisible to client terminals that perform the transactions, and therefore undetectable by any antivirus program running on it.

The code contains references to at least three different malware domains:

javasources[.]net
google-statik[.]pw
predator[.]host

Target WooCommerce

Until fairly recently, MageCart threat actors have mainly focused their efforts on specially crafted e-commerce platforms such as Magento, OpenCart and PrestaShop. After all, why go to the trouble of compromising WordPress websites if most of them don’t even process payments or credit card data anyway?

With WooCommerce constituting approximately 40% e-commerce stores and becoming the most popular e-commerce software on the web, it was only a matter of time before attackers focused their efforts on this platform. We see evidence of this in this particular malicious plugin.

To filter only e-commerce websites, the attackers added the following line of code which performs a check to determine if WooCommerce is installed and present in the environment:

Malicious code verifying the presence of WooCommerce in infected environments

This is a direct link to WooCommerce. If WooCommerce is present then the webshell/skimmer will be injected. If the plugin doesn’t exist in the environment, it won’t return anything and attackers will just inject the shell instead, presumably to use it for other purposes.

Why let a compromised environment go to waste, after all?

MageCart Threat Actors

One name kept coming up when analyzing this code: SMILODON – commonly known as saber-toothed tigers.

Besides being a long-extinct prehistoric mammal, SMILODON is also used by some threat actors involved in MageCart’s Group 12 credit card skimming malware – and that’s not the first time that we have seen their work. In fact, this code is almost identical to a skimming attack on a WordPress site that we found last fall.

MalwareBytes security researchers have also writing on the actors of the SMILODON MageCart malware. They seem to have been behind several large-scale Magento hacking sprees in November 2020 and July 2021, as shown in our charts.

SMILODON credit card skimming malware found in WordPress environments

In conclusion

This is a great example of the trend of credit card theft infections to WordPress and why e-commerce site owners need to be more vigilant than ever to protect their websites and customer data.

The same attackers who targeted purpose-built e-commerce platforms such as Magento and OpenCart are now clearly focusing their efforts on WordPress environments running WooCommerce.

Website administrators should take note and take the necessary preventive measures to protect their websites against these attacks:

  • Keep your website up to date with all software and security updates
  • Enable automatic updates if you can
  • Protect your administration area against unauthorized access

If you need help securing your website, consider putting it behind our firewall. If you’ve ever been the victim of an attack and your customers report credit card theft, don’t worry! We can to help!

Comments are closed.