New Golang Brute-Forcer Targeting E-Commerce Sites

A new malware has been spotted by security firm Malwarebytes, which is making rounds in the e-commerce space. The malicious code was found injected directly into the site’s homepage, referencing an external piece of JavaScript. This means that the shopping site had been compromised either via a vulnerability or by brute forcing the administrator password.

According to researchers, when users enter their address and payment details in compromised e-commerce website, those data were exfiltrated to a site called googletagmanager[.]eu, which is linked to Magecart. A part of Golang malware connects to these sites. Another binary written in Delphi complemented the communication.

The malware is found to be associated with many malicious domains. Once initiated, the Delphi binary collects system information and then beacons them to C2 servers, following which it downloads the malware payload. The malware installs itself to the system and proceeds to conduct brute-forcing. During the execution, it connects to a rogue IP address and informs that the affected computer is ready for other malicious tasks. Similarly, it infected sites managed by phpMyAdmin and cPanel.

“Brute force attacks can be quite slow given the number of possible password combinations. For this reason, criminals usually leverage content management systems(CMS) or plugin vulnerabilities instead, as they provide a much faster return on investment. Having said that, using a botnet to perform login attempts allows threat actors to distribute the load onto a large number of workers,” said Jerome Segura, the researcher behind the malware analysis.

Therefore, it is suggested that site owners relying on CMS such as Magento, keep their sites updated with the latest security patches.

There are many different weaknesses in this ecosystem that can be exploited. From the website owners not being diligent with security updates or their passwords, to end users running infected computers turned into bots and unknowingly helping to hack web portals. So, it is important to keep the web server software up-to-date and augment this protection by using a web application firewall to fend off new attacks. There are different methods to thwart brute force attacks, including the use of the .htaccess file to restrict which IP address is allowed to log in.

Skimmers are another real problem for online shoppers who are becoming more and more wary of entering their personal information into e-commerce websites as victims may not know where and when the theft happened. Also, it does not indicate well for online merchants when their platform has been compromised.