Collaborate Disseminate
During a routine investigation, we found yet another web skimmer that pretends to be related to Sucuri.
One of our Remediation Analysts, Liam Smith, found the following code injected into the database of a Magento site.
The first 109 lines of the malw… Continue reading Another Credit Card Stealer That Pretends to Be Sucuri
During malware analysis, we regularly find variations of this injected script on various compromised websites: .
The variable “_0x446d” assigns hex encoded strings in different positions in the array. If we get the ASCII representation of the variable… Continue reading Legacy Mauthtoken Malware Continues to Redirect Mobile Users
PHP hack tools are created and used by attackers to help automate frequent or tedious tasks. During a recent investigation, we came across a hack tool used to simplify the process of sending predefined HTML emails to a list of email addresses.
The too… Continue reading GFX Xsender Hack Tool: A Spam Mailer
Malicious pop-ups and redirects have become two extremely common techniques used by attackers to drive traffic wherever they want.
During a recent investigation, we came across an obfuscated pop-up script leveraging baidu[.]com search results to redi… Continue reading Malicious Pop-up Redirects Baidu Traffic
In an attempt to avoid detection, attackers and malware authors are always experimenting with different methods to obfuscate their malicious code.
During a recent investigation, we came across an interesting backdoor that was leveraging encoding along… Continue reading Backdoor Obfuscation: tempnam & URL Encoding
Our team recently came across a malicious script used on a Magento website titled gstaticapi, which targeted checkout processes to capture and exfiltrate stolen information.
To obtain sensitive details, the malware loads external javascript whenever t… Continue reading Magento Credit Card Stealing Malware: gstaticapi
Short scripts that deliver malware to a website are nothing new, but during a recent investigation we found a script using hastebin[.]com, which is a domain we see used infrequently. The script was found writing malicious contents into an image direct… Continue reading Malicious One-Liner Using Hastebin
Initially released December 2015, PHP 7 introduced a multitude of performance and security improvements. Approximately 43.7% of websites across the web currently use PHP 7.x, making it an incredibly popular scripting language — which is likely why att… Continue reading Using assert() to Execute Malware in PHP 7 Environments
A recent SiteCheck scan of an organization’s website showed an interesting pharmacy spam injection targeting COVID-19-related pages of websites. The HTML that was flagged by our SiteCheck signature, spam-seo.hidden_content?100.2, shows why the pharmac… Continue reading COVID-19 Chloroquine Pharmaspam
During a website remediation, we recently discovered a new version of a Magento credit card stealer which sends all compromised data to the malicious domain cdn-filestore[dot]com. My colleague Luke Leal originally wrote about this malware in a blog po… Continue reading CDN-Filestore Credit Card Stealer for Magento