Stealthy Magecart Attack Accidentally Leaks the List of Infected Stores

Recently, Sansec has found a clever remote access trojan (RAT), that has been sneaking in the lanes of hacked eCommerce servers. According to the experts, the hackers use this RAT for managing tenacity and for recovering all access to the servers of the online shops that were hacked.

This RAT is a 64-bit ELF viable, which coats in user server and later process table with benign-sounding names like dnsadmin or sshd [net]. Moreover, the threat actors have processed many ways to block the experts, the RAT naps continuously.

It wakes when most sysadmins haven’t commenced their workday; well, At 7 am, it sends request guidance from its ill-disposed master (C2) at https://www.hostreselling.com/dashboard/. Not only this it also uses the e4220b186227631edb41c3c942b6b6c9ace1f7eec2674ae634aa63bceca20b4e password to verify the mission.

The former victims were revealed by RAT dropper

Somehow the Sansec accomplished intercepting the dropper code of RAT, as it contains an extensive list for all…

Exit mobile version