Sansec researchers have recently discovered a stealthy remote access trojan (RAT) lurking on compromised eCommerce servers. According to the researchers, the attackers use this RAT to maintain persistence and to regain access to the servers of online shops they have already breached.
The RAT is a 64-bit ELF executable that hides in the server's process table under benign-sounding names such as dnsadmin or sshd [net]. The attackers have also built in several tricks to frustrate analysts: most of the time the RAT simply sleeps.
It wakes before most sysadmins have started their workday. At 7 am it requests instructions from its command-and-control (C2) server at https://www.hostreselling.com/dashboard/, presenting the password e4220b186227631edb41c3c942b6b6c9ace1f7eec2674ae634aa63bceca20b4e to authenticate its request for tasks.
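One practical check that follows from this description, as an added example that is not Sansec's code or part of the original report: walk the process table and flag any process whose displayed name imitates a system daemon but whose backing executable does not match. The daemon paths, the untrusted-directory list and the sshd title heuristic are assumptions for a typical Debian/Ubuntu host, and the sample process table is constructed for the example.

```python
"""Flag processes masquerading as sshd or a DNS daemon (added example)."""
import os
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Where the genuine daemons live on a typical Debian/Ubuntu host (assumption;
# adjust for your distribution). "named" stands in for a real DNS daemon.
EXPECTED_EXE = {
    "sshd": "/usr/sbin/sshd",
    "named": "/usr/sbin/named",
}
# Process name the article reports the RAT using; there is no legitimate
# "dnsadmin" daemon on a stock Linux install.
SUSPICIOUS_COMM = {"dnsadmin"}
# Directories from which a system daemon should never be executing (assumption).
UNTRUSTED_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/www/", "/home/")
# Heuristic: genuine OpenSSH child processes are titled "sshd: user [priv]"
# (with a colon); "sshd [net]" only resembles that at a glance.
FAKE_SSHD_TITLE = re.compile(r"^sshd\s+\[")


@dataclass
class Proc:
    pid: int
    comm: str            # contents of /proc/<pid>/comm
    cmdline: str         # argv as shown by ps
    exe: Optional[str]   # readlink(/proc/<pid>/exe), None if unreadable


def reasons(p: Proc) -> List[str]:
    """Return the masquerade indicators for one process (empty list if clean)."""
    out: List[str] = []
    if p.comm in SUSPICIOUS_COMM:
        out.append(f"known RAT process name: {p.comm}")
    if p.exe is None or p.exe.endswith(" (deleted)"):
        # The kernel appends " (deleted)" when the binary was unlinked after
        # launch, a common way to leave nothing on disk for a scanner to find.
        out.append("executable unreadable or deleted from disk")
    elif p.exe.startswith(UNTRUSTED_DIRS):
        out.append(f"executable in untrusted directory: {p.exe}")
    expected = EXPECTED_EXE.get(p.comm)
    if expected and p.exe != expected:
        out.append(f"{p.comm} is not running from {expected}")
    if FAKE_SSHD_TITLE.match(p.cmdline):
        out.append("sshd-style title without the ':' real OpenSSH uses")
    return out


def find_masqueraders(procs: Iterable[Proc]) -> List[Tuple[int, List[str]]]:
    """Return [(pid, [indicators...]), ...] for every process with an indicator."""
    hits = []
    for p in procs:
        r = reasons(p)
        if r:
            hits.append((p.pid, r))
    return hits


def live_procs() -> Iterable[Proc]:
    """Read the real process table from /proc. Run as root, otherwise the exe
    links of other users' processes are unreadable and get reported as missing."""
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                raw = f.read()
        except OSError:
            continue  # process exited while we were reading it
        if not raw:
            continue  # kernel threads have no cmdline and no exe link
        cmdline = raw.replace(b"\0", b" ").decode(errors="replace").strip()
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None
        yield Proc(pid, comm, cmdline, exe)


# Constructed sample process table: two legitimate sshd processes, a legitimate
# DNS daemon, and two entries shaped like the RAT described in the article.
SAMPLE = [
    Proc(812, "sshd", "/usr/sbin/sshd -D", "/usr/sbin/sshd"),
    Proc(990, "sshd", "sshd: alice [priv]", "/usr/sbin/sshd"),
    Proc(1300, "named", "/usr/sbin/named -u bind", "/usr/sbin/named"),
    Proc(4021, "sshd", "sshd [net]", "/var/www/html/.cache/sshd"),
    Proc(4022, "dnsadmin", "dnsadmin", "/tmp/.x/dnsadmin (deleted)"),
]

if __name__ == "__main__":
    import sys
    procs = live_procs() if "--live" in sys.argv else SAMPLE
    for pid, why in find_masqueraders(procs):
        print(f"pid {pid}: " + "; ".join(why))
```

Run it without arguments to see the two constructed RAT-like entries flagged and the three legitimate daemons pass; run it as root with `--live` to check a real host. Because the RAT sleeps until 7 am, a process-table check like this can be run at any time of day, unlike network monitoring, which only sees the beacon when it fires.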
The RAT dropper revealed earlier victims
Sansec also managed to intercept the RAT's dropper code, which contains an extensive list of the targeted victims.
In their report, the researchers published a full copy of the dropper and named the affected merchants so that they can be alerted to the breach of their systems.
Recommendations from the security experts
Sansec's researchers have also recommended a number of steps that merchants can take in response to this kind of compromise:
- Merchants should hire a forensic expert for investigation and cleanup.
- Sansec has published a full checklist to help merchants understand the incident.
- Sansec's eComscan scanner can support the investigation and help prevent future incidents.
Over the past couple of months Sansec's researchers have discovered multiple Magecart skimmers and malware samples that use novel evasion techniques to circumvent detection.
The researchers have not yet given this RAT a name. They note that it is designed to camouflage itself as a DNS or SSH server daemon so that it does not stand out in the server's process list, which both avoids exposure and hinders analysis.