Stealthy Magecart Attack Accidentally Leaks the List of Infected Stores

Recently, Sansec has found a clever remote access trojan (RAT), that has been sneaking in the lanes of hacked eCommerce servers. According to the experts, the hackers use this RAT for managing tenacity and for recovering all access to the servers of the online shops that were hacked.

This RAT is a 64-bit ELF viable, which coats in user server and later process table with benign-sounding names like dnsadmin or sshd [net]. Moreover, the threat actors have processed many ways to block the experts, the RAT naps continuously.

It wakes when most sysadmins haven’t commenced their workday; well, At 7 am, it sends request guidance from its ill-disposed master (C2) at Not only this it also uses the e4220b186227631edb41c3c942b6b6c9ace1f7eec2674ae634aa63bceca20b4e password to verify the mission.

The former victims were revealed by RAT dropper

Somehow the Sansec accomplished intercepting the dropper code of RAT, as it contains an extensive list for all the targeted victims. 

However, in a report, the experts have provided a full copy of the RAT dropper, and luckily the experts have mentioned the merchants so that they can alert regarding the breach of the system. 

Recommendations offered by security experts

Apart from this, the security experts of Sansec have recommended many steps to the users so that they can help out themselves from this unwanted data breach of the system, and here they are mentioned below:-

  • The experts have suggested all the merchants to hire a forensic expert for investigation and cleanup.
  • The experts have provided a full checklist for a better understatement of the users.
  • The flagship software eComscan will surely help the team with their investigation, and it will also assist in stopping all future incidents.

The security experts at Sansec have discovered multiple Magecart skimmers and malware samples during the last couple of months. This malware uses innovative resolution methods or to circumvent all kinds of detection.

Moreover, to avoid exposure and hinder analysis, the experts have unnamed RAT and asserted that it is outlined to camouflage itself as a DNS or an SSH server daemon so that it doesn’t survive in the server’s process list.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.


Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.

Recent Posts

SSNDOB Marketplace Admin Jailed for Selling millions of Americans Data

In a resounding triumph for justice, U.S. District Judge Kathryn Kimball Mizelle has sentenced Vitalii…

10 hours ago

Is Your Online Store Hacked in a Carding Attack? Here’s an Action Plan to Protect

Hackers are plotting to benefit from the generosity of Halloween, Thanksgiving, and Christmas shoppers using…

14 hours ago

Google Researchers Find Out How ChatGPT Queries Can Collect Personal Data

The LLMs (Large Language Models) are evolving rapidly with continuous advancements in their research and…

14 hours ago

New Android Malware Employs Various Tactics to Deceive Malware Analyst

In the dynamic realm of mobile application security, cybercriminals employ ever more sophisticated forms of…

16 hours ago

DJvu Ransomware Mimic as Cracked Software to Compromise Computers

A recent campaign has been observed to be delivering DJvu ransomware through a loader that…

17 hours ago

Okta Hack: Threat Actors Downloaded all Customer Support System Users’ Data

In a pivotal update to the Okta security incident divulged in October 2023, Okta Security…

18 hours ago