Stealthy Magecart Attack Accidentally Leaks the List of Infected Stores

Recently, Sansec has found a clever remote access trojan (RAT), that has been sneaking in the lanes of hacked eCommerce servers. According to the experts, the hackers use this RAT for managing tenacity and for recovering all access to the servers of the online shops that were hacked.

This RAT is a 64-bit ELF viable, which coats in user server and later process table with benign-sounding names like dnsadmin or sshd [net]. Moreover, the threat actors have processed many ways to block the experts, the RAT naps continuously.

It wakes when most sysadmins haven’t commenced their workday; well, At 7 am, it sends request guidance from its ill-disposed master (C2) at Not only this it also uses the e4220b186227631edb41c3c942b6b6c9ace1f7eec2674ae634aa63bceca20b4e password to verify the mission.

The former victims were revealed by RAT dropper

Somehow the Sansec accomplished intercepting the dropper code of RAT, as it contains an extensive list for all the targeted victims. 

However, in a report, the experts have provided a full copy of the RAT dropper, and luckily the experts have mentioned the merchants so that they can alert regarding the breach of the system. 

Recommendations offered by security experts

Apart from this, the security experts of Sansec have recommended many steps to the users so that they can help out themselves from this unwanted data breach of the system, and here they are mentioned below:-

  • The experts have suggested all the merchants to hire a forensic expert for investigation and cleanup.
  • The experts have provided a full checklist for a better understatement of the users.
  • The flagship software eComscan will surely help the team with their investigation, and it will also assist in stopping all future incidents.

The security experts at Sansec have discovered multiple Magecart skimmers and malware samples during the last couple of months. This malware uses innovative resolution methods or to circumvent all kinds of detection.

Moreover, to avoid exposure and hinder analysis, the experts have unnamed RAT and asserted that it is outlined to camouflage itself as a DNS or an SSH server daemon so that it doesn’t survive in the server’s process list.

You can follow us on LinkedinTwitterFacebook for daily Cyber security and hacking news updates.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Novel Chinese Browser Injector Lets Hackers Intercept Web Traffic

Hackers exploit browser injectors to manipulate web content, steal sensitive information, and hijack user sessions.…

10 hours ago

MediSecure Data Breach: 12.9 Million Australian Users’ Sensitive Data Hacked

In one of the largest cyber breaches in Australian history, MediSecure, a former provider of…

12 hours ago

Cybercriminals Heavily Preparing For 2024 Paris Olympic Games Based Attacks

Major sporting events with massive online audiences, like the World Cup and Olympics, have become…

12 hours ago

BadPack APK Malware Using Wired Trick to Attack Users & Stay Undetected

Hackers often exploit the APK packers to hide malicious codes within Android applications. This will…

13 hours ago

New VPN Port Shadow Vulnerability Let Hackers Intercept Encrypted Traffic

Researchers examined how connection tracking, a fundamental function in operating systems, can be exploited to…

13 hours ago

INTERPOL Taken Down West African Organized Crime Groups

Operation Jackal III has successfully targeted West African organized crime groups, including the notorious Black…

15 hours ago