Warning: fake Magento patch 9789 contains virus

by Sansec Forensics Team

Published in Threat Research − April 21, 2017

Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798.

Update Apr 22nd: added reference to Neutrino Bot and POS systems

This week a mail was sent out announcing a new Magento patch, SUPEE-9789. It is fake and it contains malware: there is no patch 9789. The message (full headers below) mimics an official Magento announcement. It has two malicious payloads:

  1. An attached Word document with a macro, identified as a virus
  2. A request to run demo.magestore.com/webpos3/media/webpos.exe, which was identified as a new variety of the notorious Neutrino Bot (VirusTotal).

This specific malware is known to target POS systems, a.k.a. cash registers. Among other things, it will harvest payment data and passwords, and enslave the cash register into a botnet that can be used for DDoS attacks.

Curiously, the malware is hosted on a server of MageStore, a legitimate vendor of POS systems. It appears that MageStore runs a vulnerable version of ProFTPd which allows anyone to upload files to their server. Unfortunately, MageStore couldn't be reached, and the malware is still on their server as of April 22nd.

Please get in touch if you have received this message as we are trying to establish the scope of intended targets. So far, we have received reports from extension vendors and hosting providers.

Thanks to Andrew Howden for additional research.

Full headers:

Return-path: <[email protected]>
Envelope-to: REDACTED
Received: from mail.hal-pc.org ([66.187.70.28])
	by REDACTED with esmtp (Exim 4.84_2)
	(envelope-from <[email protected]>)
	id 1d1OyU-0001Zw-Go
	for REDACTED; Fri, 21 Apr 2017 05:11:12 +0200
Received: from mail.hal-pc.org (localhost [127.0.0.1])
	by mail.hal-pc.org (Postfix) with ESMTP id 66AD33E8AA7E
	for <REDACTED>; Thu, 20 Apr 2017 22:11:09 -0500 (CDT)
Received: from 144.217.200.38 (unknown [5.189.203.59])
	(Authenticated sender: [email protected])
	by mail.hal-pc.org (Postfix) with ESMTPA id BA8DF3E8AA7D
	for <REDACTED>; Thu, 20 Apr 2017 22:11:03 -0500 (CDT)
Message-ID: <[email protected]>
From: "[email protected]" <[email protected]>
To: REDACTED
Subject: Critical updates for Magento 1.x and Magento 2.x versions - SUPEE-9789
Date: Thu, 20 Apr 2017 20:11:01 -0700
Organization: Magento.com
MIME-Version: 1.0
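As an added example (not part of the original Sansec post), a small Python checker that walks a Received chain like the one above and flags what a mail admin would look for: an origin with no reverse DNS whose HELO name is a bare IP differing from the connecting address, an authenticated submission through an unrelated relay, and claimed From/Organization domains that never appear in the relay path. The relay names and IPs are taken from the headers above; the mailbox addresses are placeholders because the page redacts them.

```python
import re

# Constructed sample modelled on the Received chain printed above: relay names
# and IPs are the page's; mailbox addresses are placeholders (the page redacts them).
RAW_HEADERS = """\
Received: from mail.hal-pc.org ([66.187.70.28])
\tby REDACTED with esmtp (Exim 4.84_2)
Received: from mail.hal-pc.org (localhost [127.0.0.1])
\tby mail.hal-pc.org (Postfix) with ESMTP id 66AD33E8AA7E
Received: from 144.217.200.38 (unknown [5.189.203.59])
\t(Authenticated sender: sender@example.invalid)
\tby mail.hal-pc.org (Postfix) with ESMTPA id BA8DF3E8AA7D
From: "security@example.invalid" <security@example.invalid>
Organization: Magento.com
"""
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def unfold(raw):
    # Join RFC 5322 continuation lines (leading whitespace) back onto their header.
    joined = re.sub(r"\r?\n[ \t]+", " ", raw)
    return [(n.strip(), v.strip()) for n, _, v in
            (line.partition(":") for line in joined.splitlines())]

def parse_hop(value):
    # HELO name, reverse DNS, connecting IP and receiving host of one Received header.
    m, by = HOP_RE.search(value), re.search(r"\bby\s+(\S+)", value)
    return {"helo": m["helo"], "rdns": m["rdns"], "ip": m["ip"], "by": by and by.group(1),
            "authenticated": "authenticated sender" in value.lower()}

def analyze(raw):
    fields = unfold(raw)
    hops = [parse_hop(v) for n, v in fields if n.lower() == "received"]
    origin = hops[-1]  # Received headers are prepended: the last one is the submitting client
    findings = []
    if origin["rdns"] in (None, "unknown"):
        findings.append(f"origin {origin['ip']} has no reverse DNS")
    if IPV4_RE.match(origin["helo"]) and origin["helo"] != origin["ip"]:
        findings.append(f"origin HELO {origin['helo']} is a bare IP and differs from connecting IP {origin['ip']}")
    if origin["authenticated"]:
        findings.append(f"relay {origin['by']} accepted an authenticated submission from {origin['ip']}")
    # Hostnames the mail really passed through, versus the domains it claims to speak for.
    relays = {r.lower() for h in hops for r in (h["by"], h["helo"])
              if r and r != "REDACTED" and not IPV4_RE.match(r)}
    for name, value in fields:
        if name.lower() in ("from", "organization"):
            domain = value.rsplit("@", 1)[-1].strip('<>" ').lower()
            if not any(r == domain or r.endswith("." + domain) for r in relays):
                findings.append(f"claimed domain {domain} ({name}) matches no relay in {sorted(relays)}")
    return findings
```

Run `analyze(RAW_HEADERS)` to get the list of findings; on this sample it reports all five signals, with mail.hal-pc.org as the only relay the message actually traversed.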
