Warning: fake Magento patch 9789 contains virus
by Sansec Forensics Team
Published in Threat Research − April 21, 2017
Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798.
Update Apr 22nd: added reference to Neutrino Bot and POS systems
This week a mail was sent out to announce the new Magento patch SUPEE-9789. It is fake and it contains malware. There is no patch 9789. The message (full headers below) mimics an official Magento accouncement. It has two malicious payloads:
- An attached Word document with macro, identified as virus
- A request to run
demo.magestore.com/webpos3/media/webpos.exe, which was identified as a new variety of the notorious Neutrino Bot (VirusTotal.
Fake #Magento patch contains malware:
— Bart (@bartblaze) April 21, 2017
Neutrino Bot aka #Kasidet, blog by @gwillem:https://t.co/o32MSYlLPx
IOCs: https://t.co/UyxSJJPEgz
This specific malware is known to target POS systems, a.k.a. cash registers. Among other things, it will harvest payment data and passwords, and enslave the cash register into a botnet that can be used for DDoS attacks.
Curiously, the malware is hosted on a server of MageStore, a legitimate vendor of POS systems. It appears that MageStore runs a vulnerable version of ProFTPd which allows anyone to upload files to their server. Unfortunately, MageStore couldn't be reached, and the malware is still on their server as of April 22nd.
Please get in touch if you have received this message as we are trying to establish the scope of intended targets. So far, we have received reports from extension vendors and hosting providers.
Thanks to Andrew Howden for additional research.
Full headers:
Return-path: <[email protected]>
Envelope-to: REDACTED
Received: from mail.hal-pc.org ([66.187.70.28])
by REDACTED with esmtp (Exim 4.84_2)
(envelope-from <[email protected]>)
id 1d1OyU-0001Zw-Go
for REDACTED; Fri, 21 Apr 2017 05:11:12 +0200
Received: from mail.hal-pc.org (localhost [127.0.0.1])
by mail.hal-pc.org (Postfix) with ESMTP id 66AD33E8AA7E
for <REDACTED>; Thu, 20 Apr 2017 22:11:09 -0500 (CDT)
Received: from 144.217.200.38 (unknown [5.189.203.59])
(Authenticated sender: [email protected])
by mail.hal-pc.org (Postfix) with ESMTPA id BA8DF3E8AA7D
for <REDACTED>; Thu, 20 Apr 2017 22:11:03 -0500 (CDT)
Message-ID: <[email protected]>
From: "[email protected]" <[email protected]>
To: REDACTED
Subject: Critical updates for Magento 1.x and Magento 2.x versions - SUPEE-9789
Date: Thu, 20 Apr 2017 20:11:01 -0700
Organization: Magento.com
MIME-Version: 1.0
Read more
What is Magecart?
Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time?
About MagecartScan your store now
for malware & vulnerabilities
eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.
Learn more
