Sansec logo

Visbot malware found on 6691 stores [analysis]

Sansec

by Sansec Forensics Team

Published in Threat Research − December 01, 2016

Visbot malware found on 6691 stores [analysis]

visbot

Visbot is one of the oldest Magecart payment skimmers: it steals customer data and credit cards. The first case was documented as early as March 2015. But being publicly discussed did not stop it from spreading. We conducted a global research into 300.000 Magento stores and found active Visbot infections on 6691 stores.

How is that possible? Contrary to other skimming malware, Visbot inject itself in code running on the server. This makes it harder to detect from the outside, as the malware operates completely invisible for anyone but the store owner. And many store owners are not equiped to detect these kind of compromises.

How Visbot works

For devs, here's a beautified copy

Visbot injects itself into existing PHP code. It stays dormant until data is entered by store visitors (an order or a password). Submitted data is then encrypted and saved to a fake image file. This "image" is then later retrieved by the perpetrator and sold on the black market.

  • Stores usually have a thousands of images, so fetching an odd one is not suspicious.
  • Encryption ensures competing thieves cannot hijack the payload.

And how did Sansec establish the presence of Visbot on all these stores? If it is so well hidden? The Visbot author made a crucial mistake: s/he added a feature to remotely detect whether the malware is still active. If you send a specific code (a "password") to an infected store, it will display:

Pong

This can be simulated with this command:

curl -LH 'User-Agent: Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;[email protected])' \
    http://your-site.com

Recent activity

In the last week, we observed Visbot controller activity from servers in Sweden (62.102.148.187), Ukraine (95.211.197.194) and Germany (81.169.144.135).

Private data is stored in somewhat random image files. So far we observed these filenames being used:

bkg_btn-close2_bg.gif
btn_back_bg_bg.gif
btn_cancel_bg_bg.gif
left_button_back.gif
mage.jpg
nav1_off_bg.gif
notice-msg_bg.png
section_menu_link_bg_bg.gif
sort-arrow-down_bg.png

The public key used to encrypt the stole data is included in the malware, but the private key is not. Until it surfaces, it is not possible to decrypt the contents.

Solution

We have shared the list of compromised stores with the authorities and major providers, so they can reach out to owners and agencies in order to resolve the situation.

We strongly recommend merchants to implement server-side malware & vulnerability scanning, so they can detect and prevent these attacks.

People reporting Visbot cases:

Read more

Scan your store now
for malware & vulnerabilities

$ curl ecomscan.com | sh

eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.

Stay up to date with the latest eCommerce attacks

Sansec logo

experts in eCommerce security

Terms & Conditions
|
Privacy & Cookie Policy
Company Reg 77165187
|
Tax NL860920306B01