
SANS Internet Storm Center, InfoCON: green: Compromised Magento sites led to Neutrino exploit kit, (Thu, Oct 22nd)


Introduction

Earlier this week, various blogs began reporting about compromised Magento-based e-commerce websites. These compromised sites kicked off infection chains for Neutrino exploit kit (EK). I've seen a few examples of this traffic leading to a Neutrino EK landing page, all dated last week.

Sucuri's blog has information concerning the compromised Magento servers [1], while the Malwarebytes blog shows traffic from a compromised Magento site leading to Neutrino EK [2]. The Malwarebytes blog illustrates the flow of traffic for these Neutrino EK infection chains. The examples I've seen were similar, so let's review the traffic.

Chain of events

The example I can share doesn't have a full infection chain, but it shows the same traffic patterns as the Malwarebytes blog entry.

Shown above: Other traffic I found, from Friday 2015-10-16.

Last week's chain of events appears to be:

  • Bad actors behind this campaign compromise a Magento website.
  • Pages from compromised sites have injected script pointing to a URL at guruincsite.com.
  • The URL to guruincsite.com returns an iframe pointing to a second malicious domain.
  • Second malicious URL returns HTML redirecting to a third URL ending with neitrino.php.
  • Neitrino.php from the third malicious domain returns an iframe to a Neutrino EK landing page.

Shown above: Flow chart for last week

Shown above: Traffic I found on Friday 2015-10-16, this time with IP addresses.

Upon closer examination, last week's traffic followed specific URL patterns.

Shown above: HTTP GET request to guruincsite.com.

The HTTP GET request to the second URL ending with /app/?d22H returned HTML redirecting to another URL ending with neitrino.php (which I assume has a mistakenly spelled neutrino

Shown above: HTTP GET request to the third URL.
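The chain of events listed earlier and the URL patterns just described are the same sequence seen from two angles, so one added example serves both. The Python below is not part of the original diary: it reconstructs per-client request chains from proxy-log lines by walking Referer links backwards from each request for a URL ending in neitrino.php, and reports a hit only when the chain passes through guruincsite.com, then a URL ending in /app/?d22H, then neitrino.php, in that order. The log format, the client addresses and every hostname other than guruincsite.com are constructed placeholders, and treating d22H as the start of the query string (rather than its entire value) is an assumption.

```python
"""Reconstruct HTTP request chains from proxy logs and flag those that
follow the guruincsite.com -> /app/?d22H -> neitrino.php pattern.

Added example: the log format, client addresses and every host other
than guruincsite.com are constructed placeholders for this demo.
"""
import re
from urllib.parse import urlsplit

# Constructed log: "<timestamp> <client> <method> <url> <referer-or-dash>"
SAMPLE_LOG = """\
2015-10-16T10:00:01Z 10.0.0.5 GET http://example-shop.invalid/ -
2015-10-16T10:00:01Z 10.0.0.5 GET http://guruincsite.com/ http://example-shop.invalid/
2015-10-16T10:00:02Z 10.0.0.5 GET http://second-stage.invalid/app/?d22H http://guruincsite.com/
2015-10-16T10:00:02Z 10.0.0.5 GET http://third-stage.invalid/neitrino.php http://second-stage.invalid/app/?d22H
2015-10-16T10:00:03Z 10.0.0.5 GET http://landing.invalid/abc http://third-stage.invalid/neitrino.php
2015-10-16T10:05:00Z 10.0.0.9 GET http://example-shop.invalid/ -
2015-10-16T10:05:00Z 10.0.0.9 GET http://cdn.invalid/app/?d22H http://example-shop.invalid/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")


def stage_of(url):
    """Map a URL to the stage (1, 2 or 3) it matches, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == "guruincsite.com" or host.endswith(".guruincsite.com"):
        return 1  # target of the script injected into compromised pages
    # The diary quotes the second URL as "ending with /app/?d22H"; assuming
    # the query string begins with d22H rather than being exactly that value.
    if parts.path.endswith("/app/") and parts.query.startswith("d22H"):
        return 2
    if parts.path.endswith("/neitrino.php"):
        return 3  # returns the iframe to the EK landing page
    return None


def parse_log(text):
    """Parse the constructed log format into a list of request dicts."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the run
        ts, client, method, url, referer = m.groups()
        records.append({
            "ts": ts, "client": client, "method": method,
            "url": url, "referer": None if referer == "-" else referer,
        })
    return records


def find_chains(records):
    """Walk Referer links backwards from each neitrino.php request.

    Returns one hit per chain whose stage sequence is exactly 1 -> 2 -> 3;
    the first URL in the chain is the (likely compromised) referring site.
    """
    by_client = {}
    for r in records:
        by_client.setdefault(r["client"], []).append(r)

    hits = []
    for client, reqs in by_client.items():
        by_url = {r["url"]: r for r in reqs}
        for r in reqs:
            if stage_of(r["url"]) != 3:
                continue
            chain, cur, seen_urls = [r["url"]], r, {r["url"]}
            while cur["referer"] in by_url and cur["referer"] not in seen_urls:
                cur = by_url[cur["referer"]]
                chain.insert(0, cur["url"])
                seen_urls.add(cur["url"])  # guard against referer loops
            stages = [s for s in map(stage_of, chain) if s is not None]
            if stages == [1, 2, 3]:
                hits.append({"client": client, "chain": chain,
                             "referring_site": chain[0]})
    return hits


if __name__ == "__main__":
    for hit in find_chains(parse_log(SAMPLE_LOG)):
        print(hit["client"], "->", " > ".join(hit["chain"]))
```

Because the second stage redirects with HTML rather than a 302, a browser may not send a Referer on every hop; in that case the chain breaks, so a production version would also fall back to grouping requests by client within a short time window. The second client in the sample log, which reaches an /app/?d22H URL without the guruincsite.com hop, is deliberately not reported, so the rule alerts on the full sequence rather than on any one indicator.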

Final words

I can't provide any pcaps related to the recent wave of Magento site compromises, although I did find some Neutrino EK from a different actor on Wednesday 2015-10-21 [3].

The compromised websites that Magento has investigated were not up-to-date. They all needed a patch that was published earlier this year [4]. I haven't seen anything yet that's led me to believe this was caused by a new or unpublished vulnerability. This is probably an issue where people haven't been keeping their software updated or otherwise following poor security practices.

Sites will get compromised if they aren't patched and their software kept up-to-date. Running a website on the Internet is like having a house in a bad neighborhood. People are always trying to break in.

---
Brad Duncan
Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://blog.sucuri.net/2015/10/massive-magento-guruincsite-infection.html
[2] https://blog.malwarebytes.org/exploits-2/2015/10/new-neutrino-ek-campaign-drops-andromeda/
[3] http://malware-traffic-analysis.net/2015/10/21/index.html
[4] https://magento.com/security/news/important-security-update

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
