New payment data theft malware lurks in the Nginx process on Linux servers

Ecommerce platforms in the United States, Germany and France have been attacked by a new form of malware that targets Nginx servers in an attempt to disguise its presence and evade detection by security solutions .

“This new code injects into an Nginx host application and is almost invisible,” the Sansec Threat Research team said in a new report. “The parasite is used to steal data from e-commerce servers, also known as ‘server-side magecart’.”

Free and open source software, Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. NginRAT, as the advanced malware is called, works by hijacking an Nginx host application to integrate into the web server process.

GitHub automatic backups

The Remote Access Trojan itself is delivered via CronRAT, another piece of malware that the Dutch cybersecurity company revealed last week as hiding its malicious payloads in cron jobs scheduled to run on February 31. , a non-existent calendar day.

Both CronRAT and NginRAT are designed to provide a remote means of accessing compromised servers, and the goal of intrusions is to make server-side changes to compromised e-commerce websites in a way that allows adversaries to exfiltrate them. data by skimming the online payment. shapes.

The attacks, collectively known as Magecart or web skimming, are the work of a cybercrime syndicate made up of dozens of subgroups involved in digital credit card theft by exploiting software vulnerabilities to access source code. from an online portal and insert malicious JavaScript code that siphons the data that buyers enter on checkout pages.

Prevent data breaches

“Skimmer groups are growing rapidly and targeting various e-commerce platforms using various ways to stay undetected,” Zscaler researchers noted in an analysis of Magecart’s latest trends released earlier this year.

“The latest techniques include compromising vulnerable versions of e-commerce platforms, hosting skimmer scripts on CDNs and cloud services, and using newly registered domains (NRDs) lexically close to any web service. legitimate or specific e-commerce store to host malicious skimmer scripts. “