E-commerce platforms in the United States, Germany and France have been attacked by a new form of malware that targets Nginx servers in an attempt to disguise its presence and evade detection by security solutions.
“This new code injects into an Nginx host application and is almost invisible,” the Sansec Threat Research team said in a new report. “The parasite is used to steal data from e-commerce servers, also known as ‘server-side magecart’.”
Free and open source software, Nginx is a web server that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. NginRAT, as the advanced malware is called, works by hijacking an Nginx host application to integrate into the web server process.
The Remote Access Trojan itself is delivered via CronRAT, another piece of malware that the Dutch cybersecurity company revealed last week as hiding its malicious payloads in cron jobs scheduled to run on February 31, a non-existent calendar day.
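A defender-side check for the scheduling trick described above, as an added example (not code from Sansec's report or from the malware): it parses crontab text and flags entries whose day-of-month and month fields can only ever name a non-existent date such as February 31. The crontab in `SAMPLE` and the function names are constructed for illustration.

```python
# Largest day number each month can ever have (February: 29, for leap years).
MAX_DAY = dict(zip(range(1, 13), (31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31)))
MONTHS = {name: i for i, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split(), start=1)}

def expand(field, lo, hi, names=None):
    """Expand one cron field ('*', lists, ranges, steps) into a set of ints."""
    names, values = names or {}, set()
    for part in field.lower().split(","):
        rng, _, step = part.partition("/")
        first, _, last = rng.partition("-")
        if rng == "*":
            start, end = lo, hi
        else:
            start = names.get(first) or int(first)
            end = (names.get(last) or int(last)) if last else (hi if step else start)
        values.update(v for v in range(start, end + 1, int(step or 1))
                      if lo <= v <= hi)
    return values

def has_impossible_date(line):
    """True if every day-of-month/month pair in the entry is a non-existent date."""
    # Day-of-week is not evaluated: a date like February 31 deserves review regardless.
    fields = line.split()
    if len(fields) < 6 or fields[0].startswith(("#", "@")):
        return False  # comment, @reboot-style shortcut, or too short to be a job
    try:
        days = expand(fields[2], 1, 31)
        months = expand(fields[3], 1, 12, MONTHS)
    except ValueError:
        return False  # not a schedule line (e.g. a variable assignment)
    return bool(days and months) and all(
        d > MAX_DAY[m] for d in days for m in months)

def scan(crontab_text):
    return [(n, text) for n, text in enumerate(crontab_text.splitlines(), 1)
            if has_impossible_date(text)]

# Constructed sample crontab (not from the report); commands are placeholders.
SAMPLE = """\
# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
30 1 29 2 * /usr/local/bin/leap-day-report.sh
52 23 31 2 * /bin/true
0 0 31 4,6,9,11 * /bin/true
15 4 30,31 feb-mar * /usr/local/bin/month-end.sh
"""
print(*scan(SAMPLE), sep="\n")
```

Run it against the output of `crontab -l` for each account and against the system crontab files; any hit is an entry that names only dates missing from the calendar and should be reviewed by hand.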
Both CronRAT and NginRAT are designed to provide a remote means of accessing compromised servers, and the goal of the intrusions is to make server-side changes to compromised e-commerce websites in a way that allows adversaries to exfiltrate data by skimming online payment forms.
“Skimmer groups are growing rapidly and targeting various e-commerce platforms using various ways to stay undetected,” Zscaler researchers noted in an analysis of Magecart’s latest trends released earlier this year.
“The latest techniques include compromising vulnerable versions of e-commerce platforms, hosting skimmer scripts on CDNs and cloud services, and using newly registered domains (NRDs) lexically close to any legitimate web service or specific e-commerce store to host malicious skimmer scripts.”