Cybersecurity Insights | Blog | Foregenix

Magento Injected Table Malware

Written by Kieran Murphy | 4/15/15 3:50 PM

Foregenix have recently identified malware that is specifically aimed at the Magento eCommerce platform. The malicious code which is obfuscated on several layers, once inserted in to a php file, creates a table within the MySQL database which then encrypts payment card details and stores them within the newly created table.

The malware contains coding which allows the attacker to access the table within the database and recover the encrypted payment card data.

Detection

You can detect the malicious code by looking for the following within your website’s directory:

The file containing the code was called Mage.php and was located within the web root under /app/ (Note that this is a legitimate file. Presence of this file alone doesn't indicate you've been compromised, only if it's been modified), and the table name in this case was ‘catalog_product_index_price_tmp_idx’. The naming convention of the table is similar in nature to those already in existence.

Again, this is Magento specific although other instances may not be identical to this.

Alternatively, our Vngo Alert solution would also detect this malicious file for Magento or malicious files in other platforms. You can sign up for a free trial to detect the malware here.

We are still finding out the details of this malicious code, and will add more information in the coming weeks.