Context
On August 9, 2023, Akamai researchers reported a campaign they dubbed “Xurum,” which leverages the “patched critical security flaw (CVE-2022-24086, CVSS score: 9.8) in Adobe Commerce and Magento Open Source that, if successfully exploited, could lead to arbitrary code execution.”
Technical Details
Key takeaways from the Akamai report include:
- “We have observed activity in this campaign since at least January 2023. The attacker seems to be interested in payment stats from the orders in the victim’s Magento store placed in the past 10 days.
- The attacker registers a new Magento component and masks it as “GoogleShoppingAds.”
- The attacker uses an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component.
- The web shell login page masquerades as an error page containing a hidden login form that attempts to glean victim credentials.
- The attacker creates a backdoor admin user in Magento, named “mageplaza” or “mageworx,” as another deception trick, as those are the names of popular Magento extension stores.
- The attacker uses the older Dirty COW exploit (CVE-2016-5195) to attempt privilege escalation within Linux.
- Evidence indicates Russian origins for this threat.
- Some of the websites involved in this campaign were observed to be infected with simple JavaScript-based skimmers with no attempt to obfuscate or hide their existence.”
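As an added detection example (not code from the Akamai report or from this page), the script below turns the behaviours listed above into checks a defender can run over web-server logs and a Magento admin-user list. It assumes a hypothetical access-log format that also records the Cookie header, and that the reported component file is reachable under the web root; the sample log lines are constructed.

```python
import re

# Indicators from the Akamai "Xurum" report summarised above, kept in the
# page's defanged form and refanged only in memory.
ATTACKING_IPS_DEFANGED = ["104[.]36[.]229[.]168", "95[.]216[.]95[.]178",
                          "95[.]216[.]94[.]99", "65[.]21[.]85[.]21"]
BACKDOOR_ADMIN_USERS = {"mageplaza", "mageworx"}
WEBSHELL_COOKIE = "magemojo000"
# Assumption: the backdoor component under vendor/ is reachable over HTTP,
# so only the tail of the reported file path is matched.
BACKDOOR_COMPONENT_SUFFIX = "google-shopping-ads/registration.php"


def refang(indicator):
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 back into 1.2.3.4."""
    return indicator.replace("[.]", ".")


ATTACKING_IPS = {refang(ip) for ip in ATTACKING_IPS_DEFANGED}

# Assumed (hypothetical) log layout: combined format plus a trailing quoted
# Cookie header; the stock combined format does not log cookies at all.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)


def check_line(line):
    """Return the Xurum indicators matched by one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparseable line: report nothing rather than guess
    hits = []
    if m["ip"] in ATTACKING_IPS:
        hits.append("attacking-ip")
    if WEBSHELL_COOKIE in m["cookie"]:
        hits.append("wso-ng-cookie")
    if m["path"].split("?", 1)[0].endswith(BACKDOOR_COMPONENT_SUFFIX):
        hits.append("backdoor-component")
    return hits


def check_admin_users(usernames):
    """Return Magento admin usernames matching the report's backdoor accounts."""
    return [u for u in usernames if u.lower() in BACKDOOR_ADMIN_USERS]


# Constructed sample lines (not real traffic), exercising each rule.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Aug/2023:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "PHPSESSID=abc"',
    '104.36.229.168 - - [10/Aug/2023:10:00:02 +0000] "POST /vendor/magento/google-shopping-ads/registration.php HTTP/1.1" 200 88 "-" "curl/8.0" "magemojo000=1"',
    '198.51.100.9 - - [10/Aug/2023:10:00:03 +0000] "GET /checkout/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "magemojo000=x; PHPSESSID=def"',
]
```

Feed real log lines to `check_line` and the output of a `SELECT username FROM admin_user` query to `check_admin_users`; a hit on the cookie or component rule warrants a host investigation, not just an IP block.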
IOCs
| Indicator | Type |
|---|---|
| 104[.]36[.]229[.]168 | Attacking IP |
| 95[.]216[.]95[.]178 | Attacking IP |
| 95[.]216[.]94[.]99 | Attacking IP |
| 65[.]21[.]85[.]21 | Attacking IP |
| xurum[.]com | Malware hosting domain |
| /var/www/html/vendor/magento/google-shopping-ads/registration[.]php | File name |
| mageworx | Magento user |
| mageplaza | Magento user |
| developer@mageplazza[.]com | Email address |
| support@magaworx[.]com | Email address |