Attackers are increasingly turning their attention to online e-commerce platforms, where they have found fertile ground for exfiltrating payment card data that they later sell on hacking forums.

These attacks are collectively known as Magecart, and although they date back to 2016, researchers from US-based web security firm Sucuri discovered a new exfiltration technique while investigating a compromised online store running version 2 of the open-source Magento e-commerce platform. Attackers who gain access to an online store through a vulnerability or weakness install malicious code meant to steal customer card details at checkout.

Hiding data inside an image or audio file is a form of steganography. The technique is not common among skimming groups, partly because embedding text inside the compressed image data itself without corrupting the picture is hard. Appending data after the end of the file is a different matter: image decoders stop reading at the end-of-image marker and ignore anything that follows it, so the picture still renders. Steganography has nonetheless been seen elsewhere recently, with the ObliqueRAT malware reported to reach victims' endpoints through it.

Sucuri researchers reported that they encountered a Magento store whose attackers had altered a core file, Cc.php, responsible for handling credit card data. The code they added captures the payment card details users enter in the checkout form and writes them to the end of a local image file on the server.


What looked odd at first was that the attackers were able to store a large number of card records inside the image without affecting how it displayed, and in a high-resolution product image rather than the small, simple file steganography normally calls for. The explanation is that the records were not hidden in the pixel data at all: they were appended after the JPEG end-of-image marker (the bytes FF D9). Viewers and image libraries stop decoding at that marker and ignore whatever follows, so the appended data does not alter the picture regardless of its resolution, while the file quietly grows with every checkout.
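The check a practitioner would want here is a scan of the web root for image files that carry data after the point where a decoder stops reading. The script below is an added example, not code from Sucuri or Magento. It walks the JPEG marker structure to the EOI marker and the PNG chunk list to IEND, then reports any trailing bytes; walking the structure matters because an appended payload may itself contain FF D9, which would fool a simple search for the last marker. The sample files and the card record are constructed for the demo and are not real pictures or real data.

```python
"""Scan image files for data stored after the logical end of the picture."""
import struct
import tempfile
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def jpeg_end(data: bytes) -> int:
    """Offset just past the EOI marker (FF D9) of a JPEG.

    Segments are walked instead of searching for the last FF D9, because an
    appended payload may itself contain those two bytes.
    """
    if not data.startswith(b"\xff\xd8"):
        raise ValueError("not a JPEG")
    i, n = 2, len(data)
    while i < n:
        if data[i] != 0xFF:
            raise ValueError("marker expected at offset %d" % i)
        while i < n and data[i] == 0xFF:          # skip fill bytes
            i += 1
        if i >= n:
            break
        marker, i = data[i], i + 1
        if marker == 0xD9:                        # EOI: decoders stop here
            return i
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:
            continue                              # TEM / RSTn carry no length
        if i + 2 > n:
            break
        seglen = struct.unpack(">H", data[i:i + 2])[0]
        if seglen < 2:
            raise ValueError("bad segment length at offset %d" % i)
        i += seglen
        if marker == 0xDA:                        # SOS: entropy-coded data follows
            while i < n:
                if (data[i] == 0xFF and i + 1 < n and data[i + 1] != 0x00
                        and not 0xD0 <= data[i + 1] <= 0xD7):
                    break                         # a real marker, not stuffing/RST
                i += 1
    raise ValueError("truncated JPEG: no EOI marker")


def png_end(data: bytes) -> int:
    """Offset just past the IEND chunk of a PNG."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    i, n = len(PNG_SIG), len(data)
    while i + 8 <= n:
        length, ctype = struct.unpack(">I4s", data[i:i + 8])
        i += 8 + length + 4                       # header + data + CRC
        if ctype == b"IEND":
            return i
    raise ValueError("truncated PNG: no IEND chunk")


def trailing_data(data: bytes) -> bytes:
    """Bytes stored after the image proper; b'' for a clean file."""
    if data.startswith(b"\xff\xd8"):
        return data[jpeg_end(data):]
    if data.startswith(PNG_SIG):
        return data[png_end(data):]
    raise ValueError("unsupported image format")


def scan_tree(root: Path) -> dict:
    """Map each image under root that has trailing bytes to the size of the excess."""
    hits = {}
    for path in root.rglob("*"):
        if path.suffix.lower() not in {".jpg", ".jpeg", ".png"}:
            continue
        try:
            extra = trailing_data(path.read_bytes())
        except ValueError:
            continue                              # malformed file; out of scope here
        if extra:
            hits[str(path)] = len(extra)
    return hits


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload) & 0xFFFFFFFF))


# Constructed samples, not viewable pictures: a JPEG with the marker layout of a
# real file (DQT, SOS, scan data with a stuffed FF 00 and an RST0 marker, EOI)
# and a 1x1 PNG with IHDR and IEND chunks.
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xdb\x00\x04\x00\x00"                   # DQT, length 4
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"   # SOS, length 8
              + b"\x12\xff\x00\x34\xff\xd0\x56"                # scan data
              + b"\xff\xd9")                                   # EOI
CLEAN_PNG = (PNG_SIG
             + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0))
             + _png_chunk(b"IEND", b""))
# Constructed record shaped like the skimmer's dump; it deliberately contains
# FF D9 to show why searching for the last marker would miss it.
APPENDED_RECORD = b"Customer_=John+Doe&cc=4111111111111111\xff\xd9&exp=1225\n"


def demo_scan() -> dict:
    """Write clean and tainted copies into a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clean.jpg").write_bytes(CLEAN_JPEG)
        (root / "clean.png").write_bytes(CLEAN_PNG)
        (root / "product.jpg").write_bytes(CLEAN_JPEG + APPENDED_RECORD)
        (root / "logo.png").write_bytes(CLEAN_PNG + APPENDED_RECORD)
        return {Path(p).name: size for p, size in scan_tree(root).items()}


if __name__ == "__main__":
    print(demo_scan())
```

Run it against the store's media directory with `scan_tree(Path("/path/to/pub/media"))`; a product image with tens of kilobytes of trailing bytes is the artifact described above. Legitimate files occasionally carry a few bytes of padding after EOI, so treat size and growth over time as the signal rather than any trailing byte at all.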


"Nearly all of the information submitted by the victim on the checkout page is stored within the Customer_ parameter, including full names and addresses, payment card details, telephone numbers, and user agent details. This data is extremely valuable for the attacker. Not only can it be used for credit card fraud, but also spam or targeted phishing campaigns." (Luke Leal, Sucuri)

What is interesting about this attack is that the image was a picture of the products sold on the victim's website. Website owners would not have noticed anything had they come across the image and opened it to check that it still displayed. Had they inspected the site's logs for suspicious activity, they would have seen only another visitor downloading another product image, which for some stores happens many times an hour.
In this situation, all the attacker had to do was request the image like any other visitor, download it, and cut the card data from the end of the JPG file, without raising the website owner's suspicions.

Security checks and website monitoring services are strongly recommended, as they can detect changes such as modifications to core files or new files being added. In this case a hash baseline of the deployed code would have flagged the change to Cc.php, and a static product image that kept growing in size would have stood out as well.
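A minimal version of that monitoring, as an added example that is not Sucuri's or Magento's code: hash every file under the web root, store the manifest off the host, and on each run report files that were modified, added, removed, or that grew. The file locations and contents in the demo are placeholders and do not reflect Magento's real layout; the point is that both the edited Cc.php and the swelling image show up in one pass.

```python
"""Hash baseline of a web root to flag modified, added and growing files."""
import hashlib
import json
import tempfile
from pathlib import Path


def build_baseline(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 and size."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            data = path.read_bytes()
            baseline[path.relative_to(root).as_posix()] = {
                "sha256": hashlib.sha256(data).hexdigest(),
                "size": len(data),
            }
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify what changed between two baselines of the same tree."""
    modified = sorted(p for p in baseline if p in current
                      and current[p]["sha256"] != baseline[p]["sha256"])
    return {
        "modified": modified,
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
        # Static media that keeps growing is the tell for an appended dump.
        "grown": [p for p in modified if current[p]["size"] > baseline[p]["size"]],
    }


def save_baseline(baseline: dict, path: Path) -> None:
    """Persist the baseline; keep it off the web host so an intruder cannot edit it."""
    path.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path: Path) -> dict:
    return json.loads(path.read_text())


def demo() -> dict:
    """Replay the incident on a constructed tree and return the comparison."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "webroot"
        (root / "media").mkdir(parents=True)
        # Placeholder locations and contents, not Magento's real layout.
        cc = root / "Cc.php"
        img = root / "media" / "product.jpg"
        cc.write_text("<?php\n// legitimate card handling code\n")
        img.write_bytes(b"\xff\xd8<image bytes stand-in>\xff\xd9")
        before = build_baseline(root)
        save_baseline(before, Path(tmp) / "baseline.json")   # stored outside webroot

        # Simulated compromise: a hook in Cc.php, card records appended to the
        # image on every checkout, and a new file dropped into the tree.
        cc.write_text(cc.read_text() + "// skimmer hook added here\n")
        img.write_bytes(img.read_bytes() + b"Customer_=...constructed record\n")
        (root / "media" / "backdoor.php").write_text("<?php // new file\n")

        return compare(load_baseline(Path(tmp) / "baseline.json"), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In production, take the baseline from a clean deployment artifact rather than from the live server, run the comparison from a separate host on a schedule, and alert on any change under the code directories; media directories change legitimately, so there the useful signal is an existing image whose hash and size change without a corresponding catalog update.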
