Dozens of online stores were hacked by a new Magecart group, and the list of victim websites was inadvertently leaked. The threat actors have access to the websites and used an unnamed Remote Access Trojan (RAT) to maintain persistence in their victims' networks.

According to researchers at Sansec, a company focused on protecting e-commerce companies, the threat actors made a mistake in their dropper's code and stored a list of all their victims within it. Sansec analyzed a copy of the RAT dropper and found the list of 41 websites. The researchers believe the malware author made this mistake because they have little experience with PHP code.

The RAT had a few interesting features, including evasion techniques designed to camouflage it as a DNS or SSH server daemon so that it does not stand out in the server's process list. The malware also stays in sleep mode except for once a day, when it becomes active to connect to the Command and Control (C2) server and ask for commands.
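The camouflage described above works because a process list shows only the name a process reports, not what binary is actually running. The following script is an added example (not Sansec's code, and not derived from the RAT itself) of a defender-side check that compares each process's reported name with the executable path behind it and flags daemon look-alikes that run from a web root, a temp directory, a deleted file, or a scripting-language interpreter. The expected daemon paths and the sample process records are assumptions constructed for illustration; adjust the paths to match the host's packages.

```python
"""
Heuristic check for processes masquerading as common daemons (sshd, named,
dnsmasq, systemd-resolved). Added illustrative example, not part of the
Sansec research; paths and sample data are constructed assumptions.
"""
import os
from dataclasses import dataclass
from typing import Dict, List

# Where a genuine daemon of each name is normally launched from.
# Assumption: typical Debian/RHEL layouts; extend for the local distribution.
EXPECTED_PATHS = {
    "sshd": ("/usr/sbin/sshd",),
    "named": ("/usr/sbin/named",),
    "dnsmasq": ("/usr/sbin/dnsmasq",),
    "systemd-resolve": ("/lib/systemd/systemd-resolved",
                        "/usr/lib/systemd/systemd-resolved"),
}

# Directories a legitimate system daemon has no business running from.
WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
WEB_ROOT_MARKERS = ("/www/", "/html/", "/htdocs/")
INTERPRETERS = ("php", "python", "perl", "node", "ruby")


@dataclass
class ProcInfo:
    pid: int
    comm: str      # name shown in ps / top (contents of /proc/<pid>/comm)
    exe: str       # resolved target of /proc/<pid>/exe
    cmdline: str   # argv as one string


def suspicious_reasons(p: ProcInfo) -> List[str]:
    """Return the reasons a daemon-named process looks like a masquerade."""
    expected = EXPECTED_PATHS.get(p.comm)
    if expected is None:
        return []  # not a name we have expectations for
    reasons = []
    real_path = p.exe.replace(" (deleted)", "")
    if real_path not in expected:
        reasons.append(f"exe {p.exe!r} is not an expected path for {p.comm!r}")
    if p.exe.endswith(" (deleted)"):
        reasons.append("backing executable has been deleted from disk")
    if real_path.startswith(WRITABLE_PREFIXES) or any(
            m in real_path for m in WEB_ROOT_MARKERS):
        reasons.append("executable lives in a temp or web-root directory")
    if os.path.basename(real_path).startswith(INTERPRETERS):
        reasons.append("daemon name is backed by a scripting interpreter")
    return reasons


def find_masqueraders(procs: List[ProcInfo]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that trips at least one check."""
    return {p.pid: r for p in procs if (r := suspicious_reasons(p))}


def scan_proc(proc_root: str = "/proc") -> List[ProcInfo]:
    """Collect live process records from procfs (Linux only, needs root
    to read /proc/<pid>/exe of other users' processes)."""
    procs = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"{proc_root}/{pid}/comm") as fh:
                comm = fh.read().strip()
            exe = os.readlink(f"{proc_root}/{pid}/exe")
            with open(f"{proc_root}/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace")
        except OSError:
            continue  # process exited or permission denied
        procs.append(ProcInfo(pid, comm, exe, cmdline))
    return procs


# Constructed sample records standing in for a scan of a compromised shop.
SAMPLE_PROCS = [
    ProcInfo(812, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd -D"),
    ProcInfo(6230, "nginx", "/usr/sbin/nginx", "nginx: master process"),
    ProcInfo(4471, "sshd", "/var/www/html/media/.cache/sshd", "./sshd"),
    ProcInfo(5102, "named", "/usr/bin/php7.4", "php -r ..."),
    ProcInfo(7001, "sshd", "/tmp/.x/sshd (deleted)", "sshd"),
]

if __name__ == "__main__":
    for pid, reasons in find_masqueraders(SAMPLE_PROCS).items():
        print(pid, "->", "; ".join(reasons))
    # On a live Linux host: find_masqueraders(scan_proc())
```

Run over the constructed sample, the genuine sshd and the nginx worker pass, while the three look-alikes are reported with the specific reason each tripped. The check is deliberately name-driven: it says nothing about a process that picks an unlisted name, so pair it with file-integrity monitoring on the web root and with outbound-connection logging to catch the once-a-day C2 beacon the article describes.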