Full Report
Cybersecurity researchers are warning of a new stealthy credit card skimmer campaign that targets WordPress e-commerce checkout pages by inserting malicious JavaScript code into a database table associated with the content management system (CMS). "This credit card skimmer malware targeting WordPress websites silently injects malicious JavaScript into database entries to steal sensitive payment
Analysis Summary
# Tool/Technique: Stealthy WordPress Credit Card Skimmer (Database Injection)
## Overview
A stealthy credit card skimmer campaign targeting WordPress e-commerce checkout pages. The malware achieves persistence and evades file-based detection by injecting malicious JavaScript directly into a WordPress database table (the `wp_options` table, under the `widget_block` option). The script activates only on checkout pages, where it either renders a fake payment form or captures data typed into the legitimate payment fields.
## Technical Details
- Type: Malware (Specifically, a Web Skimmer/Magecart variant)
- Platform: WordPress (PHP/JavaScript environment)
- Capabilities: Injecting malicious scripts via the database, dynamically creating fake payment forms, real-time data capture from legitimate forms, multi-layer encryption/obfuscation, exfiltration to C2 server.
- First Seen: Recent campaign identified by Sucuri researchers.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access** (Relevant if the attacker gains initial access to inject the script)
- **TA0003 - Persistence**
  - T1573.003 - Continue on System: Bypassing Application Allowlisting (By hiding the script in a database option)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Sending data via HTTP/HTTPS requests)
## Functionality
### Core Capabilities
- **Persistence via Database:** Injects malicious JavaScript into the `wp_options` table under the `widget_block` option, hiding it from file scanners.
- **Targeted Activation:** The script checks if the current page is a checkout page before executing.
- **Data Harvesting:** Captures sensitive payment details (Credit Card Number, Expiration Date, CVV, Billing Information).
### Advanced Features
- **Form Hijacking/Injection:** Either dynamically creates a bogus payment screen mimicking Stripe or captures data entered in real-time on legitimate payment fields.
- **Data Obfuscation:** Captured data passes through three layers of obfuscation before exfiltration:
  1. Encoded as JSON.
  2. XOR-encrypted with the key "script".
  3. Base64-encoded.
- **Compatibility:** Designed to work with various payment processors on the checkout page.
## Indicators of Compromise
- File Hashes: None reported; the payload resides in the database rather than on disk.
- File Names: N/A (The malicious code resides in the database).
- Registry Keys: N/A (Web context).
- Network Indicators:
  - C2 Server 1: `valhafather[.]xyz`
  - C2 Server 2: `fqbe23[.]xyz`
## Associated Threat Actors
- Unattributed financial threat actors utilizing Magecart-like TTPs against WordPress.
## Detection Methods
- Signature-based file scanning: Largely ineffective, since the payload is stored in the database rather than in files and the exfiltrated data is obfuscated.
- Behavioral detection: Monitor checkout pages for JavaScript that originates from block-widget content in `wp_options` rather than from theme or plugin files.
- YARA rules: No campaign-specific rules are provided; rules matching the XOR key ("script") or the JSON/XOR/Base64 encoding routine may be applicable.
## Mitigation Strategies
- **Database Integrity Checks:** Regularly audit the `wp_options` table, specifically looking for unusually long or encoded values stored against the `widget_block` option.
- **Web Application Firewall (WAF):** Implement WAF rules that inspect outgoing traffic from the web server for suspicious outbound connections to the identified C2 domains.
- **Principle of Least Privilege:** Restrict database access credentials.
- **Minimize Widgets:** Review and limit the use of complex HTML or block widgets that could serve as injection vectors.
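As an added defender-side example (not code from the report or from Sucuri), the Python helpers below exercise two points made above: reversing the JSON -> XOR("script") -> Base64 layering on a captured exfiltration string during incident review, and flagging `widget_block` values in `wp_options` that warrant a manual look. The XOR key, option name and layering come from the report; the sample widget values and the exfil payload are constructed placeholders, and the audit heuristics are assumptions, not published signatures.

```python
import base64
import json
import re

XOR_KEY = b"script"  # XOR key reported for this campaign

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; symmetric, so it both applies and removes the layer."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_exfil_payload(blob: str) -> dict:
    """Peel the three reported layers off a captured exfil string:
    Base64 -> XOR("script") -> JSON. Intended for reviewing proxy/WAF captures."""
    return json.loads(xor_bytes(base64.b64decode(blob), XOR_KEY).decode("utf-8"))

def constructed_exfil_sample() -> str:
    """Constructed (hypothetical) capture: dummy card data run through the
    layers in forward order, so the decoder can be exercised offline."""
    dummy = {"card": "4242424242424242", "exp": "12/27", "cvc": "123"}
    return base64.b64encode(xor_bytes(json.dumps(dummy).encode(), XOR_KEY)).decode()

# Traits that make a block-widget value worth a manual look (assumed heuristics, not signatures)
SUSPICIOUS = [
    (r"<script\b", "inline <script> in a block widget"),
    (r"checkout", "checks for the checkout page"),
    (r"\batob\(|fromCharCode", "JS decoding primitives"),
    (r"\b(card|cvv|cvc|expir)", "references to payment fields"),
]

def audit_widget_block(option_value: str, max_len: int = 4000) -> list:
    """Return the reasons a wp_options widget_block value deserves review.
    WordPress stores this option PHP-serialized; scan the raw option_value."""
    reasons = [why for pat, why in SUSPICIOUS if re.search(pat, option_value, re.I)]
    if len(option_value) > max_len:
        reasons.append("unusually long option value")
    return reasons

# Constructed sample values (hypothetical), not content from the campaign
BENIGN_WIDGET = "<!-- wp:paragraph --><p>Free shipping over $50</p><!-- /wp:paragraph -->"
INJECTED_WIDGET = ('<!-- wp:html --><script>if(/checkout/i.test(location.pathname))'
                   '{var s=atob("");/* placeholder body */}</script><!-- /wp:html -->')

if __name__ == "__main__":
    print("benign  :", audit_widget_block(BENIGN_WIDGET))
    print("injected:", audit_widget_block(INJECTED_WIDGET))
    print("decoded :", decode_exfil_payload(constructed_exfil_sample()))
```

To run this against a live site, feed it the `option_value` returned by `SELECT option_value FROM wp_options WHERE option_name = 'widget_block'` and any Base64 strings seen in outbound requests to the listed C2 domains.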
## Related Tools/Techniques
- **Magento Skimmer Campaign:** A similar campaign highlighted against Magento checkout pages that used JSON, XOR encryption, and Base64 encoding before exfiltration to `staticfonts[.]com`. (Indicates shared tooling/TTPs across e-commerce platforms).