Last Updated: 2015-10-22 00:12:48 UTC
by Brad Duncan (Version: 1)
Earlier this week, various blogs began reporting about compromised Magento-based e-commerce websites. These compromised sites kicked off infection chains for Neutrino exploit kit (EK). I've seen a few examples of this traffic leading to a Neutrino EK landing page, all dated last week.
Sucuri's blog has information concerning the compromised Magento servers , while the Malwarebytes blog shows traffic from a compromised Magento site leading to Neutrino EK . The Malwarebytes blog illustrates the flow of traffic for these Neutrino EK infection chains. The examples I've seen were similar, so let's review the traffic.
Chain of events
The example I can share doesn't have a full infection chain, but it shows the same traffic patterns as the Malwarebytes blog entry.
Shown above: Traffic from the Malwarebytes blog entry .
Last week's chain of events appears to be:
- Bad actors behind this campaign compromise a Magento website.
- Pages from compromised sites have injected script pointing to a URL at guruincsite.com.
- The URL to guruincsite.com returns an iframe pointing to a second malicious domain.
- Second malicious URL returns HTML redirecting to a third URL ending with neitrino.php.
- Neitrino.php from the third malicious domain returns an iframe to a Neutrino EK landing page.
I've represented the traffic in a flow chart:
Examining the traffic
Upon closer examination, last week's traffic followed specific URL patterns. The HTTP GET request to guruincsite.com returned an iframe containing a URL ending with /app/?d22H.
The HTTP GET request to the second URL ending with /app/?d22H returned HTML redirecting to another URL ending with neitrino.php (which I assume has a mistakenly spelled "neutrino").
The HTTP GET request to the third URL ending with neitrino.php returned an iframe pointing to a Neutrino EK landing page.
I can't provide any pcaps related to the recent wave of Magento site compromises, although I did find some Neutrino EK from a different actor on Wednesday 2015-10-21 .
The compromised websites that Magento has investigated were not up-to-date. They all needed a patch that was published earlier this year . I haven't seen anything yet that's led me to believe this was caused by a new or unpublished vulnerability. This is probably an issue where people haven't been keeping their software updated or otherwise following poor security practices.
Sites will get compromised if they aren't patched and their software kept up-to-date. Running a website on the Internet is like having a house in a bad neighborhood. People are always trying to break in.