Sansec Threat Research team stated that, “This innovative malware injects itself into a host Nginx application and is practically unnoticeable. The parasite, also known as’server-side Magecart,’ is used to steal data from eCommerce servers.”
E-commerce platforms in the United States, Germany and France have been targeted by a new type of malware that uses Nginx servers to hide its existence and avoid detection by security solutions.
According to the researchers analysis and posted on the internet ,”NginRAT essentially hijacks a host Nginx application in order to conceal its presence. NginRAT accomplishes this by modifying the core functionality of the Linux host system. NginRAT injects itself when the legitimate Nginx web server uses such functionality (for example, dlopen). As a result, a remote access trojan is embedded in the Nginx process. Numerous Nginx processes can be found on a typical eCommerce web server. And the rogue Nginx resembles the others.”
The remote access trojan is delivered through CronRAT, another piece of malware disclosed last week by the Dutch cybersecurity firm as hiding its malicious payloads in cron jobs scheduled to run on February 31st, a non-existent calendar day.
CronRAT and NginRAT are both designed to provide a remote way into compromised servers, and the goal of the intrusions is to make server-side changes to compromised e-commerce websites that allow the adversaries to exfiltrate data by skimming online payment forms.
NginRAT hides in a legitimate Nginx host process, and a /proc/PID/exe will point to Nginx. Another trick that complicates malware analysis is that the library code is only written in memory and cannot be examined after it is launched.
Finally the researchers concluded that “The most recent techniques include compromising vulnerable versions of e-commerce platforms, hosting skimmer scripts on CDNs and cloud services and hosting malicious skimmer scripts on newly registered domains (NRDs) lexically close to any legitimate web service or specific e-commerce store.”