Warning: fake Magento patch 9789 contains virus
Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798.
Update Apr 22nd: added reference to Neutrino Bot and POS systems
This week a mail was sent out to announce the new Magento patch SUPEE-9789. It is fake and it contains malware. There is no patch 9789. The message (full headers below) mimics an official Magento accouncement. It has two malicious payloads:
- An attached Word document with macro, identified as virus
- A request to run webpos.exe, which was identified as a new variety of the notorious Neutrino Bot (VirusTotal, Malwr).
Fake #Magento patch contains malware:
Neutrino Bot aka #Kasidet, blog by @gwillem:https://t.co/o32MSYlLPx
IOCs: https://t.co/UyxSJJPEgz— Bart (@bartblaze) April 21, 2017
This specific malware is known to target POS systems, a.k.a. cash registers. Among other things, it will harvest payment data and passwords, and enslave the cash register into a botnet that can be used for DDoS attacks.
Curiously, the malware is hosted on a server of MageStore, a legitimate vendor of POS systems. It appears that MageStore runs a vulnerable version of ProFTPd which allows anyone to upload files to their server. Unfortunately, MageStore couldn’t be reached, and the malware is still on their server as of April 22nd.
Please get in touch if you have received this message as we are trying to establish the scope of intended targets. So far, I’ve received reports from extension vendors and hosting providers.
Thanks to Andrew Howden for additional research.
Return-path: <email@example.com> Envelope-to: REDACTED Received: from mail.hal-pc.org ([184.108.40.206]) by REDACTED with esmtp (Exim 4.84_2) (envelope-from <firstname.lastname@example.org>) id 1d1OyU-0001Zw-Go for REDACTED; Fri, 21 Apr 2017 05:11:12 +0200 Received: from mail.hal-pc.org (localhost [127.0.0.1]) by mail.hal-pc.org (Postfix) with ESMTP id 66AD33E8AA7E for <REDACTED>; Thu, 20 Apr 2017 22:11:09 -0500 (CDT) Received: from 220.127.116.11 (unknown [18.104.22.168]) (Authenticated sender: email@example.com) by mail.hal-pc.org (Postfix) with ESMTPA id BA8DF3E8AA7D for <REDACTED>; Thu, 20 Apr 2017 22:11:03 -0500 (CDT) Message-ID: <5BA1E85F5783AD1EC2C78E3226331470@magestore.com> From: "firstname.lastname@example.org" <email@example.com> To: REDACTED Subject: Critical updates for Magento 1.x and Magento 2.x versions - SUPEE-9789 Date: Thu, 20 Apr 2017 20:11:01 -0700 Organization: Magento.com MIME-Version: 1.0