Warning: fake Magento patch 9789 contains virus


[Image: virus mail]

Update May 21st: a similar phishing mail circulates about a fake patch SUPEE-1798.

Update Apr 22nd: added reference to Neutrino Bot and POS systems

This week a mail was sent out to announce the new Magento patch SUPEE-9789. It is fake and it contains malware. There is no patch 9789. The message (full headers below) mimics an official Magento announcement. It has two malicious payloads:

  1. An attached Word document with a macro, identified as a virus
  2. A request to run webpos.exe, which was identified as a new variety of the notorious Neutrino Bot (VirusTotal, Malwr).

This specific malware is known to target POS systems, a.k.a. cash registers. Among other things, it will harvest payment data and passwords, and enslave the cash register into a botnet that can be used for DDoS attacks.

Curiously, the malware is hosted on a server of MageStore, a legitimate vendor of POS systems. It appears that MageStore runs a vulnerable version of ProFTPd which allows anyone to upload files to their server. Unfortunately, MageStore couldn’t be reached, and the malware is still on their server as of April 22nd.

Please get in touch if you have received this message as we are trying to establish the scope of intended targets. So far, I’ve received reports from extension vendors and hosting providers.

Thanks to Andrew Howden for additional research.

Full headers:

Return-path: <info@magestore.com>
Envelope-to: REDACTED
Received: from mail.hal-pc.org ([66.187.70.28])
	by REDACTED with esmtp (Exim 4.84_2)
	(envelope-from <info@magestore.com>)
	id 1d1OyU-0001Zw-Go
	for REDACTED; Fri, 21 Apr 2017 05:11:12 +0200
Received: from mail.hal-pc.org (localhost [127.0.0.1])
	by mail.hal-pc.org (Postfix) with ESMTP id 66AD33E8AA7E
	for <REDACTED>; Thu, 20 Apr 2017 22:11:09 -0500 (CDT)
Received: from 144.217.200.38 (unknown [5.189.203.59])
	(Authenticated sender: jstan@hal-pc.org)
	by mail.hal-pc.org (Postfix) with ESMTPA id BA8DF3E8AA7D
	for <REDACTED>; Thu, 20 Apr 2017 22:11:03 -0500 (CDT)
Message-ID: <5BA1E85F5783AD1EC2C78E3226331470@magestore.com>
From: "info@magento.com" <info@magestore.com>
To: REDACTED
Subject: Critical updates for Magento 1.x and Magento 2.x versions - SUPEE-9789
Date: Thu, 20 Apr 2017 20:11:01 -0700
Organization: Magento.com
MIME-Version: 1.0