Connect with us

Hi, what are you looking for?



Self-Healing Malware Hits Magento Stores

A newly discovered piece of malware targeting Magento stores has a self-healing routine to restore itself after deletion, security researchers have discovered.

A newly discovered piece of malware targeting Magento stores has a self-healing routine to restore itself after deletion, security researchers have discovered.

Self-healing malware isn’t new, with the first such threat reportedly spotted nearly three decades ago, as the memory-residing Trojan called Yankee Doodle, which could infect .com and .exe files. Discovered in September 1989, this piece of malware would play the tune “Yankee Doodle” every day at 17:00 if it was in memory.

Discovered by Jeroen Boersma, the recently spotted Magento-targeting malware is using a database trigger to restore itself in the event it has been deleted: every time a new order is made, injected SQL code searches the compromised Magento installation and, if it doesn’t find the malware, it re-adds it. The malware leverages SQL stored procedures for this operation.

According to Willem de Groot, who analyzed the threat, the malware’s infection point was a brute force attack on /rss/catalog/notifystock/ where the compromised shop was “otherwise completely patched.”

De Groot notes that the malware’s behavior renders previous cleaning routines useless, because removing the malicious code from the infected records will no longer ensure that the infection is gone. This would only work for regular Javascript-based malware, which normally gets injected in the static header or footer HTML definitions in the database.

The newly observed malware ensures that the self-healing trigger is executed every time a new order is made. “The query checks for the existence of the malware in the header, footer, copyright and every CMS block. If absent, it will re-add itself,” the security researcher explains.

According to de Groot, malware detection should now include database analysis as well, because file scanning is no longer efficient. “This discovery shows we have entered a new phase of malware evolution,” he notes.

Advertisement. Scroll to continue reading.

The security researcher, who says this is the first malware written in SQL he has encountered to date, explains that, while Magento Enterprise and some community extensions contain legitimate triggers, Magento store owners should be able to detect the malware by searching for suspicious SQL code, “such as anything containing admin, .js, script or < (html tags).”

The researcher, who updated his Malware Scanner to detect the new patterns, also provides instructions on how to remove the infection after discovering suspicious code in a Magento installation. Magereport was also updated with the new patterns, he said.

Related: Magento Malware Hides Stolen Card Data in Image Files

Related: Attackers Disguise Malware as Magento Patch

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...