Persistent Magento backdoor hidden in XML
released on 2024-04-10 @ 05:50:17 PM
Attackers are using a new technique to keep malware persistent on Magento servers. Sansec discovered a carefully crafted layout template stored in the database, which re-injects the malware automatically. The attackers chain the Magento layout parser with the beberlei/assert package to execute system commands, and use this to add a backdoor to the CMS controller. The result is a remote code execution backdoor, which in the observed case was used to inject a fake Stripe payment skimmer.
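Because the persistence lives in database-stored layout XML rather than on disk, a file-integrity scan will not catch it. The following is an added example of the kind of check a practitioner would run; it is not Sansec's tooling and not Magento code. It assumes the stored layout fragments have been exported from the Magento 2 `layout_update` table (and the `layout_update_xml` columns of `cms_page` / `cms_block`), wraps each fragment so its `xsi:` prefixes resolve, and flags any attribute or text that references the beberlei/assert `Assert\` namespace or a PHP command-execution primitive. The indicator lists and both sample fragments are constructed for illustration; the "suspicious" sample only has the shape the scanner looks for and is not the payload from the incident.

```python
"""Heuristic scanner for Magento layout XML stored in the database.

Added example, not Sansec's or Magento's code. Assumes layout fragments have
been exported from the database (e.g. layout_update.xml) as strings.
"""
import re
import xml.etree.ElementTree as ET
from typing import Iterator, List, Tuple

XSI = "http://www.w3.org/2001/XMLSchema-instance"

# Indicators (assumption: heuristics chosen from the technique described above,
# not a signature for the exact payload found in the incident).
ASSERT_NAMESPACE = re.compile(r"(?<![A-Za-z0-9_\\])Assert\\")
SHELL_FUNCS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|base64_decode)\b",
    re.IGNORECASE,
)

Finding = Tuple[str, str, str]  # (element path, attribute name or "text", reason)


def _wrap(fragment: str) -> str:
    """Stored layout updates are fragments; wrap them so xsi: prefixes resolve."""
    return f'<root xmlns:xsi="{XSI}">{fragment}</root>'


def _walk(root: ET.Element) -> Iterator[Tuple[str, ET.Element]]:
    """Yield (path, element) for every element, depth first, namespaces stripped."""
    stack = [(root.tag, root)]
    while stack:
        path, elem = stack.pop()
        yield path, elem
        for child in reversed(list(elem)):
            stack.append((f"{path}/{child.tag.split('}')[-1]}", child))


def _check(findings: List[Finding], path: str, where: str, value: str) -> None:
    """Append a finding for each indicator matched in one attribute/text value."""
    if ASSERT_NAMESPACE.search(value):
        findings.append((path, where, "references beberlei/assert namespace"))
    m = SHELL_FUNCS.search(value)
    if m:
        findings.append((path, where, f"command/eval primitive '{m.group(1)}'"))


def scan_layout_xml(fragment: str) -> List[Finding]:
    """Return indicator hits for one stored layout fragment (empty list = clean)."""
    findings: List[Finding] = []
    try:
        root = ET.fromstring(_wrap(fragment))
    except ET.ParseError as err:
        # A layout row that does not even parse deserves a manual look.
        return [("root", "xml", f"parse error: {err}")]
    for path, elem in _walk(root):
        for name, value in elem.attrib.items():
            _check(findings, path, name.split("}")[-1], value)
        if elem.text and elem.text.strip():
            _check(findings, path, "text", elem.text.strip())
    return findings


# Constructed sample: an ordinary CMS block reference, expected to be clean.
BENIGN = r"""
<referenceContainer name="content">
  <block class="Magento\Cms\Block\Block" name="promo">
    <arguments>
      <argument name="block_id" xsi:type="string">promo_banner</argument>
    </arguments>
  </block>
</referenceContainer>
"""

# Constructed sample with the shape the scanner targets: a helper argument that
# points at the assert package and a parameter carrying a shell primitive.
# This is an illustration only, NOT the payload from the incident.
SUSPICIOUS = r"""
<referenceContainer name="content">
  <block class="Magento\Framework\View\Element\Template" name="x">
    <arguments>
      <argument name="cb" xsi:type="helper" helper="Assert\Assertion::string">
        <param name="value">system('id')</param>
      </argument>
    </arguments>
  </block>
</referenceContainer>
"""

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        for path, where, reason in scan_layout_xml(sample):
            print(f"[{label}] {path} {where}: {reason}")
```

In practice you would feed the scanner every row of `layout_update` plus the `layout_update_xml` and `custom_layout_update_xml` columns of `cms_page` and `cms_block`, and treat any hit on a production store as an incident rather than a false positive to tune away: legitimate layout XML has no reason to reference an assertion library or `system`.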