Attackers used a swap file on a Magento e-commerce website to keep a credit card skimmer script persistently in place and steal customers' card information.
The skimmer was obfuscated with base64-encoded variables and hex-encoded strings, lived in the checkout page source code, and monitored for credit card information; its persistence mechanism allowed it to survive multiple clean-up attempts.
The injected script hooks the compromised checkout page’s button: when the button is clicked, the script uses querySelectorAll to capture form data such as name, address, and card number.
The stolen card details are exfiltrated to a malicious domain whose name resembles a legitimate brand, likely registered to evade detection. The case reflects the growing use of Magecart-style attacks that target checkout processes to steal sensitive customer information.
Investigators traced the malicious checkout page script back to a modified Magento app/bootstrap.php file. Decoding the modified file revealed the same malicious script along with a curl function used to exfiltrate the stolen data.
Using an ob_filter_callback function, the attackers injected the skimmer script into checkout pages, defined as URLs that contain the word “checkout” and are accessed through GET requests.
The team attempted to remove the malware by replacing the compromised bootstrap.php file. Even though the file appeared clean when viewed directly on the server over SSH, malware detection tools still flagged it as infected.
Further investigation by Sucuri revealed that the malware was hooking into file session data and persisting in memory. Restarting Apache and the PHP services, and even rebooting the server, could not clear the infection.
The infected script contained a reference to a hidden “swapme” file. No file by that name existed, but a swap file, the temporary backup an editor creates while a file is being edited, named “bootstrap.php-swapme” was found to contain the malicious code.
This hidden swap file allowed the malware to persist even after the original script was cleaned and evaded standard detection methods; removing the swap file and clearing caches finally eliminated the infection.
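A defender-side check for the two mechanisms described above, the editor-style swap copy of bootstrap.php and the output-buffer callback that injects into checkout responses, written here as an added example and not code from Sucuri or the Magento project; the filename patterns, content markers and the sample file tree are constructed assumptions, not the incident's real artifacts.

```python
import os
import re
import tempfile

# Editor swap/backup copies of PHP files; "-swapme" is the suffix from this incident.
SWAP_NAME_RE = re.compile(r"(^\..*\.php\.sw[a-p]$)|(\.php(?:-swapme|~|\.bak|\.orig)$)")
# Markers of the injection technique above: an ob_start callback rewriting output,
# a REQUEST_URI check for "checkout", a decoded payload, and outbound curl.
MARKERS = {
    "ob_start_callback": re.compile(r"ob_start\s*\(\s*[^)\s]"),
    "request_uri_checkout": re.compile(r"REQUEST_URI.{0,120}checkout", re.I | re.S),
    "base64_decode": re.compile(r"base64_decode\s*\("),
    "curl": re.compile(r"curl_(?:init|setopt|exec)\s*\("),
}

def injection_markers(text):
    """Names of markers present, but only when an ob_start callback is combined
    with at least two others (a bare ob_start() is normal PHP)."""
    hits = [name for name, rx in MARKERS.items() if rx.search(text)]
    return hits if "ob_start_callback" in hits and len(hits) >= 3 else []

def scan_tree(root):
    # Walk the web root and return sorted (relative_path, reason) findings.
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            is_swap = bool(SWAP_NAME_RE.search(name))
            if is_swap:
                findings.append((rel, "swap/backup copy of a PHP file"))
            if is_swap or name.endswith(".php"):
                with open(path, errors="replace") as fh:  # swap files may be binary
                    hits = injection_markers(fh.read())
                if hits:
                    findings.append((rel, "injection markers: " + ", ".join(hits)))
    return sorted(findings)

def build_sample_site():
    """Constructed tree: a clean app/bootstrap.php beside a mock malicious swap copy."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "app")
    os.makedirs(app)
    with open(os.path.join(app, "bootstrap.php"), "w") as fh:
        fh.write("<?php\nrequire __DIR__ . '/autoload.php';\n")
    with open(os.path.join(app, "bootstrap.php-swapme"), "w") as fh:
        fh.write("<?php\nob_start('cb');\nfunction cb($b) {\n  if (stripos($_SERVER['REQUEST_URI'],"
                 " 'checkout') !== false) {\n    $b .= base64_decode('PHNjcmlwdD4=');"
                 " curl_exec(curl_init()); }\n  return $b; }\n")
    return root
```

Running scan_tree(build_sample_site()) reports the swap copy twice, once for its name and once for its contents, while the clean bootstrap.php produces no finding.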
The attacker’s use of a swap file underlines the need for security measures beyond basic scans: having gained access through SSH or a terminal session, the attacker edited a file and left behind a swap file that surface-level scans would not identify.
This incident highlights the importance of layered defenses that look beyond readily visible data to uncover hidden modifications.