CyberManipal.

Tech news from MIST

New Payment Data Stealing Malware Hides in Nginx Process on Linux Servers

Vulnerabilities
@KhushiJain

Khushi Jain

December 4, 2021

A new form of malware that targets Nginx servers has been attacking e-commerce platforms in the U.S., Germany, and France while attempting to mask its presence and slip past detection by security solutions. Nginx is free and open-source web server software that can also be used as a reverse proxy, load balancer, mail proxy, and HTTP cache. The malware, NginRAT, works by hijacking a host Nginx application to embed itself into the web server process and is nearly invisible.

This remote access trojan is delivered via CronRAT, another piece of malware that a Dutch cybersecurity firm disclosed last week, which hides its malicious payloads in cron jobs scheduled to execute on February 31st, a non-existent calendar day.

Both CronRAT and NginRAT are designed to provide a remote way into the compromised servers. The goal of the intrusions is to make server-side modifications to the compromised e-commerce websites that enable the adversaries to exfiltrate data by skimming online payment forms. These e-commerce attacks, collectively known as Magecart or web skimming, are the work of a cybercrime syndicate comprised of dozens of subgroups.
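One way to hunt for the cron scheduling trick described above, as an added example that is not from the original article or from the firm that disclosed the malware: the script flags crontab entries whose day-of-month and month fields name a date that never occurs. It goes slightly beyond the February 31st case by catching other impossible dates (such as April 31st), and the crontab lines and function names are constructed for illustration.

```python
# Added example: flag crontab entries scheduled on dates that cannot occur.
MAX_DAY = {1: 31, 2: 29, 3: 31, 4: 30, 5: 31, 6: 30,
           7: 31, 8: 31, 9: 30, 10: 31, 11: 30, 12: 31}  # Feb 29 exists in leap years
MONTHS = {name: i + 1 for i, name in enumerate(
    "jan feb mar apr may jun jul aug sep oct nov dec".split())}

def expand(field, lo, hi, names=None):
    """Expand a cron field ('*', lists, ranges, steps) into a set of ints."""
    names = names or {}
    conv = lambda v: names[v] if v in names else int(v)
    values = set()
    for part in field.lower().split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        else:
            a, _, b = rng.partition("-")
            start = conv(a)
            end = conv(b) if b else (hi if step else start)
        values.update(range(start, end + 1, int(step or 1)))
    return values

def impossible_date(line):
    """True if the day-of-month/month fields match no real calendar date."""
    fields = line.split()
    if len(fields) < 6 or fields[0].startswith(("#", "@")):
        return False  # comment, variable assignment, or @reboot-style entry
    try:
        days = expand(fields[2], 1, 31)
        months = expand(fields[3], 1, 12, MONTHS)
    except ValueError:
        return False  # unparseable line: leave for manual review
    # Day-of-week (fields[4]) is ignored on purpose: an impossible date merits review anyway.
    return not any(1 <= d <= MAX_DAY.get(m, 0) for m in months for d in days)

def scan(text):
    """Return (line_number, line) for every suspicious entry in crontab text."""
    return [(n, l) for n, l in enumerate(text.splitlines(), 1) if impossible_date(l)]

# Constructed sample crontab, not taken from any real incident.
SAMPLE = """# constructed sample crontab entries
MAILTO=root
15 3 * * 0 /usr/local/bin/backup.sh
0 0 31 2 * /bin/true
0 0 30,31 feb * /usr/bin/report
0 4 31 4,6 * /opt/cleanup
0 0 29 2 * /usr/bin/leap-job
"""

if __name__ == "__main__":
    for n, l in scan(SAMPLE):
        print(f"line {n}: {l}")
```

To review a live host, pass the output of `crontab -l` for each user, plus the contents of `/etc/crontab` and `/etc/cron.d/`, to `scan()`.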

Abridged from The Hacker News
