I spent 6 hours finding the files modified by this trojan, which replaces the checkout process with its own content to steal credit card or PayPal accounts. So, to save you more hours of research, here are some tips to find it.
The attacker injects code into smarty_cacheresource.php. This code, which is obfuscated in a way only a Russian government can do, creates a fake Smarty class called smarty_internal_validation, which you will never be able to see because it is created on the fly and PHP is instructed to know how to use it.
Then, a subtle modification is added to the smarty_internal_data::assign() method. The following line is added before assigning a variable.
$tpl_var = Smarty_Internal_Validate::Validate($tpl_var);
It looks like it is part of the PrestaShop environment, but it is not. This call injects malicious JavaScript into $hook_header, which is responsible for replacing the original payment button with the fake one.
I found the same behavior recently in another shop, but the way they injected the code was much simpler: by decoding a file containing malicious JavaScript within a tpl.
Hope it helps you if you are in the same situation. For me it was a pain in the ass spending half a day searching for it.
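A way to automate the search described above, as an added example that is not part of the original post: it flags static calls to Smarty_Internal_* classes that no PHP file under the scanned directory declares (which is how a class created on the fly shows up), and lists run-time code-building calls for manual review. The sample tree, the Smarty_Internal_Log class and the list of suspicious functions are constructed assumptions, not details from the infected shop.

```python
import re, sys, tempfile
from pathlib import Path

# Static calls such as Smarty_Internal_Validate::Validate(...)
CALL_RE = re.compile(r'\b(Smarty_Internal_\w+)\s*::\s*\w+\s*\(', re.I)
# Class declarations such as "class Smarty_Internal_Data" or "abstract class Smarty_CacheResource"
DECL_RE = re.compile(r'^\s*(?:abstract\s+|final\s+)?class\s+(Smarty_\w+)', re.I | re.M)
# Heuristic (assumption): functions often used to build code at run time; legitimate code can match too
DYNAMIC_RE = re.compile(r'\b(eval|base64_decode|gzinflate|str_rot13|create_function)\s*\(', re.I)

# Constructed sample tree for the demo; Smarty_Internal_Log is a hypothetical legitimate class
SAMPLE = {
    "smarty_internal_data.php": "<?php\nclass Smarty_Internal_Data {\n public function assign($tpl_var) {\n"
        "  $tpl_var = Smarty_Internal_Validate::Validate($tpl_var);\n  Smarty_Internal_Log::note($tpl_var);\n }\n}\n",
    "smarty_internal_log.php": "<?php\nclass Smarty_Internal_Log { static function note($v) {} }\n",
    "smarty_cacheresource.php": "<?php\nabstract class Smarty_CacheResource {}\neval(base64_decode($blob));\n",
}

def scan(root):
    """Return (calls to undeclared classes, run-time code-building calls) for .php files under root."""
    sources = {p: p.read_text(errors="replace") for p in Path(root).rglob("*.php")}
    declared = {name.lower() for src in sources.values() for name in DECL_RE.findall(src)}
    undeclared, dynamic = [], []
    for path, src in sorted(sources.items()):
        for lineno, line in enumerate(src.splitlines(), 1):
            for cls in CALL_RE.findall(line):
                if cls.lower() not in declared:  # PHP class names are case-insensitive
                    undeclared.append((path.name, lineno, cls))
            for fn in DYNAMIC_RE.findall(line):
                dynamic.append((path.name, lineno, fn.lower()))
    return undeclared, dynamic

def scan_sample():
    """Write the constructed sample to a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLE.items():
            (Path(tmp) / name).write_text(body)
        return scan(tmp)

if __name__ == "__main__":
    calls, dyn = scan(sys.argv[1]) if len(sys.argv) > 1 else scan_sample()
    for name, lineno, cls in calls:
        print(f"{name}:{lineno}: call to undeclared class {cls}")
    for name, lineno, fn in dyn:
        print(f"{name}:{lineno}: run-time code construct {fn}()")
```

Run it with the path to the shop's Smarty directory as the only argument; with no argument it scans the constructed sample.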