{
	"id": "b1c75656-81b8-4984-aef2-233dd916279d",
	"created_at": "2026-04-06T00:18:58.595696Z",
	"updated_at": "2026-04-10T13:11:56.893486Z",
	"deleted_at": null,
	"sha1_hash": "22f73a673b94190f29938f6ee82dbbb5afd3d95f",
	"title": "Magecart Swiper Uses Unorthodox Concatenation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1409282,
	"plain_text": "Magecart Swiper Uses Unorthodox Concatenation\r\nBy Ben Martin\r\nPublished: 2021-07-07 · Archived: 2026-04-05 16:52:31 UTC\r\nMageCart is the name given to the roughly one dozen groups of cyber criminals targeting e-commerce websites\r\nwith the goal of stealing credit card numbers and selling them on the black market. They remain an ever-growing\r\nthreat to website owners. We’ve said many times on this blog that the attackers are constantly using new\r\ntechniques to evade detection. In this post I will go over a case involving one such MageCart group.\r\nA Hacked Magento Website\r\nSome time ago a client of ours came to us with a heavily infected Magento e-commerce website from where credit\r\ncard details were being stolen. Our initial actions removed a tremendous amount of malware, including six\r\ndifferent types of Magento credit card swipers. The client was stuck in an old version of Magento unable to\r\nupgrade for a couple reasons that we will get into later.\r\nTheir version of Magento was nearly 7 years old and missing a plethora of security patches. Sadly this is all too\r\ncommon in the Magento-sphere as it’s common for business owners to pay a small fortune for a custom coded\r\nwebsite and then not have sufficient funds to hire the developer back once their site becomes out-of-date and\r\nvulnerable. In fact, it can cost anywhere from $5,000 to $50,000 to migrate a Magento 1 website (which had its\r\nend of life in 2020) to the more-secure Magento 2. For a lot of website owners this is just not feasible. What’s\r\nworse is that Adobe (the owner of the Magento open-source CMS, likely in their effort to force website owners to\r\nupgrade) actually took the security patches for Magento 1 offline. 
They are still available on Github but not from\r\nan official source.\r\nAdding Credit Card Details to Image Files\r\nOne tactic that some Magecart actors employ is the dumping of swiped credit card details into image files on the\r\nserver to avoid raising suspicion. These can later be downloaded using a simple GET request. For\r\nexample:\r\nwget hxxps://www.compromised-website[.]com/path/to/cc/dump/arrow.gif\r\nWe have documented how credit card credentials are saved in image files in the past on this blog.\r\nImage Files with base64 Encoded Data\r\nBack to the infection: After our initial sweep for malware we noticed that there were two image files on the server\r\nthat continued to be populated with chunks of base64 encoded data. When decoded to plain text they were clearly\r\nhttps://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html\r\nPage 1 of 8\n\ncredit card and cvv numbers, billing addresses, expiration dates and a lot more. There was something more to be\r\nfound here.\r\nThe first thing I did was to query the website files for the name of one of the images:\r\n“arrow.gif”\r\nThat was a pretty basic attempt and I’m not surprised that didn’t come up with anything. The attackers stopped\r\nleaving their target files in plain text in their payloads a long time ago but I had to try just in case!\r\nI also tried querying the server for recently modified files but as you can imagine there was a lot of content to go\r\nthrough even after excising the obvious extension updates (especially considering that this was a very large\r\nMagento environment).\r\nCore File Integrity Check\r\nOne of our most useful methods in finding new, previously undetected malware strains is a core file integrity\r\ncheck. It compares the hashes of the core CMS files on the server to known good copies. 
If there\r\nis a mismatch (code or files added, modified or removed) then it’s worth checking out to see precisely why there is\r\na mismatch. In this case, there was still a tremendous number of files to go through.\r\nFortunately I was pretty sure that this was a PHP injection (rather than JavaScript) based on how this malware was\r\nbehaving so I knew to start looking there. Typically with JavaScript malware you are able to see it loading in the\r\nbrowser or it would show up in an external scan but that was not the case here.\r\nWith Magecart malware the files infected need to be involved in the checkout process somehow in order to work.\r\nThe attackers can’t just infect any random file; it has to handle payment information somehow. For this reason we\r\ntend to see the same files get infected over and over again. One such file is the following:\r\n./app/code/core/Mage/Admin/Model/Session.php\r\nI noticed that this file came up in the core integrity check as having been changed from the original. Sure enough,\r\nthere was our culprit:\r\nSome very ugly but cleverly written PHP code using multiple types of obfuscation\r\nLet’s take apart this malware, shall we?\r\nAnother Analysis of a Credit Card Swiper\r\nThe first thing that we are going to want to do is see what we can get out of this big ole’ chunk of code at the top\r\nhere:\r\nThis is likely where the meat and potatoes of our malware is. First things first: this looks like a base64 encoded\r\nstring, so let’s try to decode it and see what we get:\r\nComplete rubbish\r\nWell, that’s not very useful is it? Another popular method of encoding data alongside base64 is gzinflate. 
Once we\r\nadded that function to the decoding process and echoed out the results in a safe, sandbox environment we got the\r\nfollowing:\r\nOK, now we’re getting somewhere!\r\nThis at least gives us something that uses normal letters and numbers that could be typed on a keyboard if you felt\r\nso inclined. One distinct thing I notice about this is that it starts with two equals signs. In base64 encoding these\r\nequals signs are padding and always occur at the end of the sample, not the beginning. So let’s go ahead and reverse the string and\r\nthen run that through a base64 decoder again:\r\nBingo! There’s our arrow.gif at the bottom.\r\nHowever, that tells only part of the story. What about this part of the infection?\r\nThis is the part of the code from which the title of this article was derived. The attackers are using what’s called\r\n“concatenation” here, which is a very common obfuscation technique. Normally it looks\r\nsomething like this:\r\n\u003c?php echo \"\".\"h\".\"e\".\"\".\"\".\"llo\".\"w\".\"o\".\"\".\"\".\"r\".\"l\".\"d\".\"\";\r\nThe server would interpret that as simply “helloworld”.\r\nHiding Malware with Comment Chunks\r\nWe already know to look for this type of obfuscation and the attackers know this. In this case they have added\r\nsome additional comment chunks (the grey areas in the above image). That part of the code does not functionally\r\ndo anything but it adds a layer of obfuscation making it somewhat more difficult to detect. So when we would do\r\nour normal check for concatenated code and search for something like:\r\n\".\"\".\"\".\"\r\nIt would return nothing.\r\nLet’s use a simple regular expression to remove those useless comment chunks and see what we get. 
We are going\r\nto use the following regex for that:\r\n'\\/\\*\\w+\\*\\/.'\r\nThe result is as follows:\r\nStill encoded, but no longer concatenated. We can see that it is further using an eval(base64_decode()) combination to\r\nfurther obfuscate what it is doing, but this is the part of the code where the randomly named variables are stored.\r\nNext Steps on the Magecart Swiper Journey\r\nThis solved only half of our puzzle as there was still another image file present on the server that was getting\r\nbase64 encoded credit card details dumped into it. There must be something else to find!\r\nBorrowing an old technique I used back in 2019 to find a series of backdoors (fifteen variations on one website to\r\nbe precise) I decided to query the file system for some “micropatterns” that might yield some more results. If this\r\nSession.php file used this type of concatenation, maybe the attackers were using the same patterns in another file?\r\nThe winning query was as follows:\r\n*/.'_'/*\r\nThis is a weird series of special characters unlikely to be present in a normal file. It also avoids relying on the\r\nrandomly generated junk populating the concatenated commented-out chunks and instead focuses on the\r\nconcatenation itself. Sure enough, here it was:\r\n./app/code/core/Mage/Bundle/Model/Observer.php\r\nThat’s the tea!\r\nThere we have it! 
This file has the same patterns and the same encoding types, just slightly different content, and this\r\ntime it writes to the following bogus CSS file:\r\n./skin/install/default/default/css/default.css\r\nThe advantage of this type of infection for the attackers is that the stolen credit card details can still be obtained\r\nwith a simple GET request by downloading the bogus file even after they have been locked out of the server due\r\nto a simple password change or something similar.\r\nIn Conclusion\r\nMageCart is an ever growing threat to e-commerce websites. From the perspective of the attackers: the rewards\r\nare too large and consequences non-existent, why wouldn’t they? Literal fortunes are made stealing and selling\r\nstolen credit cards on the black market. In fact, fascinatingly, the black market functions much like the legitimate\r\nmarket: software developers sell exploit kits to those who want to profit off of compromising websites. Telephone,\r\nchat and email support is provided to those customers aiming to exploit vulnerable websites for a profit. Once the\r\nstolen credit card details are exfiltrated they are sold on the black market to illicit consumers for a profit.\r\nAs more and more commerce is conducted online we can only expect the attacks on websites to escalate and more\r\nplayers to enter the already-crowded field of MageCart. The fact that it’s not uncommon for us to see an infected\r\nwebsite with multiple different credit card swipers present on it seems to suggest that vulnerable websites are\r\nbeing targeted by multiple different groups all at the same time.\r\nThe company RiskIQ in their outstanding report on Magecart shows a great sort of taxonomy of those engaged in\r\nthese credit card theft cases. At the time of writing it there were roughly 7 distinct groups engaging in swiping\r\ncredit card details from unsuspecting websites. 
Although attribution in the website security world is always\r\nchallenging (or impossible) the example above looks to be the distinct work of Group number 7. Since that report\r\nwas issued quite a few more groups have entered the game, including one (possibly Canadian?) recently\r\ndocumented making for what is currently a crowded threat landscape.\r\nOne point to note is that it’s not only groups that carry out these kinds of attacks, there are also individuals on this\r\nlandscape which makes the actual number of actors in this landscape quite high and impossible to predict.\r\nHow do I protect my website?\r\nThis boils down to some core principles that we have been stating on this blog for a very long time:\r\n1. Keep your website up to date and install all software updates as soon as you can\r\n2. Use long, complex passwords\r\n3. Use secure workstations to administer your website\r\n4. Use a secure hosting environment\r\n5. Lock down your administration panel with additional safeguards\r\n6. Put your website behind a firewall to prevent attacks\r\nWebsites are very complicated things and can become compromised in many different ways. We have always\r\nrecommended defence in depth. Expect the worst but hope for the best! Every hard drive can fail, every database\r\ncan crash, every security rule in place can be breached or broken. 
The goal should be to have as many security\r\nrules in place as possible; if one fails, others can still succeed and it doesn’t come down to a single point of failure.\r\nThis doesn’t make for a convenient website administration experience but it’s better than suffering the\r\nconsequences of a compromise!\r\nStay tuned for more website security content!\r\nSource: https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html"
	],
	"report_names": [
		"magecart-swiper-uses-unorthodox-concatenation.html"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434738,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/22f73a673b94190f29938f6ee82dbbb5afd3d95f.pdf",
		"text": "https://archive.orkl.eu/22f73a673b94190f29938f6ee82dbbb5afd3d95f.txt",
		"img": "https://archive.orkl.eu/22f73a673b94190f29938f6ee82dbbb5afd3d95f.jpg"
	}
}