{
	"id": "a31c0c61-b96f-4567-bc8a-e4f25df5d9c7",
	"created_at": "2026-04-06T00:21:28.126401Z",
	"updated_at": "2026-04-10T03:24:11.721387Z",
	"deleted_at": null,
	"sha1_hash": "531c19e274be634c24a91885b2de098576169425",
	"title": "Water Pamola Attacked Online Shops Via Malicious Orders",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 644720,
	"plain_text": "Water Pamola Attacked Online Shops Via Malicious Orders\r\nBy By: Joseph C Chen Apr 28, 2021 Read time: 7 min (1791 words)\r\nPublished: 2021-04-28 · Archived: 2026-04-05 14:55:53 UTC\r\nSince 2019, we have been tracking a threat campaign we dubbed as “Water Pamola.” The campaign initially\r\ncompromised e-commerce online shops in Japan, Australia, and European countries via spam emails with\r\nmalicious attachments.\r\nSince 2019, we have been tracking a threat campaign we dubbed as “Water Pamola.” The campaign initially\r\ncompromised e-commerce online shops in Japan, Australia, and European countries via spam emails with\r\nmalicious attachmentsopen on a new tab.\r\nHowever, since early 2020, we’ve noticed some changes to Water Pamola’s activity. Victims are now mainly\r\nlocated only in Japan. Recent telemetry data indicates that the attacks are not being launched via spam anymore.\r\nInstead, malicious scripts are being executed when the administrators look into customer orders in their online\r\nshop’s administration panel.  \r\nFigure 1. The Water Pamola attack chain\r\nAfter further searching, we noticed that an online store administrator asked about a strange online orderopen on a\r\nnew tab that contains JavaScript code inserted into the field where the customer’s address or company name\r\nwould normally be located. This script is likely activated by exploiting a cross-site scriptingopen on a new tab\r\n(XSS) vulnerability in the said store’s administration portal.\r\nhttps://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html\r\nPage 1 of 9\n\nFigure 2. The question asked on a forum showing the payload related to Water Pamola.\r\nThe above is a screenshot of the text in a forumopen on a new tab, which is translated by Google Translate as\r\nProblem, there is an order that seems to be a mischievous order. 
The following characters are included in the address and company name.\r\nThe script connects to Water Pamola’s server and downloads additional payloads. Taken together, this led us to believe that Water Pamola places orders with this embedded XSS script across many targeted online shops. If the shops are vulnerable to this XSS attack, the payloads will be loaded when the victim (i.e., an administrator at the targeted merchant) opens the order within their management panel.\r\nWe have collected many attack scripts they delivered to different targets. The malicious behavior performed by the scripts includes page grabbing, credential phishing, web shell infection, and malware delivery.\r\nThis campaign appears to be financially motivated. In at least one instance, a site that Water Pamola attacked later disclosed that it had suffered a data breach. Its server was illegally accessed, and personal information, which included names, credit card numbers, card expiration dates, and credit card security codes, was potentially leaked. This breach might be associated with Water Pamola, and it hints that the campaign’s overall goal is to steal credit card data (similar to Magecart campaigns).\r\nAnalysis of the XSS attack\r\nAs previously mentioned, Water Pamola sent online shopping orders appended with a malicious XSS script to attack e-commerce administrators.\r\nIt’s worth mentioning that they are not targeting a specific e-commerce framework, but e-commerce systems in general. If the store’s e-commerce system is vulnerable to XSS attacks, the malicious script will be loaded and executed on the merchant’s management panel once someone (like a system administrator or store employee) opens the said order.\r\nThese scripts were managed with an XSS attack framework called “XSS.ME,” which helps attackers deal with their attack scripts and the stolen information. 
The source code of this framework is shared across many Chinese public forums. The basic attack script provided by the framework could report the victim’s location and browser cookies. We observed that the scripts used during the attacks were customized. The attackers delivered a variety of different XSS scripts, which could include one or more of the following behaviors:\r\nPage Grabber\r\nThe script sends an HTTP GET request to a specified URL and forwards the received response to Water Pamola’s server. This is usually used during an early stage of the attack to grab content from the victim’s management page. Doing so allows the threat actor to understand the environment and design attack scripts appropriate to it.\r\nFigure 3. The script for grabbing page content and sending it back to the attacker\r\nCredential Phishing\r\nSome of the delivered scripts revealed that the campaign was trying to obtain administrator credentials for e-commerce websites using two different approaches. The first involves appending a fake login form to the page. The script hooks the mouse click event. If the victim enters credentials in the fake form and clicks anywhere on the page, the script will take the credentials, encode them using base64, replace some characters with custom substrings, and then upload them to Water Pamola’s server.\r\nFigure 4. The script to create and delete a fake login form for credential phishing\r\nThe other approach involves showing an authorization error message and then redirecting the user to a phishing website that asks users to enter their credentials. 
The subdomains of their phishing sites were configured to match the names of the targets’ domains, such as “{victim’s domain}[.]basic-authentication[.]live”.\r\nFigure 5. The script replaces the page content with an authorization error message and redirects users to the phishing website\r\nWebshell/PHP backdoor injection\r\nSome of the delivered malicious scripts attempt to install backdoors on websites built with the EC-CUBE framework, which is popular in Japan. The attack we found only works on Series 2 of EC-CUBE; the current version is Series 4, with Series 2 now under extended support.\r\nThere are three different approaches used to upload the backdoor. The first method is uploading a PHP web shell file by calling the native API provided by the framework. The name of the web shell file is hardcoded to be either “ec_ver.php,” “log3.php,” or “temp.php.” The web shell can execute any PHP code sent by an HTTP POST request to the web shell.\r\nNote the screenshot in Figure 6: The same web shell with the same “only_pcd” keyword is mentioned in this Chinese blog post. The blog post describes a web shell with two components — a PHP script and an HTML uploading file — however, the second one is not needed, as the proper POST request can be created with any custom or third-party tool (e.g., Fiddler).\r\nFigure 6. The script for uploading the PHP web shell to an e-commerce website\r\nThe second method is modifying the page header to inject PHP code, which will then execute any PHP code sent by the parameter “ec_ver2update” in the HTTP request. Note that the PHP code below is obfuscated. 
First, the $IDFX variable uses an XOR operation (see the ^ character) to decode the string “create_function”; then the resulting base64 string is decoded to @eval($_REQUEST['ec_ver2update']); which is the backdoor’s code.\r\nFigure 7. The script for modifying the shop page header to inject a web shell\r\nThe third method is installing a malicious plugin embedded in a file named “MakePlugin.tar.gz” into the e-commerce framework. The plugin has been designed to drop multiple PHP web shell files on the server.\r\nFigure 8. The script for uploading and installing the malicious plugin, “MakePlugin.tar.gz”\r\nFigure 9. The malicious plugin installs several files with web shells\r\nMalware Delivery\r\nIn this case, the attack script will show an alert prompt with a message that reads “Your Flash version is too low, please install the latest version and try again!” and then redirects the victim to a fake Flash installer download website they control. (Note that Flash has been declared end-of-life by Adobe since December 31, 2020.)\r\nIf the victim downloads and executes the installer from this page, the victim will be infected with a variant of Gh0st RAT malware, previously also named Gh0stCringe or CineregRAT. This RAT’s code is based on leaked Gh0st RAT source code; however, its traffic encryption is customized and it adds some new features, like QQ number theft. The Gh0st RAT samples related to this campaign are obfuscated executable files, which decrypt the main payload in memory and execute its main export function named “Shellex.”\r\nFigure 10. The script showing the error message and redirect to the fake Flash installer\r\nFigure 11. 
The fake Flash installer download website\r\nAnalysis of the fake Flash installer\r\nAs described earlier, the XSS attack script redirects the victim to a fake Flash download site. Clicking on the “Install now” button downloads a .ZIP archive, which contains several legitimate files as well as a few malicious ones, usually in the form of DLL libraries. These libraries will be sideloaded when the legitimate executable is executed.\r\nFigure 12. The package of the downloaded Flash installer\r\nIn this example, AdobeAirFlashInstaller.exe (legitimate file) sideloads xerces-c_2_1_0.dll (patched legitimate file), which then sideloads ulibs.dll (malicious file). Ulibs.dll loads Adob.dll, which is a ZIP archive. After extracting the content of the Adob.dll zip archive, two legitimate and signed executable files are present and executed, and a similar sideloading process happens once more.\r\nFigure 13. The package inside Adob.dll\r\nHere, svchost.exe (a renamed legitimate and signed Launcher.exe file from Tencent) sideloads Utility.dll (patched legitimate file). This patched file contains one new section called .newimp (new import), which adds a new import item with a reference to the oplib.dll library. This oplib.dll library is then sideloaded.\r\nFigure 14. Oplib.dll side-loading\r\nThis new import was very likely added manually by using a utility called Stud_PE. This utility has a feature called “Import Adder,” and “.newimp” is the default name of a newly added section containing newly added imports.\r\nOplib.dll then loads a lib.DAT file from the windowsfiles directory, decodes and decrypts its contents (from a hexadecimal string; XOR 0x42), and loads it into the newly created svchost.exe process. In addition, persistence via registry keys and Scheduled Tasks is configured.\r\nFigure 15. 
XOR routine and svchost injection\r\nAt the end, the last payload of this infection chain is a variant of Gh0st RAT. Communication with C\u0026C uses sockets and is encrypted with simple SUB 0x46, XOR 0x19 encryption.\r\nFigure 16. XOR routine that encrypts C\u0026C communication\r\nFigure 17. A packetFlag “xy” was found inside this Gh0st RAT variant\r\nThis Gh0st RAT variant implements additional features for stealing QQ messenger user information, for example, a list of users on a given machine and their QQ messenger numbers.\r\nThe code below obtains the QQ numbers that are currently logged on to the machine, as mentioned here.\r\nFigure 18. The code used to obtain user QQ numbers\r\nProtecting e-commerce platforms from Water Pamola’s attacks\r\nWater Pamola attacked online merchants with an XSS script appended to online shopping orders. They also perpetrated social engineering attacks to phish credentials or prompt the download of a remote access tool. Online shop administrators should be aware that potential attacks may come not only from spam but also from different — and unexpected — infection vectors. We also recommend that administrators keep the versions of any e-commerce platforms used by their websites up to date to prevent potential vulnerabilities, including XSS attacks.\r\nOrganizations can benefit from having Trend Micro™ endpoint solutions such as Trend Micro Smart Protection Suites and Worry-Free™ Business Security. These can protect users and businesses from threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. 
\r\nIndicators of compromise can be found in this appendix.\r\nSource: https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html"
	],
	"report_names": [
		"water-pamola-attacked-online-shops-via-malicious-orders.html"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434888,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/531c19e274be634c24a91885b2de098576169425.pdf",
		"text": "https://archive.orkl.eu/531c19e274be634c24a91885b2de098576169425.txt",
		"img": "https://archive.orkl.eu/531c19e274be634c24a91885b2de098576169425.jpg"
	}
}