Threat actors have been observed using swap files on compromised websites to hide persistent credit card skimmers and collect payment information.
According to Sucuri, the clever technique, which Sucuri spotted on the checkout pages of Magento e-commerce sites, allowed the malware to survive multiple cleanup attempts.
The skimmer is designed to capture all data from credit card forms on the website and exfiltrate the details to an attacker-controlled domain called “amazon-analytic(.)com,” which was registered in February 2024.
“Note the use of brand names; this tactic of leveraging popular products or services in domain names is often used by bad actors to evade detection,” said security researcher Matt Morrow.
This is just one of many defense evasion methods used by threat actors, which include using a swap file (“bootstrap.php-swapme”) to load malicious code while leaving the original file (“bootstrap.php”) intact and malware-free.
“When you edit a file directly over SSH, the server creates a temporary ‘swap’ version in case your editor crashes, preventing you from losing your entire content,” Morrow explained.
“It became clear that attackers were using swap files to persist malware on servers and evade normal detection methods.”
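To show what a defender can look for, the following added example (not Sucuri's tooling and not from the original article) walks a web root and flags editor swap-file artifacts sitting next to PHP sources, checks whether a swap file's content diverges from the file it shadows, and searches file contents for the indicator domain named above. The naming patterns it matches (vim-style `.name.swp`/`.swo` and the `name-swapme` suffix from the report) and the sample Magento-like directory it builds are assumptions constructed for the demonstration.

```python
"""Scan a web root for editor swap-file persistence artifacts.

Constructed example. Heuristics:
  * swap-like files next to PHP sources (".name.swp"/".swo", "name-swapme")
  * a swap file whose content differs from the original it shadows
  * any file that references the indicator domain from the report
"""
import os
import re
import tempfile
from pathlib import Path

# Indicator domain from the report (written defanged in the article text).
INDICATOR_DOMAINS = ("amazon-analytic.com",)

# Assumed swap-file naming conventions: vim's ".<name>.swp"/".swo" and the
# "<name>-swapme" suffix described in the report.
SWAP_PATTERNS = (
    re.compile(r"^\.(?P<base>.+)\.sw[op]$"),
    re.compile(r"^(?P<base>.+)-swapme$"),
)


def swap_base_name(filename: str):
    """Return the source file a swap-like name shadows, or None if not swap-like."""
    for pat in SWAP_PATTERNS:
        m = pat.match(filename)
        if m:
            return m.group("base")
    return None


def scan_webroot(root: str) -> dict:
    """Walk `root`; return swap-file findings and indicator-domain hits."""
    findings = {"swap_files": [], "ioc_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        present = set(files)
        for name in files:
            path = Path(dirpath, name)
            rel = path.relative_to(root).as_posix()
            base = swap_base_name(name)
            if base is not None:
                entry = {"swap": rel, "shadows": base,
                         "original_present": base in present}
                # A swap file carrying code the original lacks is the
                # persistence pattern described in the report.
                if base in present:
                    entry["differs"] = (path.read_bytes()
                                        != Path(dirpath, base).read_bytes())
                findings["swap_files"].append(entry)
            try:
                text = path.read_text(errors="ignore")
            except OSError:
                continue
            for dom in INDICATOR_DOMAINS:
                if dom in text:
                    findings["ioc_hits"].append({"file": rel, "indicator": dom})
    return findings


def build_sample_webroot() -> str:
    """Create a constructed tree: a clean bootstrap.php plus a -swapme copy
    that adds a call-home to the indicator domain."""
    root = tempfile.mkdtemp(prefix="webroot-")
    app = Path(root, "app")
    app.mkdir()
    clean = "<?php\n// benign bootstrap\nrequire 'autoload.php';\n"
    (app / "bootstrap.php").write_text(clean)
    (app / "bootstrap.php-swapme").write_text(
        clean + "file_get_contents('https://amazon-analytic.com/collect');\n")
    (app / "index.php").write_text("<?php\nrequire 'app/bootstrap.php';\n")
    return root


if __name__ == "__main__":
    import json
    print(json.dumps(scan_webroot(build_sample_webroot()), indent=2))
```

Run against a real document root, the `differs` flag is the useful signal: an editor crash leaves a swap file that mirrors the original, whereas the persistence technique above leaves one that carries extra code while the original stays clean.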
It is currently unknown how initial access was gained in this case, but it is suspected to have been via SSH or other terminal sessions.
The disclosure comes as compromised admin user accounts on WordPress sites are being used to install a malicious plugin masquerading as the legitimate Wordfence plugin, which has the ability to create a rogue admin user and disable Wordfence, giving the false impression that everything is working as expected.
“While a website would have had to already be compromised for the malicious plugin to be installed in the first place, this malware can certainly act as a vector for re-infection,” said security researcher Ben Martin.
“The malicious code only works on pages in the WordPress admin interface that contain the word ‘Wordfence’ in the URL (the Wordfence plugin settings page).”
Site owners are advised to restrict the use of common protocols such as FTP, SFTP and SSH to trusted IP addresses and ensure that their content management systems and plugins are up to date.
Users are also encouraged to enable Two-Factor Authentication (2FA), use a firewall to block bots, and enforce additional wp-config.php security implementations such as DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS.
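The two `wp-config.php` constants named above are easy to verify. The following added example (not code from Sucuri, Wordfence or WordPress) parses a `wp-config.php`, reports whether `DISALLOW_FILE_EDIT` and `DISALLOW_FILE_MODS` are missing, disabled or correctly set to `true`, and produces a hardened copy with both enforced. The sample config is constructed; the `define()` regex and the "stop editing" marker line it inserts before are assumptions about the stock WordPress config layout.

```python
"""Audit and harden wp-config.php file-modification settings.

Constructed example. DISALLOW_FILE_EDIT removes the dashboard theme/plugin
editor; DISALLOW_FILE_MODS additionally blocks plugin and theme installs and
updates from the admin interface, the path a rogue plugin upload relies on.
"""
import re

REQUIRED_TRUE = ("DISALLOW_FILE_EDIT", "DISALLOW_FILE_MODS")

# Assumed form: define('NAME', value); with either quote style.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;""")


def parse_defines(config_text: str) -> dict:
    """Return {CONSTANT: raw value text} for every define() in the config."""
    return {m.group("name"): m.group("value").strip()
            for m in DEFINE_RE.finditer(config_text)}


def audit_wp_config(config_text: str) -> dict:
    """Return {CONSTANT: 'ok' | 'missing' | 'disabled'} for each required setting."""
    defines = parse_defines(config_text)
    report = {}
    for const in REQUIRED_TRUE:
        if const not in defines:
            report[const] = "missing"
        elif defines[const].lower() == "true":
            report[const] = "ok"
        else:
            report[const] = "disabled"
    return report


def harden_wp_config(config_text: str) -> str:
    """Return the config with both constants forced to true.

    Existing definitions of the two constants are dropped and replaced,
    inserted before the stock "stop editing" marker (assumed present) or
    appended if the marker is absent.
    """
    lines = [ln for ln in config_text.splitlines()
             if not ("define" in ln and any(c in ln for c in REQUIRED_TRUE))]
    new_defs = [f"define('{c}', true);" for c in REQUIRED_TRUE]
    marker = next((i for i, ln in enumerate(lines) if "stop editing" in ln), None)
    if marker is None:
        lines.extend(new_defs)
    else:
        lines[marker:marker] = new_defs
    return "\n".join(lines) + "\n"


# Constructed weak config: editor explicitly enabled, file mods not addressed.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DISALLOW_FILE_EDIT', false);
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    print("before:", audit_wp_config(WEAK_CONFIG))
    hardened = harden_wp_config(WEAK_CONFIG)
    print("after: ", audit_wp_config(hardened))
    print(hardened)
```

Setting `DISALLOW_FILE_MODS` also stops legitimate dashboard updates, so sites that rely on it need another update path (for example a deployment pipeline or WP-CLI on the server) before enabling it.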