E-commerce under attack — Nginx web-shell campaign
In recent days we observed a series of attacks targeting e-commerce platforms running the Nginx web server.
Researchers identified, during an investigation into a CronRAT malware compromise, the execution of a previously undocumented malware family — NginRAT — which evades the leading security solutions by injecting its own code into legitimate Nginx worker processes (T1055.012 — Process Hollowing / Process Injection).

NginRAT and CronRAT are remote-access malware designed to provide persistent control of the compromised server, with the operational objective of interacting with the e-commerce backend and exfiltrating payment-form data.
The campaign is attributed with high confidence to Magecart — an umbrella designation covering dozens of subgroups specialised in digital payment-card theft. The technique observed is web skimming: a software vulnerability is exploited to access the source code of an online portal, where malicious JavaScript is injected to harvest cardholder data submitted at checkout (T1059.007 — Command and Scripting Interpreter: JavaScript).
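The skimming step above works by adding script to a page the shop already serves, so the corresponding control is to know exactly which scripts a checkout page should contain and alert on anything else. The following is an added example written for this article, not tooling from the original or from any vendor named in it: it inventories the `<script>` tags of a page with Python's standard-library HTML parser, hashes inline script bodies with SHA-256 (the same digests a CSP `sha256-...` source or Subresource Integrity would use), and reports external script hosts outside an allow-list or inline scripts that are not in a known-good baseline. The host names, the allow-list and both page bodies are constructed for the example.

```python
"""Detect unexpected scripts on a checkout page by comparing against a baseline.

Added example, not tooling from the original article. Inventories <script>
tags, hashes inline bodies (SHA-256, as CSP/SRI do), and reports external
hosts outside an allow-list or inline scripts absent from the baseline.
All host names and page content below are constructed.
"""
import hashlib
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urlparse

# Constructed allow-list: the shop's own origin and its known CDN.
ALLOWED_SCRIPT_HOSTS: Set[str] = {"shop.example", "cdn.example"}

# Constructed baseline: what the checkout page is known to serve.
BASELINE_HTML = """<html><body>
<form id="checkout"><input name="cc"></form>
<script src="https://cdn.example/checkout.js"></script>
<script src="/static/app.js"></script>
<script>window.shopConfig = {currency: "EUR"};</script>
</body></html>"""

# Constructed tampered copy: one extra external script and one extra inline script.
TAMPERED_HTML = BASELINE_HTML.replace(
    "</body>",
    '<script src="https://unlisted-host.invalid/s.js"></script>\n'
    '<script>/* constructed placeholder for an injected script */</script>\n</body>',
)


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from HTML."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        # Script bodies are delivered as CDATA, possibly in several chunks.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf).strip())


def inline_hash(body: str) -> str:
    """SHA-256 hex digest of an inline script body."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def script_inventory(html: str) -> Dict[str, List[str]]:
    """Return external script URLs and SHA-256 hashes of inline script bodies."""
    p = ScriptCollector()
    p.feed(html)
    p.close()
    return {"external": p.external, "inline_hashes": [inline_hash(b) for b in p.inline]}


def audit_page(html: str, baseline_html: str, allowed_hosts: Set[str]) -> Dict[str, List[str]]:
    """Report scripts on `html` that neither the baseline page nor the allow-list account for."""
    now, base = script_inventory(html), script_inventory(baseline_html)
    unknown_hosts = []
    for url in now["external"]:
        host = urlparse(url).hostname
        # A relative src has no host and is served by the shop's own origin.
        if host and host not in allowed_hosts:
            unknown_hosts.append(host)
    new_inline = [h for h in now["inline_hashes"] if h not in base["inline_hashes"]]
    return {"unknown_hosts": unknown_hosts, "new_inline": new_inline}


if __name__ == "__main__":
    print(audit_page(TAMPERED_HTML, BASELINE_HTML, ALLOWED_SCRIPT_HOSTS))
```

In practice the baseline is captured from a known-clean deployment and re-checked on every deploy and on a schedule from outside the server, since a skimmer injected server-side is only visible in what the server actually returns. The same hash list can be turned into a Content-Security-Policy `script-src` directive, which makes the browser refuse any script that is not on it.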
During the attack, CronRAT communicates with a command-and-control server at 47.115.46[.]167. Following several staged installation phases, NginRAT is deployed and beacons to the same C2. NginRAT is engineered for long-haul persistence — it can remain dormant, awaiting commands, for weeks at a time. Because the malware hides inside a legitimate Nginx process, host-based detection requires inspection of process memory and parent–child process trees rather than file-system scanning alone — the kind of telemetry-driven hunting performed by our Managed Detection and Response.
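The two host-side signals named above, executable memory that no file on disk accounts for and an nginx worker with the wrong parent, can both be read from `/proc` on Linux. The script below is an added example written for this article; it is not a detection from the original text or from any vendor it names, and it does not use any NginRAT-specific indicator. It flags executable mappings in an nginx process that are anonymous, memfd-backed, unlinked after mapping, or writable and executable at once, and it flags `nginx: worker` processes whose parent is not an `nginx: master`. The `/proc/<pid>/maps` excerpts and the process table are constructed; `hunt_live()` runs the same checks against the real `/proc`.

```python
"""Hunt for injected code in nginx worker processes on Linux via /proc.

Added example for this article, not tooling from the original. Two checks:
(1) executable memory in an nginx process not backed by a file on disk
(anonymous, memfd, unlinked, or writable+executable), and (2) a worker whose
parent is not an nginx master. The sample maps and process table are constructed.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# /proc/<pid>/maps line: range perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+\S+\s+\S+\s+\d+\s*(.*)$")
KERNEL_EXEC_PSEUDO = {"[vdso]", "[vsyscall]"}  # executable pseudo-mappings every process has

@dataclass
class Mapping:
    start: int
    end: int
    perms: str  # e.g. "r-xp"
    path: str   # "" for anonymous memory

def parse_maps(text: str) -> List[Mapping]:
    """Parse the contents of /proc/<pid>/maps."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m[1], 16), int(m[2], 16), m[3], m[4].strip()))
    return out

def suspicious_exec_mappings(maps: List[Mapping]) -> List[Mapping]:
    """Executable regions a stock nginx worker should not have: legitimate code is
    mapped read-only from files on disk, while injected code usually sits in
    anonymous memory, a memfd, a file unlinked after mapping, or a W+X region."""
    flagged = []
    for mp in maps:
        if "x" not in mp.perms:
            continue
        nonfile = mp.path == "" or (mp.path.startswith("[") and mp.path not in KERNEL_EXEC_PSEUDO)
        if nonfile or mp.path.startswith("/memfd:") or mp.path.endswith("(deleted)") or "w" in mp.perms:
            flagged.append(mp)
    return flagged

def rogue_workers(table: Dict[int, Tuple[str, int]]) -> List[int]:
    """Given pid -> (cmdline, ppid), return nginx workers not parented by an nginx master."""
    return sorted(pid for pid, (cmd, ppid) in table.items()
                  if cmd.startswith("nginx: worker")
                  and not table.get(ppid, ("", 0))[0].startswith("nginx: master"))

def read_proc_table() -> Dict[int, Tuple[str, int]]:
    """Build pid -> (cmdline, ppid) from the live /proc (root is needed to read other users' maps)."""
    table: Dict[int, Tuple[str, int]] = {}
    if not os.path.isdir("/proc"):
        return table
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
            with open(f"/proc/{name}/stat") as f:
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])  # field after the state letter
        except OSError:
            continue
        table[int(name)] = (cmd, ppid)
    return table

def hunt_live() -> Dict[int, dict]:
    """Run both checks against the live system; returns findings keyed by pid."""
    table, findings = read_proc_table(), {}
    for pid in rogue_workers(table):
        findings.setdefault(pid, {})["unexpected_parent"] = table[pid][1]
    for pid, (cmd, _) in table.items():
        if cmd.startswith("nginx:"):
            try:
                with open(f"/proc/{pid}/maps") as f:
                    bad = suspicious_exec_mappings(parse_maps(f.read()))
            except OSError:
                continue
            if bad:
                findings.setdefault(pid, {})["exec_mappings"] = [(hex(m.start), m.perms, m.path) for m in bad]
    return findings

# Constructed /proc/<pid>/maps excerpts: a clean worker, then the same worker with injected code.
CLEAN_MAPS = """55d0c4a00000-55d0c4a2b000 r--p 00000000 fd:01 1234 /usr/sbin/nginx
55d0c4a2b000-55d0c4b10000 r-xp 0002b000 fd:01 1234 /usr/sbin/nginx
55d0c5f00000-55d0c5f21000 rw-p 00000000 00:00 0 [heap]
7f2a10000000-7f2a10022000 r-xp 00000000 fd:01 5678 /usr/lib/x86_64-linux-gnu/libc.so.6
7ffd3e1d0000-7ffd3e1f1000 rw-p 00000000 00:00 0 [stack]
7ffd3e1f6000-7ffd3e1f8000 r-xp 00000000 00:00 0 [vdso]
"""
INJECTED_MAPS = CLEAN_MAPS + """7f2a20000000-7f2a20021000 rwxp 00000000 00:00 0
7f2a30000000-7f2a30010000 r-xp 00000000 00:05 99 /memfd:payload (deleted)
"""
# Constructed process table; pid 1337 is a worker whose parent is not an nginx master.
PROC_TABLE = {1: ("/sbin/init", 0), 800: ("nginx: master process /usr/sbin/nginx", 1),
              801: ("nginx: worker process", 800), 802: ("nginx: worker process", 800),
              1337: ("nginx: worker process", 1)}

if __name__ == "__main__":
    print([m.path or "<anonymous>" for m in suspicious_exec_mappings(parse_maps(INJECTED_MAPS))])
    print(rogue_workers(PROC_TABLE), hunt_live())
```

One caveat before deploying this as an alert: nginx builds that embed LuaJIT (OpenResty and the ngx_lua module) legitimately allocate anonymous executable memory for compiled traces, so on those hosts the memory check needs a per-build baseline rather than a zero-tolerance rule. The parent-process check has no such exception, because nginx workers are only ever forked by the master.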
Process-injection malware that lives inside a signed, expected service binary is the attacker's answer to signature-based AV detection — defenders that rely solely on disk-resident IOCs will miss it.