{"id":4170,"date":"2021-12-06T14:36:35","date_gmt":"2021-12-06T14:36:35","guid":{"rendered":"https:\/\/fortgale.com\/news\/?p=4170"},"modified":"2026-06-08T14:54:08","modified_gmt":"2026-06-08T14:54:08","slug":"ecommerce-nginx-webshell-campaign","status":"publish","type":"post","link":"https:\/\/fortgale.com\/blog\/emerging-threats\/ecommerce-nginx-webshell-campaign\/","title":{"rendered":"E-commerce under attack \u2014 Nginx web-shell campaign"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">In <strong>recent days<\/strong> we observed a series of attacks targeting <strong>e-commerce platforms<\/strong> running the <strong>Nginx<\/strong> web server.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/sansec.io\/research\/nginrat\">Researchers<\/a> identified, during an investigation into a <strong>CronRAT<\/strong> malware compromise, the execution of a previously undocumented malware family \u2014 <strong>NginRAT<\/strong> \u2014 which evades the leading security solutions by injecting its own code into legitimate Nginx worker processes (<code>T1055.012<\/code> \u2014 Process Hollowing \/ Process Injection):<\/p>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img decoding=\"async\" width=\"726\" height=\"135\" src=\"https:\/\/fortgale.com\/news\/wp-content\/uploads\/sites\/2\/2021\/12\/image.png\" alt=\"\" class=\"wp-image-4171\" srcset=\"https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image.png 726w, https:\/\/fortgale.com\/blog\/wp-content\/uploads\/sites\/2\/2021\/12\/image-300x56.png 300w\" sizes=\"(max-width: 726px) 100vw, 726px\" loading=\"lazy\" \/><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>NginRAT<\/strong> and <strong>CronRAT<\/strong> are remote-access malware designed to provide persistent control of the compromised server, with the operational objective of interacting with the e-commerce backend and exfiltrating payment-form data.<\/p>\n\n\n\n<p 
class=\"wp-block-paragraph\">The campaign is attributed with high confidence to <a href=\"https:\/\/www.riskiq.com\/what-is-magecart\/\" rel=\"noreferrer noopener\" target=\"_blank\">Magecart<\/a> \u2014 an umbrella designation covering dozens of subgroups specialised in digital payment-card theft. The technique observed is <strong>web skimming<\/strong>: a software vulnerability is exploited to access the source code of an online portal, where malicious JavaScript is injected to harvest cardholder data submitted at checkout (<code>T1059.007<\/code> \u2014 Command and Scripting Interpreter: JavaScript).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">During the attack, <strong>CronRAT<\/strong> communicates with a command-and-control server at <code>47.115.46[.]167<\/code>. Following several staged installation phases, <strong>NginRAT<\/strong> is deployed and beacons to the same C2. NginRAT is engineered for long-haul persistence \u2014 it can remain dormant, awaiting commands, for weeks at a time. Because the malware hides inside a legitimate Nginx process, host-based detection requires inspection of process memory and parent\u2013child process trees rather than file-system scanning alone \u2014 the kind of telemetry-driven hunting performed by our <a href=\"https:\/\/fortgale.com\/en\/managed-detection-and-response\/\">Managed Detection and Response<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Process-injection malware that lives inside a signed, expected service binary is the operational answer to AV signature detection \u2014 defenders who rely solely on disk-resident IOCs will miss it.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In recent days we observed a series of attacks targeting e-commerce platforms running the Nginx web server. 
Researchers identified, during an investigation into a CronRAT malware compromise, the execution of a previously undocumented malware family \u2014 NginRAT \u2014 which evades the leading security solutions by injecting its own code into legitimate Nginx worker processes (T1055.012 &#8230; <a title=\"E-commerce under attack \u2014 Nginx web-shell campaign\" class=\"read-more\" href=\"https:\/\/fortgale.com\/blog\/emerging-threats\/ecommerce-nginx-webshell-campaign\/\" aria-label=\"Read more about E-commerce under attack \u2014 Nginx web-shell campaign\">Read more<\/a><\/p>\n","protected":false},"author":7,"featured_media":4171,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[1559,1561,1563,1565,1567,1569,1571],"class_list":["post-4170","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emerging-threats","tag-china-it","tag-cronrat-it","tag-e-commerce-it","tag-ecommerce-it","tag-nginrat-it","tag-nginx-it","tag-web-skimmer-it"],"_links":{"self":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4170","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/comments?post=4170"}],"version-history":[{"count":5,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4170\/revisions"}],"predecessor-version":[{"id":9815,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/posts\/4170\/revisions\/9815"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media\/4171"}],"wp:attachment":[{"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/media?parent=4170"}],"
wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/categories?post=4170"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/fortgale.com\/blog\/wp-json\/wp\/v2\/tags?post=4170"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}