21 December 2020

Magecart hackers accidentally exposed list of compromised victims


A web skimming group inadvertently leaked a list of 41 previously hacked online stores. The list was found by Sansec researchers while examining a dropper used to deploy a stealthy Remote Access Trojan (RAT) designed to give the attackers long-term access to eCommerce sites so they can steal customers’ personal and financial information.

The RAT was delivered as a 64-bit ELF executable that hides among the server’s processes and masquerades as the DNS or SSH server daemon so as not to raise suspicion. According to the researchers, the malware stays in sleep mode almost all day, waking up only once in the morning, at 7am, when it attempts to connect to its command and control server to request instructions.
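A daemon that only borrows the name of sshd or named still has to run from somewhere, so one cheap defender check is to compare each process’s name with the path its executable actually resolves to. The following is an added example, not code from Sansec or the article; the expected binary paths and the sample process listing are assumptions chosen for illustration.

```python
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed on-disk locations of the daemons the RAT imitates (typical
# Red Hat / Debian paths; adjust to the distribution actually in use).
LEGIT_BINARIES = {
    "sshd": {"/usr/sbin/sshd"},
    "named": {"/usr/sbin/named"},
}

@dataclass
class Proc:
    pid: int
    comm: str   # name as shown by ps, i.e. /proc/<pid>/comm
    exe: str    # resolved target of /proc/<pid>/exe

def suspicious(p: Proc) -> Optional[str]:
    """Return a reason if the process claims a daemon name it should not have."""
    expected = LEGIT_BINARIES.get(p.comm)
    if expected is None:
        return None                      # not a name we know the RAT to imitate
    if p.exe.endswith(" (deleted)"):
        return "binary unlinked after exec"   # kernel marks removed executables this way
    if p.exe not in expected:
        return f"'{p.comm}' running from unexpected path {p.exe}"
    return None

def scan(procs: List[Proc]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for every process that fails the check."""
    return [(p.pid, r) for p in procs if (r := suspicious(p))]

def read_live_procs() -> List[Proc]:
    """Collect comm/exe for each PID under /proc (root needed to read other users' exe links)."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue                     # process exited or not readable
        out.append(Proc(int(pid), comm, exe))
    return out

# Constructed sample listing: one genuine sshd, two impostors, one unrelated process.
SAMPLE = [
    Proc(812, "sshd", "/usr/sbin/sshd"),
    Proc(4412, "named", "/var/www/html/media/.cache/named"),
    Proc(4413, "sshd", "/tmp/sshd (deleted)"),
    Proc(900, "php-fpm", "/usr/sbin/php-fpm"),
]
```

Running `scan(read_live_procs())` on a real host applies the same check to the live process table; a hit is a reason to look at the binary, not proof of compromise on its own.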

“The dropper is designed to parse many different Magento deployment setups. Second, the PHP code seems to be written by someone unfamiliar with PHP. It uses shared memory blocks, which is rarely used in PHP but is much more common in C programs,” the researchers said.

Sansec has found several similar RATs on different systems, compiled on different Red Hat and Ubuntu Linux systems, suggesting the involvement of multiple people in this campaign, or that the cybercriminals possibly obtained the RAT source code from public sources or bought it on dark web markets.

The researchers said they reached out to owners of compromised online stores to inform them their servers were hijacked.
