MageCart attacks target hundreds of old Magento sites



According to Sansec, the attack was revealed late last month, when their detector discovered 374 infections on the same day, all using the same malware.

The domain from which the attackers downloaded the malware, naturalfreshmall[.]com, is currently offline. Their goal was to steal customers’ credit card information at the targeted online stores.

Sansec's subsequent investigation revealed that the intruders abused a known vulnerability in the Quickview add-on to gain Magento administrator privileges, which they could then use to execute code with the highest privileges.

The abuse works by adding a validation rule to the customer_eav_attribute table. This tricks the host application into creating a malicious object, which is then used to create a simple backdoor (api_1.php).
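A defender can audit the validation rules described above for embedded objects. The following is an added example, not code from Sansec or from this article: it assumes an old (Magento 1) store whose customer_eav_attribute.validate_rules column holds PHP-serialized arrays, exported as (attribute_id, validate_rules) pairs. It walks the serialized value by length instead of pattern-matching, so object-looking text inside an ordinary string is not flagged; the rows and the class name are constructed placeholders.

```python
import re

def _num(buf, i):  # read '<digits>:' at i -> (value, index just past the colon)
    m = re.compile(rb"(\d+):").match(buf, i)
    if not m:
        raise ValueError(f"expected a length at byte {i}")
    return int(m.group(1)), m.end()

def _walk(buf, i, found):
    """Skip one PHP-serialized value at i, recording object class names."""
    t = buf[i:i + 2]
    if t in (b"N;", b"b:", b"i:", b"d:"):    # scalars end at the next ';'
        return buf.index(b";", i) + 1
    n, j = _num(buf, i + 2)                  # remaining types carry a length
    if t == b"s:":                           # s:LEN:"bytes";  (skipped by length)
        return j + n + 3
    if t in (b"O:", b"C:"):                  # O:LEN:"Class":COUNT:{...}
        found.append(buf[j + 1:j + 1 + n].decode("latin-1"))
        n, j = _num(buf, j + n + 3)
        if t == b"C:":                       # C:LEN:"Class":DLEN:{raw}
            return j + n + 2
    elif t != b"a:":                         # a:COUNT:{...}
        raise ValueError(f"unknown type at byte {i}")
    end = j + 1
    for _ in range(2 * n):                   # key/value pairs
        end = _walk(buf, end, found)
    if buf[j:j + 1] + buf[end:end + 1] != b"{}":
        raise ValueError(f"bad braces near byte {j}")
    return end + 1

def audit(rows):
    """(attribute_id, validate_rules) pairs -> {attribute_id: finding}."""
    findings = {}
    for attr_id, rules in rows:
        found = []
        try:
            if rules and _walk(rules, 0, found) != len(rules):
                raise ValueError("trailing bytes")
        except (ValueError, RecursionError) as exc:
            findings[attr_id] = f"unparseable: {exc}"
        if found:
            findings[attr_id] = "object in rule: " + ", ".join(found)
    return findings

# Constructed sample rows; "Example_Gadget" is a placeholder class name.
ROWS = [
    (5, b'a:2:{s:15:"max_text_length";i:255;s:15:"min_text_length";i:1;}'),
    (7, b'a:1:{s:4:"note";s:12:"O:1:"x":0:{}";}'),   # object-like text in a string
    (9, b'a:1:{s:11:"placeholder";O:14:"Example_Gadget":0:{}}')]
```

Calling audit(ROWS) reports only attribute 9; any row it returns, including one it cannot parse, should be compared against a known-good copy of the table.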
