The malicious actor behind a year-old campaign targeting the web payment portal Click2Gov appears to have been using a malicious webshell, data mining utility program and network sniffer to steal information from users, according to a new report from FireEye researchers.

The researchers note that while the perpetrator’s tools and techniques are “generally consistent with other financially motivated attack groups,” this particular actor has “demonstrated ingenuity in crafting malware exploiting Click2Gov installations, achieving moderate success.”

Originally a product of software company Superion, which was recently acquired by CentralSquare Technologies, Click2Gov is a portal used by government entities to accept payments for permits, licenses, fines and utilities. In October 2017, the company disclosed the discovery of suspicious activity indicative of a breach, and by June 2018 it was widely reported that tens of thousands of local government customers across the country had their information exposed.

In their report, FireEye researchers explain that the attacker likely exploited one or several Oracle Web Logic vulnerabilities to compromise Click2Gov webservers, allowing them at that point to upload a variant of the publicly available SJavaWebManage a webshell to achieve persistence, interact with infected hosts and execute commands.

The variant deviated from the original version in that it had, among other changes, different variable names (possibly to hinder detection), Chinese characters that were altered to English, and the added ability to manipulate timestamps on the server.

For the next step, FireEye reports, the attacker would “restart a module in DEBUG mode using the SJavaWebManage CMDS page after editing a Click2Gov XML configuration file,” causing the Click2Gov module to log payment card data in plain text to its log files. At this point, the actor would use the webshell to upload and execute a command line data mining utility nicknamed “FIREALARM,” which parses the plain-text logs to retrieve payment card data, format it, and print it to the console.

Additionally, the actors would upload “SPOTLIGHT,” a network sniffer that improves persistence and data collection, “ensuring the mined data would not be lost if Click2GovCX log files were deleted by an administrator,” the blog post continues.

Although FireEye is unable to connect the attacker with any known threat groups that have similar motives, researchers believe the campaign is likely the work of a team of individuals who “will continue to conduct interactive and financially motivated attacks.”

To counter this threat, FireEye recommends that Click2Gov customers exercise diligent patch management, implement a file integrity monitoring solution for e-commerce webservers, and ensure that web service accounts run at least privilege.