Analysis of a recent Magecart campaign

-

 On 13 March, SanSec disclosed a new Magecart domain used to host malicious JavaScript (.js) files that can collect credit card information from ecommerce site checkout pages. The site (jquerycdn[.]at) that hosted the scripts was present on at least 299 different victim stores. The most commonly attacked platform is Magento 1 ecommerce platform. Notably, support for Magento 1 ended on 30 June 2020, meaning that it will no longer receive security updates.

How does the web skimmer work?

“Web skimmers are loaded on the checkout page of a typical store. It lives in the browser of an unsuspecting online customer. Whenever he or she enters her payment information, the private data is siphoned off to an offshore server. Usually, this data is then sold on the dark web within 2-10 weeks.” - SanSec. 


In this blog, I analysed the JavaScript Skimmers connected to jquerycdn[.]at in an ongoing campaign


knockout-fast-foreach.js

46fa357596e58272e6e2865c8b80bb96eb910c577267ce64bcada714c8eefdff



jquery.storageapi.min.js

20ef8044ce87142087cc996cf38c9476df5a95211a9aa03982bd2f17b789de62



Search for the presence of the jquery.storageapi.min.js Skimmer on sites via URLscan here.


jquery.bah-hashchange.min.js

082aa05bdc4869e4c7d40046c0a3ce7861fbfa89356ff714f1514a8e6775e460



Search for the presence of the jquery.bah-hashchange.min.js Skimmer on sites via URLscan here.



These JavaScript Skimmers use the function 'GetCCInfo' to collect the online shopper's credit card number, CVV number, card holder first and last name, smd the expiration date. The 'SaveParam' function collects the firstname, lastname, home address, and telephone number. All the data is then encoded with base64 and exfiltrated to jquerycdn[.]at/gate.php.

Although this campaign was detected back in March 2020, the site remains online and is hosted with AS47510 [Crex Fex Pex ISS, RU]. Additionally it appears the JS Skimmer continues to be injected onto ecommerce site’s checkout pages:





Indicators of Compromise (IOCs):

jquerycdn[.]at

jquerye[.]at

217.8.117.75

46fa357596e58272e6e2865c8b80bb96eb910c577267ce64bcada714c8eefdff

20ef8044ce87142087cc996cf38c9476df5a95211a9aa03982bd2f17b789de62

082aa05bdc4869e4c7d40046c0a3ce7861fbfa89356ff714f1514a8e6775e460

15dde9cb53a519b8c61edf29d758bc8c8ce52a778d2a3123e9fd3c93fef9c531


References: 

https://sansec.io/malware/jquerycdn.at 

https://twitter.com/felixaime/status/1258800483524804608

https://magento.com/blog/magento-news/support-magento-1-software-ends-june-30-2020


My Previous Blog titled “Deep-dive: The Magecart Collective” can be found here.


I want to extend my gratitude to @0xDISREL for helping me with research into these attacks. They provided useful insights into analysis of the JavaScript code. Give them a follow!

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on
Read more