Analysis of Meyhod JavaScript Web Skimmers


A new web skimmer, dubbed Meyhod, has been disclosed by RiskIQ. The malware (named after a typo in the code) appeared in October on several e-commerce sites, including the hair treatment company Bosley and the Chicago Architecture Center (CAC).

While investigating the attacker's domain (jquerycloud[.]com) a bit further some months ago, other potential victims of this campaign were uncovered. These include Doves Farm UK, The Fruit Company, Customer Earth Promos, and, judging by the skimmer file names, potentially iCanvas and TFC:

Active compromise of dovesfarm.co.uk:


Skimmer 1: Identifier - sClass="yeikyd" - 'dovesfarm.js' (available here)

Skimmer 2: Identifier - sClass="frydbt" - 'icanvas.js' (available here)


Skimmer 3: Identifier - sClass="bfiyad" - 'tfc.js' (available here)


Skimmer 1 - Listener:


Skimmer 2 and 3 - Listener:


Skimmed Data:

RC4 encryption:

Data collected:

  • Credit Card Number, Card Holder Name, CVV, expiry day, month and year, billing address, company name, email address, phone number, and location details.


The skimmed data is encoded using custom functions before it is sent off to the attacker-owned server by an AJAX POST request.


As noted by RiskIQ, so far, the malware has not been attributed to any known Magecart group. None of its domain infrastructure, hosted with Alibaba, overlaps with other known groups.




Checking the hosting of the attacker's domain uncovered that it shared IP addresses with another underground fraud site, 'carderbazar[.]net', which was down at the time of writing:



My previous blogs on the analysis of a campaign and a deep-dive into the Magecart Collective can be found here and here.


Indicators of Compromise (IOCs):


c7571bd3ecdafc2a770d00b7ebc01dc58ed923c1ce685d14d6dfe9bb9cb86072

3f58769e2a573de7b265c6c11619be07d92ed1d37ca44c69083940d070a5b883

ba14026fe5eb0782684e0efdcf7df1f3f2f781d32855571ad10e1561e2f28a63

8.211.0.55

47.254.169.212

jquerycloud[.]com

carderbazar[.]net
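The skimmers above exfiltrate their RC4-encrypted, custom-encoded payload with an AJAX POST to the attacker-owned host, so the most reliable detection signals for a defender are the script hashes, the domains and the IP addresses listed as IOCs rather than the encoded payload itself. The following Python script is an added example (it is not part of the original post or of the BushidoUK repository): it refangs the defanged indicators exactly as published above, classifies each one as a SHA-256 hash, an IP or a domain, and checks observed script loads (URL, response body, remote IP, in the shape a urlscan or proxy export would give you) against them, including subdomain matches such as cdn.jquerycloud[.]com. The sample observations at the bottom are constructed for illustration; the hashes in the IOC list are not mapped to specific files because the post does not state that mapping.

```python
"""Match observed script loads against the Meyhod IOC list from the post (added example)."""
from __future__ import annotations

import hashlib
import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# IOCs exactly as listed in the post (defanged with [.] as published).
MEYHOD_IOCS = [
    "c7571bd3ecdafc2a770d00b7ebc01dc58ed923c1ce685d14d6dfe9bb9cb86072",
    "3f58769e2a573de7b265c6c11619be07d92ed1d37ca44c69083940d070a5b883",
    "ba14026fe5eb0782684e0efdcf7df1f3f2f781d32855571ad10e1561e2f28a63",
    "8.211.0.55",
    "47.254.169.212",
    "jquerycloud[.]com",
    "carderbazar[.]net",
]


def refang(ioc: str) -> str:
    """Turn a defanged indicator ('jquerycloud[.]com', 'hxxps://') back into a usable value."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def classify(ioc: str) -> str:
    """Return 'sha256', 'ip' or 'domain' for one indicator."""
    value = refang(ioc).lower()
    if re.fullmatch(r"[0-9a-f]{64}", value):
        return "sha256"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"


@dataclass
class IocSet:
    hashes: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    domains: set = field(default_factory=set)


def build_ioc_set(iocs) -> IocSet:
    """Sort a flat IOC list into hash / IP / domain buckets, refanged and lower-cased."""
    s = IocSet()
    bucket = {"sha256": s.hashes, "ip": s.ips, "domain": s.domains}
    for ioc in iocs:
        bucket[classify(ioc)].add(refang(ioc).lower())
    return s


def host_matches(host: str, domains: set) -> bool:
    """True if host equals an IOC domain or is a subdomain of one (not a mere suffix match)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_script(url: str, body: bytes, remote_ip: str, iocs: IocSet) -> list[str]:
    """Return the reasons one script load is flagged; an empty list means no IOC matched."""
    hits = []
    host = urlparse(url).hostname or ""
    if host_matches(host, iocs.domains):
        hits.append(f"domain:{host}")
    if remote_ip in iocs.ips:
        hits.append(f"ip:{remote_ip}")
    digest = sha256_hex(body)
    if digest in iocs.hashes:
        hits.append(f"sha256:{digest}")
    return hits


def scan(observed, iocs: IocSet) -> dict[str, list[str]]:
    """Run match_script over a list of {url, body, ip} records; keep only the flagged URLs."""
    results = {}
    for rec in observed:
        hits = match_script(rec["url"], rec["body"], rec["ip"], iocs)
        if hits:
            results[rec["url"]] = hits
    return results


# Constructed sample observations (not real captures): one benign first-party script,
# one load from the attacker's domain and IP as listed in the IOCs.
OBSERVED = [
    {"url": "https://shop.example/static/checkout.js", "body": b"var total = 0;", "ip": "203.0.113.10"},
    {"url": refang("hxxps://jquerycloud[.]com/jquery.min.js"), "body": b"/* body not reproduced */", "ip": "47.254.169.212"},
]

if __name__ == "__main__":
    for url, hits in scan(OBSERVED, build_ioc_set(MEYHOD_IOCS)).items():
        print(url, "->", ", ".join(hits))
```

Feeding a real urlscan content export or proxy log into `scan` only requires filling the `url`, `body` and `ip` fields; hashing the body means the check still fires if the attacker serves the same skimmer from a domain that is not yet on the list.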


References:

https://urlscan.io/result/fa70940d-2bf0-43db-b3d6-67ed91323b36/content/

https://urlscan.io/result/3f98656d-9e49-408f-b370-2acf588d98a3/content/

https://urlscan.io/result/932eb96f-a9ee-438e-9c97-d4ff54668fdf/content/

https://www.riskiq.com/blog/labs/magecart-meyhod-skimmer/

https://community.riskiq.com/article/14924d61

https://github.com/BushidoUK/Meyhod-Skimmers

https://app.any.run/tasks/4c671d18-334f-4023-b976-da8ed0c390d6/
