13 tweets, 4 min read
Annoyed as hell with a certain company's abuse department, so let's examine one of these #magecart / digital skimming loader techniques. The goal here will be to figure out what script it's trying to load. A thread, or something 1/13
Here's a common technique from a group. They try to make it look like something for Google Analytics, but it's clearly not. So what is it doing?

gist.github.com/krautface/5228…

First, you'll notice some weird variable names: showArticle, textAside, openReader, firstDescription. 2/13
There's no meaning behind them, they're pretty random and are frequently changed. Pay little attention to them.

Let's clean up the code a little bit and see what's actually going on here. 3/13

gist.github.com/krautface/4ea5…
First, it really tries to fake that it's adding the Google Analytics script to the page, with those ga and _gaq references, but they're doing literally nothing. The action starts on line 32.

Throw a debugger; on line 32 or 33 and then drop the code in devtools and run it. 4/13
Step through it using F10 and see what's happening.

The addClass function is doing some XOR work with the second argument ('kpwajqjds1e'):
r += String.fromCharCode(x ^ String(k[j]).charCodeAt())

As you step through the code you get a little more clarity. 5/13
attrSolution: "createElement"
textAside: "setAttribute"
propTable: "/checkout/" // this will be whatever URL path your browser is on
veryLeft: "indexOf"
openReader: "src"
firstDescription: head (as in the DOM object)
positionSkin: appendChild

6/13
As a side note, @GroupIB_GIB, who has done some good writeups on this stuff, calls sort of similar obfuscation techniques CoffeMokko v1 and v2. These may or may not be related, but read their stuff here if you're bored: group-ib.com/blog/coffemokko

7/13
So now we have some variables, what are they going to be used for?

The next thing is a for loop that iterates through the pickSidebar array, which is another collection of obfuscated strings. 8/13
Add a Watch Expression of the following:
addClass(pickSidebar[i], 'kpwajqjds1e')

Now step through the loop and see what it's looking for: onestepcheckout, checkout, onepage, onestep, firecheckout, securecheckout, idecheckoutvm, oscheckout, pagamento, odeme, and fechar-compra 9/13
If it finds any of those values in the URL path, which it's holding in the propTable variable, it loads its payload. Now, that's all great and whatnot, but how about we just get past all of this and find what we're looking for: the URL of the script it's trying to load. 10/13
This third code sample shows how to do it:

gist.github.com/krautface/73bb…

Basically we're just removing any checks on the URL path, and then commenting out the code that adds the code to the page. That for loop is weird because they didn't throw some { } around the body of it 11/13
We comment out "firstDescription[positionSkin](showArticle)" because that's really "head['appendChild'](<mal script>)". Looking at the output of the console.log we see the answer we've been looking for:

hxxps://jqueryes[.]com/js/lib/jquery-1.10.2.min.js

12/13
Going directly to that URL will reveal nothing, because the server is set up to only serve its digital skimmer with a proper referrer. If you're curious, it's the same advanced digital skimming code written about by @gwillem here: sansec.io/labs/2019/04/2…

Fin.
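Editor's added example (not the author's code and not the skimmer's loader): a re-implementation of the XOR string decoder and the path check the thread walks through, so the whole deobfuscation can be done in one pass instead of stepping in devtools. It is written from the single line quoted above (r += String.fromCharCode(x ^ String(k[j]).charCodeAt())) and assumes two things the thread does not spell out: that the obfuscated data is an array of char codes, and that the key index wraps with j = i % key.length. The key and the keyword list are the ones named in the thread; the encoded pickSidebar array is constructed here with the same XOR, since the real array is only in the linked gist. The loader dry-run returns the payload URL instead of calling head.appendChild, which is exactly the substitution the third gist makes by hand.

```javascript
// Added example: XOR decoder + dry-run of the Magecart loader's path check.
// Assumptions (not from the thread): obfuscated strings are arrays of char
// codes, and the key index wraps with j = i % key.length.

const KEY = "kpwajqjds1e"; // second argument to addClass() in the thread

// Equivalent of the loader's addClass(): XOR each code with the key byte at the
// wrapped index. XOR is its own inverse, so the same routine encodes and decodes.
function xorDecode(codes, key) {
  let r = "";
  for (let i = 0; i < codes.length; i++) {
    const j = i % key.length;
    r += String.fromCharCode(codes[i] ^ String(key[j]).charCodeAt());
  }
  return r;
}

// Used only to build sample data; the real skimmer ships pre-encoded arrays.
function xorEncode(str, key) {
  const out = [];
  for (let i = 0; i < str.length; i++) {
    out.push(str.charCodeAt(i) ^ key.charCodeAt(i % key.length));
  }
  return out;
}

// Keyword list the thread recovered from the loop (order preserved).
const CHECKOUT_KEYWORDS = [
  "onestepcheckout", "checkout", "onepage", "onestep", "firecheckout",
  "securecheckout", "idecheckoutvm", "oscheckout", "pagamento", "odeme",
  "fechar-compra",
];

// Constructed stand-in for the real pickSidebar array (which is in the gist,
// not on this page): the keywords above encoded with the thread's key.
const pickSidebar = CHECKOUT_KEYWORDS.map((k) => xorEncode(k, KEY));

// Defanged payload URL as given in the thread; never fetched here.
const PAYLOAD_URL = "hxxps://jqueryes[.]com/js/lib/jquery-1.10.2.min.js";

// Dry-run of the loader's for loop: decode each keyword, test it against the
// URL path (what the loader keeps in propTable) with indexOf, and return what
// the loader would have appended instead of touching the DOM.
function dryRunLoader(path, encodedKeywords, key) {
  for (const codes of encodedKeywords) {
    const needle = xorDecode(codes, key);
    if (path.indexOf(needle) !== -1) {
      return { matched: needle, src: PAYLOAD_URL };
    }
  }
  return null; // not a checkout page: loader stays dormant
}

// General form: once the key is known, decode every obfuscated array in the
// sample at once (attrSolution, textAside, pickSidebar, ...) in one pass.
function decodeAll(arrays, key) {
  return arrays.map((a) => xorDecode(a, key));
}

// Stand-alone usage: a checkout path fires, a landing page does not.
console.log(dryRunLoader("/checkout/", pickSidebar, KEY));
console.log(dryRunLoader("/", pickSidebar, KEY));
```

Because the key is a plain ASCII string and the operation is a byte-wise XOR, pulling the key out of the addClass call is enough to decode every string in the sample offline; the only thing the debugger session adds is confirming which decoded string lands in which variable.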
Thread by Affable Kraut.