Been looking at a digital skimmer/#magecart script I call "ManyQ" and figured I'd share what I've found.
Highlights: 200+ victims, in use since at least Feb 2020, and, most interesting, might be by Sochi, the creator of Inter.
1/30
Going to cover a fair amount of ground here:
- How it works
- Share some various copies of it
- Infrastructure it's been deployed on and related infrastructure
- Connections to Inter
And, yeah, "ManyQ" isn't the greatest name, but naming things is hard.
2/30
Aug 28, 2020 • 12 tweets • 5 min read
Thanks to data from @sansecio I think we've found the first digital skimmer/#magecart script to exfil using Telegram. In this thread, I'll go through the code, the drawbacks of this approach, and how to stop it dead (hint: CSP).
1/11
This of course isn't the first digital skimmer to abuse unrelated services to exfil its data. For example, back in June we saw the public disclosure of digital skimmers abusing Google Analytics: sansec.io/research/skimm…
2/x
Feb 6, 2020 • 10 tweets • 3 min read
Saw this new digital skimmer/#magecart JS for the first time last week. Haven't had time to dig really deep into it, but here's the basic overview. Calling it the Callback skimmer for now. Above average JS for a digital skimmer.
1/9
As I said, this is going to be a quick overview. Here's the loader: gist.github.com/krautface/5a29…
2/9
Dec 26, 2019 • 6 tweets • 2 min read
New digital skimmer/#magecart technique: steganography
A colleague found this a couple of days ago while searching through our SIEM. The skimmer group uploads or modifies an existing image and appends the JS code.
1/5
Here's an example of a live image. You can load this image and prepend view-source: The next tweet has the code that loads and runs the code in this image. The full skimmer code is in a gist on the last tweet.
I think I stumbled upon a novel digital skimmer/#magecart script still in development and figured I'd share all the code and (limited) infrastructure I've found so far. And I'll share the simple method to stop this technique dead (tweet 16 😉)
First, what makes it unique?
1/17
- Malicious payload is loaded over websockets
- Exfil over websockets
- A rather clever skimmer loader that I think may fool a lot of people
- CSS classes(!) being used to construct the URL
Intrigued? Great. Let's go.
2/x
Aug 27, 2019 • 12 tweets • 6 min read
Let’s do a quick dive into quickly pulling out the interesting bits from an obfuscated #magecart script. And by that I mostly mean the exfil URL. This will only cover one of the most common obfuscator types, as featured at javascriptobfuscator.com and obfuscator.io.
There’s lots of other types as well, but this is a good place to start. First, the simplest type, one with hex encoded strings. You can play with that one here: gist.github.com/krautface/aed4…
Aug 2, 2019 • 37 tweets • 13 min read
Want to learn to hunt for some #magecart infrastructure? Then you've come to the right place. Going to walk you through how to do it, from the very start to the end. /thread (probably 30-35 tweets, so hope you're interested)
Just found a couple of domains that I haven't seen elsewhere, so if you stick through to the end you'll get to see newly discovered infrastructure. If you somehow knew of it already, let's talk, I'd be curious how you came upon them.
2/x
Jun 10, 2019 • 10 tweets • 3 min read
A week or so ago I broke down one #magecart loader, which was pretending to be Google Analytics -
Today, let's look at another version of this they use which purports to be Google Tag Manager. Most of this will look pretty similar to the GA version.
So here's the code we'll be looking at as you would see it on an infected website: gist.github.com/krautface/e0f8…
and then here's the same thing prettified: gist.github.com/krautface/e8f0…
May 29, 2019 • 13 tweets • 4 min read
Annoyed as hell with a certain company's abuse department, so let's examine one of these #magecart / digital skimming loader techniques. The goal here will be to figure out what script it's trying to load. A thread, or something.
1/13
Here's a common technique from a group. They try to make it look like something for Google Analytics, but it's clearly not. So what is it doing?