Pierluigi Paganini November 07, 2021

A new Magecart group leverages a browser script to evade virtualized environments and sandboxes used by researchers.

Malwarebytes researchers have spotted a new Magecart group that uses a browser script to evade detection and the execution in virtualized environments used by security researchers for threat analysis. Hacker groups under the Magecart umbrella continue to target e-stores to steal payment card data with software skimmers. 

While malware developers often implement anti-vm features and check for registry keys and other info indicating the presence of VMware or Virtual Box, rarely do experts observe the detection of virtualized environments via the browser for web threats.

The Malwarebytes researchers uncovered threat actors that add an extra browser process that uses the WebGL JavaScript API to gather information about the user’s machine and avoid the execution in a VM.

The process identifies the graphics renderer and returns its name. Experts pointed out that for many Virtual Machines the graphics card driver will be a software renderer fallback from the hardware (GPU) renderer. In other cases, the graphics card could be supported by the virtualization software that anyway can be identified by its name.

“We notice that the skimmer is checking for the presence of the words swiftshader, llvmpipe and virtualbox. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.” wrote Jérôme Segura, Malwarebytes Head of Threat Intelligence. “By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.”

The presence of the words swiftshader, llvmpipe and virtualbox is associated with the execution inside a VM. Upon executing the script in a real machine, the software skimmer will scrape a number of fields, including the customer’s name, address, email, and phone number as well as their credit card data.

The software skimmer also collects passwords for online stores on which the victim has registered an account, the browser’s user-agent, and a unique user ID. Data are encoded and sent through a single POST request to the same server hosting the skimmer.

The analysis published by Malwarebytes includes indicators of compromise (IoCs) along with the source code of the software skimmer used in the attack.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Magecart)

[adrotate banner=”5″]

[adrotate banner=”13″]