Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity
This blog post was authored by Jérôme Segura
Web skimming continues to be a real and impactful threat to online merchants and shoppers. The threat actors in this space greatly range in sophistication from amateurs all the way to nation state groups like Lazarus.
In terms of security, many e-commerce shops remain vulnerable because they have not upgraded their content management software (CMS) in years. The campaign we are looking at today is about a number of Magento 1 websites that have been compromised by a very active skimmer group.
We believe that Magecart Group 12, identified as being behind the Magento 1 hacking spree last fall, continues to distribute new malware that was observed by security researchers recently. These web shells known as Smilodon or Megalodon are used to dynamically load JavaScript skimming code via server-side requests into online stores. This technique is interesting as most client-side security tools will not be able to detect or block the skimmer.
Web shell hidden as favicon
While performing a crawl of Magento 1 websites, we detected a new piece of malware disguised as a favicon. The file named Magento.png attempts to pass itself as ‘image/png’ but does not have the proper PNG format for a valid image file.
The way it is injected in compromised sites is by editing the shortcut icon tags with a path to the fake PNG file. Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell.
Web shells are a very popular type of malware encountered on websites that allow an attacker to maintain remote access and administration. They are typically uploaded onto a web server after exploitation of a vulnerability (i.e. SQL injection).
To better understand what it does, we can decode the reverse Base64 encoded blurb. We see that it is meant to retrieve data from an external host at zolo[.]pw.
Further looking into the m1_2021_force directory reveals additional code very specific to credit card skimming.
The data exfiltration part matches what researcher Denis @unmaskparasites had found back in March on WordPress sites (Smilodon malware) which also steals user credentials:
A similar PHP file (Mage.php) was reported by SanSec as well:
That same path/filename was previously mentioned by SanSec during the Magento 1 EOL hacking spree:
This hints that we are possibly looking at the same threat actors then and now, which we can confirm by looking at the infrastructure being used.
Magecart Group 12 again
Because we found the favicon webshells on Magento 1.x websites we thought there might be a tie with the hacking that took place last year when exploits for the Magento 1 branch (no longer maintained) were found. RiskIQ documented these compromises and linked them with Magecart Group 12 at the time.
The newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.
There is a lot of publicly documented material on the activities of Group 1 also known for their ‘ant and cockroach‘ skimmer, their decoy CloudFlare library or their abuse of favicon files.
Dynamically loaded skimmer
There are a number of ways to load skimming code but the most common one is by calling an external JavaScript ressource. When a customer visits an online store, their browser will make a request to a domain hosting the skimmer. Although criminals will constantly expand on their infrastructure it is relatively easy to block these skimmers using a domain/IP database approach.
In comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request to the malicious domain hosting the skimming code is not made client-side but server-side instead. As such a database blocking approach would not work here unless all compromised stores were blacklisted, which is a catch-22 situation. A more effective, but also more complex and prone to false positives approach, is to inspect the DOM in real time and detect when malicious code has been loaded.
We continue to track this campaign and other activities from Magecart Group 12. Online merchants need to ensure their stores are up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers place in them. If you are shopping online it’s always good to exercize some vigilance and equip yourself with security tools such as our Malwarebytes web protection and Browser Guard.
References
https://blog.group-ib.com/btc_changer
WordPress "Smilodon" malware (decoded) that steals payment details and user credentials. Exfil domains redorn[.]space and predator[.]host. Found in the _vp_ai_ping_11669596 option in WP database
Thanks @_jamsec pic.twitter.com/KymKlVgywu— Denis (@unmaskparasites) March 13, 2021
Skimmer runs from app/Mage.php and fetches dynamic JS to insert after closing html tag.
Loader domain pathc[.]space@500mk500 @unmaskparasites @rootprivilege @xuy1202 pic.twitter.com/ICMsiBwC5x
— Sansec (@sansecio) March 4, 2021
Ants and cockroachs found in the web skimmer (injected into .js files) that sends stolen data to "autocapital[.pw/get.php". Works with forms both in English and Portuguese. pic.twitter.com/uwA1cpLyxi
— Denis (@unmaskparasites) March 3, 2020
https://community.riskiq.com/article/fda1f967
https://sansec.io/research/cardbleed
https://blog.malwarebytes.com/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/
Indicators of Compromise
facedook[.]host
pathc[.]space
predator[.]host
google-statik[.]pw
recaptcha-in[.]pw
sexrura[.]pw
zolo[.]pw
kermo[.]pw
psas[.]pw
pathc[.]space
predator[.]host
gooogletagmanager[.]online
imags[.]pw
y5[.]ms
autocapital[.]pw
myicons[.]net
qr202754[.]pw
thesun[.]pw
redorn[.]space
zeborn[.]pw
googletagmanagr[.]com
autocapital[.]pw
http[.]ps
xxx-club[.]pw
y5[.]ms
195[.]123[.]217[.]18
217[.]12[.]204[.]185
83[.]166[.]241[.]205
83[.]166[.]242[.]105
83[.]166[.]244[.]113
83[.]166[.]244[.]152
83[.]166[.]244[.]189
83[.]166[.]244[.]76
83[.]166[.]245[.]131
83[.]166[.]246[.]34
83[.]166[.]246[.]81
83[.]166[.]248[.]67
jamal.budunoff@yandex[.]ru
muhtarpashatashanov@yandex[.]ru
nikola-az@rambler[.]ru
The post Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity appeared first on Malwarebytes Labs.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.