{"id":19393,"date":"2022-06-20T14:10:09","date_gmt":"2022-06-20T22:10:09","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/06\/20\/news-13126\/"},"modified":"2022-06-20T14:10:09","modified_gmt":"2022-06-20T22:10:09","slug":"news-13126","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/06\/20\/news-13126\/","title":{"rendered":"Client-side Magecart attacks still around, but more covert"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Mon, 20 Jun 2022 21:21:04 +0000<\/strong><\/p>\n

This blog post was authored by J\u00e9r\u00f4me Segura<\/em><\/p>\n

We have seen and heard less buzz about ‘Magecart’ during the past several months. While some companies continue to rehash the same breaches of yesteryear, we have been wondering if some changes took place in the threat landscape.<\/p>\n

One thing we know is that if the Magecart threat actors decided to switch their operations exclusively server-side then the majority of companies, including ours, would lose visibility overnight. This is why we often look up to researchers that work the website cleanups. If something happens, these guys would likely notice it.<\/p>\n

We followed the trail on two recent reports that proved to be worthwhile. It allowed us to make a connection to a previous campaign and identify new pieces of a pretty wide infrastructure.<\/p>\n

For now we can say that Magecart client-side attacks are still around and that we could easily be missing them if we rely on automated crawlers and sandboxes, at least if we don’t make them more robust.<\/p>\n

Newly reported domains linked with ‘anti-VM’ skimmer<\/h2>\n

On June 12, @rootprivilege tweeted<\/a> about a hacked stored injected with the host js.staticounter[.]net that looked highly suspicious. When originally captured, the JavaScript appeared to be clean but it was confirmed to be malicious by @AffableKraut who posted<\/a> a screenshot of the skimmer code<\/a>.<\/p>\n

A few days before @rootprivilege posted about this skimmer, @Sansec tweeted<\/a> about another new skimmer domain at scanalytic[.]org. Comparing the two which are both on the same ASN (AS29182), we concluded that they are related.<\/p>\n

\n
\"\"<\/a><\/figure>\n<\/div>\n

We were able to connect these 2 domains with a previous campaign from November 2021 which was the first instance to our knowledge of a skimmer checking for the use of virtual machines<\/a>. However, both of them are now devoid of VM detection code. It’s unclear why the threat actors removed it, unless perhaps it caused more issues than benefits.<\/p>\n

\n
\"\"<\/a><\/figure>\n<\/div>\n

There are other differences with the newest skimmer sample from @rootsecdev such as different naming schemes for important input fields. As you can see, in the former case these are explicitly referenced (i.e. CcNumber) while in the later iteration the names are generic web terms, making them less obvious.<\/p>\n

\n
\"\"<\/a><\/figure>\n<\/div>\n

Additional infrastructure<\/h2>\n

Using the urlscan.io service, we were able to discover additional infrastructure related to this ongoing campaign. We started our search with any recent submissions that made contact with an IP address belonging to AS29182.<\/p>\n

The table below shows hostnames, their IP address and the date they were first seen on urlscan.io. Most of those were previously unknown to us until we recently started this investigation. You can click on the hyperlinks to load the corresponding sandbox pages, but note that a majority of them do not contain the actual skimmer code. This is most likely because the malicious infrastructure detected that urlscan.io’s sandbox was not using genuine residential IP addresses.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n
Hostname<\/strong><\/td>\nIP address<\/strong><\/td>\nFirst seen<\/strong><\/td>\n<\/tr>\n
app[.]nomalert[.]org<\/a><\/td>\n185.253.32.64<\/a><\/td>\nNov 30, 2021<\/a><\/td>\n<\/tr>\n
cdn[.]base-code[.]org<\/a><\/td>\n185.253.32.59<\/a><\/td>\nJan 30, 2022<\/a><\/td>\n<\/tr>\n
web[.]dwin-co[.]jp<\/a><\/td>\n185.253.32.44<\/a><\/td>\nFeb 3, 2022<\/a><\/td>\n<\/tr>\n
dwin1[.]org<\/a><\/td>\n185.253.33.40<\/a><\/td>\nFeb 22, 2022<\/a><\/td>\n<\/tr>\n
trustedport[.]org<\/a><\/td>\n185.253.32.50<\/a><\/td>\nMarch 4, 2022<\/a><\/td>\n<\/tr>\n
h[.]lookmind[.]net<\/a><\/td>\n185.253.32.42<\/a><\/td>\nMarch 17, 2022<\/a><\/td>\n<\/tr>\n
web[.]speedstester[.]com<\/a><\/td>\n185.253.33.191<\/a><\/td>\nMarch 25, 2022<\/a><\/td>\n<\/tr>\n
search[.]global-search[.]net<\/a><\/td>\n185.253.33.188<\/a><\/td>\nApril 13, 2022<\/a><\/td>\n<\/tr>\n
static[.]clarlity[.]com<\/a><\/td>\n185.253.33.179<\/a><\/td>\nApril 20, 2022<\/a><\/td>\n<\/tr>\n
static[.]newrelc[.]net<\/a><\/td>\n185.63.190.207<\/a><\/td>\nApril 22, 2022<\/a><\/td>\n<\/tr>\n
static[.]druapps[.]org<\/a><\/td>\n185.63.190.183<\/a><\/td>\nMay 26, 2022<\/a><\/td>\n<\/tr>\n
js[.]imagero[.]org<\/a><\/td>\n185.63.190.144<\/a><\/td>\nMay 27, 2022<\/a><\/td>\n<\/tr>\n
common[.]quatserve[.]com<\/a><\/td>\n185.63.190.118<\/a><\/td>\nMay 30, 2022<\/a><\/td>\n<\/tr>\n
static[.]lookmetric[.]com<\/a><\/td>\n185.63.190.163<\/a><\/td>\nJune 3, 2022<\/a><\/td>\n<\/tr>\n
cdn[.]boxsearch[.]org<\/a><\/td>\n185.63.190.205<\/a><\/td>\nJune 11, 2022<\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

Validating skimmer activity<\/h2>\n

For the domains that are still responding, we can use information collected by urlscan.io and replay the attack using a genuine residential IP address and mimicking a real shopper’s experience. The image below shows the difference between a crawler session via VPN and one done manually with real network settings.<\/p>\n

\n
\"\"<\/a><\/figure>\n<\/div>\n

This allows us to confirm beyond doubt that the domains are indeed malicious, although their ASN should already be enough to proactively block them.<\/p>\n

Connection with previous skimmer activity<\/h2>\n

Based on one hash<\/a>, we can connect these skimmers to past activity going back to at least May 2020<\/a>. One of the hostnames from our previous blog on the anti-vm skimmer, con[.]digital-speed[.]net, was loading<\/a> this resource as well. <\/p>\n

\n
\"\"<\/a><\/figure>\n<\/div>\n

We can see 3 different themes used by the threat actor to hide their skimmer, named after JavaScript libraries:<\/p>\n