Malware Analysis and Reverse Engineering: Analysing Magecart Skimmer

December 16, 2020
Last update posted on February 3, 2024

Attacks that involve malware are one of the most prevalent threats on the internet. Malware is a malicious piece of code that infiltrates a computer and disrupts operations. Attackers develop malicious software and tailor them to serve specific purposes such as key logging, hijacking, phishing, etc., while targeting businesses or individuals across various sectors. Gathering insights into the properties and traits of such malware can help mitigate security threats to organizations and improve its security posture.

 

MA&RE: The Race Horse of Threat Intelligence

Malware Analysis and Reverse Engineering (MA&RE) allows incident responders to extract threat intelligence from malware samples, yielding information about both the malware and the threat group responsible. By analysing the actual working code written by the threat actor, MA&RE lets us recover the logic behind the malware from under the layers of obfuscation that actors add to throw researchers off their track.

The following threat intelligence can be obtained with the help of MA&RE:

  • Indicators of Compromise (IoCs): URLs, domains, C2 IPs
  • Evasion techniques
  • Infecting mechanisms
  • Use of zero-day exploits/ vulnerabilities
  • Lateral movement and compromise

In this post, we explore the process of Malware Analysis and Reverse Engineering (MA&RE) by analysing Magecart’s skimming malware.

 

The Rise of Magecart 

Magecart is a hacking group that targets shopping cart tools and systems to steal customers' payment information. Shopping carts are easy targets for skimming attacks: once a payment page is compromised, it is quite convenient for threat actors to siphon payment (card) details and other sensitive information from users.

A web skimmer is malware written in JavaScript that attackers inject into targeted websites. To get it onto a site, they either:

  • Compromise the website or the web-server itself through:
    • Brute force login attempts 
    • Phishing attacks
    • Social engineering
    • Exploiting known software vulnerabilities
  • Carry out supply chain attacks and compromise third-party tools that the website uses: since a third-party tool has many clients, compromising one such tool means every website that uses it can be compromised. For instance, if a threat actor compromises a third-party eCommerce platform like Magento, the thousands of retailers that do business through it are also exposed to attack.

 

Magecart’s Modus Operandi

Client-side web skimming attacks are triggered by the unsuspecting victims themselves. Once the attacker gains access to the website and places Magecart's skimming code in it, the code searches for a checkout page and adds listeners to the submit button of the payment form. When the customer then clicks the submit button to send their card details and other information to initiate the payment, the malicious code skims the entered data and sends it directly to the attacker's server.

Magecart attackers use different methods to spread the infection and to evade detection. Among these techniques are encoding the content of the code, such as its strings, with Base64, and obfuscating the malicious code before publishing it.

Once the attackers bypass security systems and successfully skim the payment page:

  • They sell the stolen cards on dark web marketplaces, or
  • Use the compromised cards to carry out other fraudulent schemes.

 

Dissecting a Skimmer 

In this section we walk through the analysis of a skimmer, using a Magecart sample as our example.

First, the malicious code is injected into a legitimate payment form; once the page is loaded and the client starts interacting with it, the code is activated on the client's side. The code is usually obfuscated to avoid detection.

1. The first layer of the Magecart pattern holds an array of dataTokens containing all the strings used by the code. In some cases the data is encoded with Base64.

Image1 – Encoded dataTokens

Magecart uses heavy obfuscation to hide the skimmer. In this sample, the items in the array are shifted five times, rotating the elements to the right, and the rest of the malicious code only works once this rotation has been applied.

Image2 – Shifting function for the dataToken array

2. Once the array is shifted, the dataTokens are decoded to recover the original data. The code uses the atob() function to turn the Base64-encoded data back into plain text.

Image3 – Decoding function

 

Image4 – Decoded dataTokens

In Image4 we can see the decoded dataTokens.
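As an added example (not code from the post or from the sample itself), the two first-layer steps above, rotating the token array five places to the right and then Base64-decoding each entry, implemented so an analyst can rebuild the string table offline; the dataTokens values are constructed stand-ins, not tokens from the real sample.

```javascript
// Added example (not code from the post): re-implementing the two
// first-layer deobfuscation steps so an analyst can recover the
// skimmer's string table offline.
//
// The dataTokens below are CONSTRUCTED sample values (Base64 of a few
// plausible strings), not tokens taken from the real Magecart sample.
const dataTokens = [
  "Y3Z2", "bG9jYWxTdG9yYWdl", "SlNPTg==", "Y2xpY2s=",
  "c3VibWl0", "YnV0dG9u", "a2V5dXA=", "Y2NfbnVtYmVy",
];

// Step 1: rotate the array to the right `count` times, the way the
// obfuscated loader does before any token is looked up. Works on a copy
// so the original array stays available for comparison.
function rotateRight(tokens, count) {
  const out = tokens.slice();
  for (let i = 0; i < count; i++) out.unshift(out.pop());
  return out;
}

// Step 2: Base64-decode each token. Browsers expose atob(); Node
// provides the same global from v16 onwards, so fall back to Buffer
// when it is missing.
const b64decode = (s) =>
  typeof atob === "function" ? atob(s) : Buffer.from(s, "base64").toString("binary");

function decodeTokens(tokens, rotateCount) {
  return rotateRight(tokens, rotateCount).map(b64decode);
}

// The loader resolves every string reference by index into this table,
// so this is what an analyst substitutes back into the final layer.
const decoded = decodeTokens(dataTokens, 5);
decoded.forEach((s, i) => console.log(i, s));
```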

 

3. The final layer of Magecart's malicious code serves two functions. The first searches for HTML elements with specific ID or class values, the fields in which the data is entered. One of the targeted elements is the button, to which the malicious code adds an event listener. Once the customer clicks the button, the listener captures all the card details entered on the page. Image5 depicts this function.

Image5 – Ready function

The second function is responsible for dumping the credit card details, which usually include the card number, CVV, and the card holder's first and last name. Image6 shows the list of information that the malicious code extracts, or skims.

Image6 – The list of data to be skimmed

The extracted data is saved in local storage, then converted to a JSON string and sent to the attacker.

Image7 – Encrypting the data section

Before it is sent, however, the data is encrypted with an asymmetric encryption algorithm, using a hardcoded public key and the JSEncrypt() library. Only the encrypted data is sent to the threat actor.

Image8 – The public key used to encrypt the data


In this Magecart sample, the code is executed once the page is loaded. It first hooks the targeted button, then runs the data dump function.

Image9 – Sending data section
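For defenders, an added example (not part of the post or of CloudSEK's tooling) that turns the traits walked through above into a heuristic scanner for scripts pulled from a checkout page; the trait weights, the review threshold of 6 and both sample scripts are constructed assumptions.

```javascript
// Added example (not code from the post or from CloudSEK): a heuristic
// scanner that scores a JavaScript file for the skimmer traits described
// above: a Base64 string table, an array-rotation loop, atob() decoding,
// click listeners, localStorage staging, JSON serialisation and JSEncrypt
// with an embedded public key. Meant for triaging scripts pulled from a
// checkout page, not as a definitive classifier; weights are assumptions.
const TRAITS = [
  { name: "base64 string table", re: /\[\s*(?:['"][A-Za-z0-9+\/=]{4,}['"]\s*,\s*){3,}/, weight: 2 },
  { name: "array rotation loop", re: /\.(?:push|unshift)\(\s*\w+\.(?:shift|pop)\(\)\s*\)/, weight: 2 },
  { name: "atob() decoding", re: /\batob\s*\(/, weight: 1 },
  { name: "click listener", re: /addEventListener\(\s*['"]click['"]/, weight: 1 },
  { name: "localStorage staging", re: /localStorage\.setItem\s*\(/, weight: 1 },
  { name: "JSON serialisation", re: /JSON\.stringify\s*\(/, weight: 1 },
  { name: "JSEncrypt usage", re: /new\s+JSEncrypt\s*\(|\.setPublicKey\s*\(/, weight: 3 },
  { name: "embedded public key", re: /-----BEGIN PUBLIC KEY-----/, weight: 3 },
];

// Returns the matched trait names and a total score; a score at or above
// the threshold (6 here, an assumed value) flags the script for manual review.
function scanScript(source, threshold = 6) {
  const matched = TRAITS.filter((t) => t.re.test(source));
  const score = matched.reduce((sum, t) => sum + t.weight, 0);
  return { hits: matched.map((t) => t.name), score, suspicious: score >= threshold };
}

// CONSTRUCTED sample: a non-functional fragment carrying only the markers.
const suspiciousSample = `
var _t=['Y3Z2','bG9jYWxTdG9yYWdl','SlNPTg==','Y2xpY2s='];
(function(a,n){while(n--){a.unshift(a.pop());}})(_t,5);
var s=atob(_t[3]);
document.querySelector('button').addEventListener('click',function(){
  localStorage.setItem('cart',JSON.stringify(d));
  var e=new JSEncrypt();e.setPublicKey('-----BEGIN PUBLIC KEY-----...');});
`;
// CONSTRUCTED benign sample: an ordinary checkout helper for comparison.
const benignSample = `
document.querySelector('#pay').addEventListener('click', function(){
  fetch('/api/checkout', {method:'POST', body: JSON.stringify(form)});
});
`;
console.log(scanScript(suspiciousSample));
console.log(scanScript(benignSample));
```

A click listener plus JSON.stringify alone stays below the threshold, so ordinary checkout code is not flagged; the weight sits on the traits a legitimate payment script has no reason to carry.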


Conclusion

Threat actors have many ways to conceal their presence and obfuscate the malicious code they use in their campaigns, rendering its detection almost impossible. This could allow supply chain attacks to skyrocket, targeting the thousands of eCommerce platforms that subscribe to the same third party. In threat intelligence research, Malware Analysis and Reverse Engineering (MA&RE) enables researchers to analyse and record the sophisticated tactics a piece of malware employs, and to turn them into actionable intelligence that can then be used to fortify businesses and individuals against such attacks.
