Researchers at Malwarebytes have discovered a new Magecart group whose skimmer uses a browser-side script to detect the virtualized environments that security researchers use for threat analysis, and refuses to run there. Magecart-affiliated groups continue to attack e-commerce sites in order to steal payment card data using software skimmers.
The new campaign was discovered by the Malwarebytes team. The skimmer adds an extra in-browser check that uses the WebGL JavaScript API to inspect the visitor's machine and make sure it is not a virtual machine, the researchers showed in a blog post published Wednesday.
Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post, “By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.” Threat actors are constantly looking for new and creative ways to avoid being caught, because their usual activity is so familiar to defenders.
For malware in general, detecting the virtual machines used by security researchers and by sandboxing solutions is the “most popular method” of evading detection. For web-based threats, however, “detection of virtual machines through the browser is more rare”; threat actors typically filter their targets by geolocation and user-agent string instead.
According to the researchers, the script queries WebGL for the name of the graphics renderer. Many virtual machines have no GPU passthrough, so the browser falls back from the hardware (GPU) renderer to a software renderer; in other cases the graphics adapter is emulated by the virtualization software and is identifiable by its name.

The researchers added: “We can see that the skimmer is looking for the words swiftshader, llvmpipe, and virtualbox. SwiftShader is used by Google Chrome, while llvmpipe is used by Firefox as a fallback renderer.”
The skimmer treats the presence of any of the words swiftshader, llvmpipe or virtualbox in the renderer name as a sign that it is executing inside a virtual machine and stays dormant. The check is a heuristic, not proof: the same software-renderer names also appear on bare-metal systems with no working GPU driver and in headless browsers, so a real shopper on such a machine would simply not be skimmed. When the script runs on a machine that passes the check, the skimmer scrapes a variety of checkout fields, including the customer’s name, address, email and phone number, as well as their credit card information.
The skimmer also steals passwords for online stores where the victim has an account, together with the browser’s user-agent string and a unique user ID. The stolen data is encoded and then exfiltrated over the network.
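As an added illustration (not code from Malwarebytes or from the skimmer itself), the following JavaScript reproduces the renderer-name check described above and adds the sandbox-side override an analyst would use to defeat it. The sample renderer strings, the offline stand-in for a WebGL context, and the names readRenderer, looksVirtualized, checkThisBrowser, spoofRenderer, fakeContext and demo are constructed for this example; WEBGL_debug_renderer_info, UNMASKED_RENDERER_WEBGL and RENDERER are real WebGL names and constants.

```javascript
// Substrings the article says the skimmer looks for (compared lower-cased).
const VM_MARKERS = ['swiftshader', 'llvmpipe', 'virtualbox'];

// Read the renderer name from a WebGL context the way page JavaScript can:
// the unmasked string from WEBGL_debug_renderer_info when the browser exposes
// that extension, otherwise the generic RENDERER string.
function readRenderer(gl) {
  const dbg = gl.getExtension('WEBGL_debug_renderer_info');
  if (dbg) {
    const unmasked = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
    if (unmasked) return String(unmasked);
  }
  return String(gl.getParameter(gl.RENDERER) || '');
}

// The skimmer's decision: returns the marker that matched (e.g. 'llvmpipe')
// or null when the name looks like real hardware.
function looksVirtualized(renderer) {
  const r = renderer.toLowerCase();
  return VM_MARKERS.find((m) => r.includes(m)) || null;
}

// Browser entry point: create an offscreen canvas and run the check.
// Returns null when there is no DOM (e.g. under Node) or no WebGL context.
function checkThisBrowser() {
  if (typeof document === 'undefined') return null;
  const canvas = document.createElement('canvas');
  const gl = canvas.getContext('webgl') || canvas.getContext('experimental-webgl');
  if (!gl) return null;
  const name = readRenderer(gl);
  return { renderer: name, marker: looksVirtualized(name) };
}

// Sandbox-side countermeasure (hypothetical helper): wrap getParameter on a
// context, or on WebGLRenderingContext.prototype, so both renderer queries
// return a hardware-like string. Every other query is passed through.
function spoofRenderer(target, fakeRenderer) {
  const original = target.getParameter;
  target.getParameter = function (pname) {
    const dbg = this.getExtension('WEBGL_debug_renderer_info');
    if (pname === this.RENDERER || (dbg && pname === dbg.UNMASKED_RENDERER_WEBGL)) {
      return fakeRenderer;
    }
    return original.call(this, pname);
  };
}

// Constructed stand-in for a WebGL context so the demo runs offline. The enum
// values are the real WebGL constants (RENDERER = 0x1F01,
// UNMASKED_RENDERER_WEBGL = 0x9246); the renderer string is whatever is given.
function fakeContext(rendererString) {
  const RENDERER = 0x1f01;
  const UNMASKED_RENDERER_WEBGL = 0x9246;
  return {
    RENDERER,
    getExtension(name) {
      return name === 'WEBGL_debug_renderer_info' ? { UNMASKED_RENDERER_WEBGL } : null;
    },
    getParameter(pname) {
      if (pname === UNMASKED_RENDERER_WEBGL || pname === RENDERER) return rendererString;
      return null;
    },
  };
}

// Constructed sample renderer strings in the shape browsers report them.
const SAMPLES = {
  chromeSoftware: 'ANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero) (0x0000C0DE)), SwiftShader driver)',
  mesaSoftware: 'Mesa/X.org, llvmpipe (LLVM 12.0.0, 256 bits)',
  vbox: 'VirtualBox Graphics Adapter',
  hardware: 'ANGLE (NVIDIA, NVIDIA GeForce GTX 1060 Direct3D11 vs_5_0 ps_5_0, D3D11)',
};

// Classify each sample, then show that the override hides the marker on a
// context that would otherwise be flagged as a VM.
function demo() {
  const results = {};
  for (const [label, name] of Object.entries(SAMPLES)) {
    results[label] = looksVirtualized(readRenderer(fakeContext(name)));
  }
  const sandbox = fakeContext(SAMPLES.mesaSoftware);
  const before = looksVirtualized(readRenderer(sandbox));
  spoofRenderer(sandbox, SAMPLES.hardware);
  const after = looksVirtualized(readRenderer(sandbox));
  return { results, before, after };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run under Node to see the three software-renderer samples flagged and the hardware name passed. In a browser, calling checkThisBrowser() from the devtools console shows what your own analysis VM reports; if it contains one of the markers, installing spoofRenderer(WebGLRenderingContext.prototype, '...') before any page script runs (for example from a browser extension's content script or a devtools script override) makes the sandbox present a hardware name, so the skimmer activates and can be observed. Because the check is plain substring matching, the same override also works when the skimmer reads the generic RENDERER string instead of the unmasked one.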
Indicators of Compromise (IOCs)
cdn[.]megalixe[.]org
con[.]digital-speed[.]net
apis[.]murdoog[.]org
static[.]opendwin[.]com
css[.]tevidon[.]com
mantisadnetwork[.]org
static[.]mantisadnetwork[.]org
stage[.]sleefnote[.]com
js[.]speed-metrics[.]com
troadster[.]com
nypi[.]dc-storm[.]org
web[.]webflows[.]net
js[.]librarysetr[.]com
librarysetr[.]com
opendwin[.]com
app[.]rolfinder[.]com
libsconnect[.]net
artesfut[.]com
js[.]artesfut[.]com
js[.]rawgit[.]net
js[.]demo-metrics[.]net
demo-metrics[.]net
dev[.]crisconnect[.]net
m[.]brands-watch[.]com
graph[.]cloud-chart[.]net
hal-data[.]org
stage[.]libsconnect[.]net
app[.]iofrontcloud[.]com
iofrontcloud[.]com
alligaturetrack[.]com
webflows[.]net
tag[.]listrakbi[.]biz
api[.]abtasty[.]net
cloud-chart[.]net
cdn[.]getambassador[.]net
climpstatic[.]com
stst[.]climpstatic[.]com
marklibs[.]com
st[.]adsrvr[.]biz
cdn[.]cookieslaw[.]org
clickcease[.]biz
89.108.127[.]254
89.108.127[.]16
82.202.161[.]77
89.108.116[.]123
82.202.160[.]9
89.108.116[.]48
89.108.123[.]28
89.108.109[.]167
89.108.110[.]208
50.63.202[.]56
212.109.222[.]225
82.202.160[.]8
82.202.160[.]137
192.64.119[.]156
89.108.109[.]169
82.202.160[.]10
82.202.160[.]54
82.146.50[.]89
82.202.160[.]123
82.202.160[.]119
194.67.71[.]75
77.246.157[.]133
82.146.51[.]242
89.108.127[.]57
185.63.188[.]84
89.108.123[.]168
185.63.188[.]85
82.146.51[.]202
185.63.188[.]59
89.108.123[.]169
185.63.188[.]71
For more cyber security news in crisp form, follow our site on Twitter (@cyberworkx1) and LinkedIn.