Researchers at Malwarebytes have discovered a new Magecart group that uses a browser script to detect, and avoid executing in, the virtualized environments security researchers use for threat analysis. Magecart-affiliated hacker groups continue to attack e-commerce sites in order to steal payment card data using software skimmers.
Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in a post, “By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.” Threat actors are constantly looking for new and creative ways to avoid being caught, because their activity is so familiar to security researchers.
Detecting the VMs used by security researchers and the sandboxing solutions configured to catch Magecart activity is the “most popular method” for evading detection. However, for web-based threats, “detection of virtual machines through the browser is more rare.” Threat actors typically filter targets based on geolocation and user-agent strings instead.
According to the researchers, the script identifies and returns the name of the graphics renderer. In many virtual machines the graphics driver falls back from the hardware (GPU) renderer to a software renderer. In other cases, the graphics card is provided by the virtualization software itself, which is identifiable by its name.
“We can see that the skimmer is looking for the words swiftshader, llvmpipe, and virtualbox. SwiftShader is used by Google Chrome, while llvmpipe is used by Firefox as a fallback renderer.”
The presence of the words swiftshader, llvmpipe, and virtualbox indicates that the execution is taking place within a virtual machine. When the script is run on a real machine, the software skimmer scrapes a variety of fields, including the customer’s name, address, email and phone number, as well as their credit card information.
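As an added example (not code from the Malwarebytes post or from the skimmer), the following Node.js snippet shows the defender's side of this check: whether a given WebGL renderer string would cause a sandbox to be excluded by the three keywords the post names, and a simple static heuristic for flagging scripts that read the unmasked renderer name and compare it against those keywords. The renderer strings and the script fragment are constructed samples, and the function names are my own.

```javascript
// Added example, not from the Malwarebytes post: defender-side heuristics
// around the WebGL renderer check described above.

// Renderer names the skimmer keys on, as reported in the post.
const VM_RENDERER_MARKERS = ["swiftshader", "llvmpipe", "virtualbox"];

// The WebGL extension and constant a script uses to read the real
// (unmasked) renderer name in the browser.
const RENDERER_LOOKUP = /UNMASKED_RENDERER_WEBGL|WEBGL_debug_renderer_info/;

// Returns the marker that would make the skimmer treat this renderer as a
// virtual machine, or null if the string looks like a real GPU. Useful for
// checking whether an analysis sandbox would be excluded by the skimmer.
function vmMarkerInRenderer(renderer) {
  const lower = String(renderer).toLowerCase();
  return VM_RENDERER_MARKERS.find((m) => lower.includes(m)) || null;
}

// Flags script source that both reads the unmasked renderer name and
// mentions the VM markers: a strong hint that the script is sandbox-aware.
function scanForRendererVmCheck(source) {
  const lower = source.toLowerCase();
  const readsRenderer = RENDERER_LOOKUP.test(source);
  const markers = VM_RENDERER_MARKERS.filter((m) => lower.includes(m));
  return { readsRenderer, markers, suspicious: readsRenderer && markers.length > 0 };
}

// Constructed sample renderer strings (not taken from any real incident).
const SAMPLE_RENDERERS = [
  "ANGLE (Google, Vulkan 1.3.0 (SwiftShader Device (Subzero)), SwiftShader driver)",
  "llvmpipe (LLVM 15.0.7, 256 bits)",
  "ANGLE (NVIDIA, NVIDIA GeForce RTX 3060 Direct3D11 vs_5_0 ps_5_0, D3D11)",
];

// Constructed script fragment modelled on the check the post describes.
const SAMPLE_SCRIPT = `
var dbg = gl.getExtension("WEBGL_debug_renderer_info");
var r = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
if (/swiftshader|llvmpipe|virtualbox/i.test(r)) { return; }
`;

for (const r of SAMPLE_RENDERERS) console.log(r, "->", vmMarkerInRenderer(r));
console.log(scanForRendererVmCheck(SAMPLE_SCRIPT));
```

A sandbox whose renderer string matches one of the markers would be skipped by this skimmer, so hardware-accelerated WebGL (or a renderer name that does not contain them) is needed to observe the skimmer's real behaviour.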
The software skimmer also steals passwords for online stores where the victim has an account, as well as the browser’s user-agent and a unique user ID. The data is encoded before being transmitted over the network.