Posted on Leave a comment

Magecart Group Uses New Technique To Circumvent Virtual Machines And Sandboxes.

Researchers at Malwarebytes have discovered a new Magecart group that uses a browser script to avoid detection and execution in virtualized environments used by security researchers for threat analysis. Magecart-affiliated hacker groups continue to attack e-commerce sites in order to steal payment card data using software skimmers.

The new campaign was discovered by the Malwarebytes team, which adds an extra browser process that uses the WebGL JavaScript API to check a user’s machine to ensure it isn’t running on a VM, researchers showed in a blog post published Wednesday.

Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in a post, “By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.” Security researchers are constantly looking for new and creative ways to avoid being caught because their activity is so familiar to them.

Detecting VMs used by security researchers and sandboxing solutions that are configured to detect Magecart activity is the “most popular method” for evading detection.  However, for web-based threats, “detection of virtual machines through the browser is more rare,”  Threat actors typically filter targets based on geolocation and user-agent strings.

According to researchers, The process identifies and returns the name of the graphics renderer. The graphics card driver will be a software renderer fallback from the hardware (GPU) renderer for many Virtual Machines. In other cases, the graphics card may be supported by virtualization software, which is identifiable by its name.

We can see that the skimmer is looking for the words swiftshader, llvmpipe, and virtualbox. SwiftShader is used by Google Chrome, while llvmpipe is used by Firefox as a fallback renderer.”

The presence of the words swiftshader, llvmpipe, and virtualbox indicates that the execution is taking place within a virtual machine. When the script is run on a real machine, the software skimmer scrapes a variety of fields, including the customer’s name, address, email and phone number, as well as their credit card information.

The software skimmer also steals passwords for online stores where the victim has an account, as well as the browser’s user-agent and a unique user ID. Data is encoded and transmitted through a network.

Indicators of Compromise (IOCs)

cdn[.]megalixe[.]org

con[.]digital-speed[.]net

apis[.]murdoog[.]org

static[.]opendwin[.]com

css[.]tevidon[.]com

mantisadnetwork[.]org

static[.]mantisadnetwork[.]org

stage[.]sleefnote[.]com

js[.]speed-metrics[.]com

troadster[.]com

nypi[.]dc-storm[.]org

web[.]webflows[.]net

js[.]librarysetr[.]com

librarysetr[.]com

opendwin[.]com

app[.]rolfinder[.]com

libsconnect[.]net

artesfut[.]com

js[.]artesfut[.]com

js[.]rawgit[.]net

js[.]demo-metrics[.]net

demo-metrics[.]net

dev[.]crisconnect[.]net

m[.]brands-watch[.]com

graph[.]cloud-chart[.]net

hal-data[.]org

stage[.]libsconnect[.]net

app[.]iofrontcloud[.]com

iofrontcloud[.]com

alligaturetrack[.]com

webflows[.]net

web[.]webflows[.]net

tag[.]listrakbi[.]biz

api[.]abtasty[.]net

cloud-chart[.]net

graph[.]cloud-chart[.]net

cdn[.]getambassador[.]net

climpstatic[.]com

stst[.]climpstatic[.]com

marklibs[.]com

st[.]adsrvr[.]biz

cdn[.]cookieslaw[.]org

clickcease[.]biz

89.108.127[.]254

89.108.127[.]16

82.202.161[.]77

89.108.116[.]123

82.202.160[.]9

89.108.116[.]48

89.108.123[.]28

89.108.109[.]167

89.108.110[.]208

50.63.202[.]56

212.109.222[.]225

82.202.160[.]8

82.202.160[.]137

192.64.119[.]156

89.108.109[.]169

82.202.160[.]10

82.202.160[.]54

82.146.50[.]89

82.202.160[.]123

82.202.160[.]119

194.67.71[.]75

77.246.157[.]133

82.146.51[.]242

89.108.127[.]57

82.202.160[.]8

185.63.188[.]84

89.108.123[.]168

77.246.157[.]133

185.63.188[.]85

82.146.51[.]202

185.63.188[.]59

89.108.123[.]169

185.63.188[.]71

89.108.127[.]16

82.202.161[.]77

–-For more Cyber security news in crisp content . Please follow our site via twitter handle @cyberworkx1, Linkedin handle @linkedin

Leave a Reply