Researchers identified a crypto-themed Magecart skimmer built on the Mr.SNIFFA toolkit that targets e-commerce sites, employing obfuscation and whitespace encoding to load its payload and exfiltrate payment data. The operation runs on Russian-hosted infrastructure via DDoS-Guard and connects to cryptocurrency-themed domains, underscoring a broader criminal ecosystem that includes crypto giveaways, mixers, and phishing services.
#MrSNIFFA #Magecart #DDoSGuard #MichaelJSaylor #RobinBanks #BrianKrebs
Key points
- The skimmer uses the mr.SNIFFA toolkit to target e-commerce sites and harvest card data, with multiple obfuscation techniques and steganography to load its code and exfiltrate data.
- Loader code is loaded from external domains (e.g., elon2xmusk[.]com) and relies on a CSS file hosted at 2xdepp[.]com/stylesheet.css to assemble the skimmer.
- The payload is hidden via whitespace encoding—over 88k lines of spaces, tabs, and newlines—that decode into the skimmer code via the loader (elon2xmusk[.]com/jquery.min.js).
- At checkout, the skimmer injects a malicious payment form to capture credit card details and exfiltrates them using encoded image data.
- The infrastructure is hosted on DDoS-Guard and tied to a crypto-themed ecosystem, including domains such as saylor2xbtc[.]com, elon2xmusk[.]com, and 2xdepp[.]com.
- The operation intertwines with other criminal services (crypto giveaways, marketplaces, and Robin Banks phishing), illustrating a broad ecosystem that supports monetization and trust erosion.
MITRE Techniques
- [T1105] Ingress Tool Transfer – The skimmer loads its payload from external domains (e.g., the JavaScript loaded from elon2xmusk[.]com/jquery.min[.]js) to install the skimmer. Quote: “the JavaScript loaded from elon2xmusk[.]com/jquery.min.js”.
- [T1027] Obfuscated/Compressed Files and Information – The payload is hidden via whitespace encoding inside a CSS/JS chain, with 88k lines of whitespace converted into binary data by the loader. Quote: “over 88k lines containing spaces, tabs and new line feeds. That encoded whitespace data is converted into binary code via the original loader (elon2xmusk[.]com/jquery.min.js).”
- [T1036] Masquerading – The skimmer's code is staged inside a file served as a stylesheet, so the loader fetches what looks like an ordinary CSS resource and uses it to assemble the skimmer. Quote: “load a special CSS file hosted at (2xdepp[.]com/stylesheet.css).”
- [T1056.003] Input Capture – At checkout, the payment form injected by the skimmer harvests card data. Quote: “the checkout page, we see the payment form injected by the skimmer.”
- [T1041] Exfiltration – Stolen card data is exfiltrated back to attackers using encoded data and sent as an image file. Quote: “Stolen credit card data will be exfiltrated back to the attackers using the same special character encoding and sent as an image file.”
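The whitespace-encoding trick described in the key points and under T1027 gives defenders a simple, robust signal: a "stylesheet" or "script" that is almost entirely spaces, tabs and newlines is not a real stylesheet or script. The following is an added triage helper written for this page, not code from the researchers or from the skimmer itself. The page does not describe the loader's actual bit mapping, so the decoder below assumes a hypothetical scheme (space = 0 bit, tab = 1 bit, one newline-terminated group of eight per byte) purely to show how an analyst would test a candidate decoding; the sample blob and the harmless hidden string are constructed here.

```python
"""Triage helper for whitespace-encoded payloads in fetched web resources.

ASSUMPTION: the real loader's encoding is not documented on the page. The
space/tab/newline scheme used here is hypothetical and exists only to show
the shape of a candidate decoder an analyst would try against a captured
resource. Everything below is constructed example code, not the skimmer.
"""
from typing import Optional

WS_CHARS = frozenset(" \t\r\n")
BIT_FOR = {" ": "0", "\t": "1"}          # hypothetical bit mapping


def whitespace_ratio(text: str) -> float:
    """Fraction of characters that are whitespace; 0.0 for empty input."""
    if not text:
        return 0.0
    return sum(1 for ch in text if ch in WS_CHARS) / len(text)


def looks_like_whitespace_payload(text: str, min_len: int = 512,
                                  ratio: float = 0.95) -> bool:
    """Heuristic flag: legitimate CSS/JS has a whitespace ratio well below
    0.5, so a sizeable resource that is almost all whitespace is suspicious.
    Thresholds are tunable; the reported sample ran to ~88k lines."""
    return len(text) >= min_len and whitespace_ratio(text) >= ratio


def decode_whitespace(text: str) -> Optional[bytes]:
    """Attempt the hypothetical decoding. Each non-empty line must be exactly
    eight space/tab characters; anything else means the scheme does not
    match, and None is returned rather than garbage."""
    out = bytearray()
    for line in text.split("\n"):
        if line == "":
            continue                     # trailing newline after last byte
        if len(line) != 8 or any(ch not in BIT_FOR for ch in line):
            return None
        out.append(int("".join(BIT_FOR[ch] for ch in line), 2))
    return bytes(out)


def encode_whitespace(data: bytes) -> str:
    """Inverse of decode_whitespace; only used to build the constructed
    sample below so the example is self-contained."""
    inv = {v: k for k, v in BIT_FOR.items()}
    return "".join("".join(inv[b] for b in format(byte, "08b")) + "\n"
                   for byte in data)


def triage(text: str) -> dict:
    """One-shot summary an analyst could log for each fetched resource."""
    return {
        "length": len(text),
        "whitespace_ratio": round(whitespace_ratio(text), 3),
        "flagged": looks_like_whitespace_payload(text),
        "decoded": decode_whitespace(text) if looks_like_whitespace_payload(text) else None,
    }


# Constructed samples: a harmless hidden string (stand-in for skimmer code)
# and an ordinary stylesheet fragment for comparison.
SAMPLE_HIDDEN = b"/* constructed sample, not the real skimmer */ console.log('decoded');"
SAMPLE_BLOB = encode_whitespace(SAMPLE_HIDDEN)
SAMPLE_CSS = "body { margin: 0; }\n.cart { display: flex; }\n"

if __name__ == "__main__":
    for name, res in (("blob", SAMPLE_BLOB), ("css", SAMPLE_CSS)):
        print(name, triage(res))
```

In practice the decoder would be swapped for whatever mapping reverse engineering of the captured loader reveals; the ratio check is scheme-independent and is the part worth wiring into a content-security review or a periodic crawl of a site's third-party resources.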
Indicators of Compromise
- [URL] context – saylor2xbtc[.]com/vqK4Pq
- [URL] context – elon2xmusk[.]com/jquery[.]min[.]js
- [URL] context – 2xdepp[.]com/stylesheet[.]css
- [IP] context – 185.178.208.174
- [IP] context – 185.178.208.181
- [Domain] context – 3houzz[.]com