Magecart threat actors target Magento-based online stores by injecting JavaScript skimmers into checkout pages to steal payment data. The skimmer loads an overlay form from an embedded JS file, collects card details and personal information, obfuscates and exfiltrates them to a remote server; the campaign continues to evolve to evade detection.
Keypoints
- Magecart groups compromise Magento e-commerce sites to inject card-skimming scripts on checkout pages.
- The skimmer loads a payment overlay from an embedded JavaScript file “media/js/js-color.min.js” and prompts users to enter payment information.
- The sample SHA256 hash fdb135b16975bbee18d3d4d378484934f1cb1b68723969ce9ecf5ae76df253d0 indicates an obfuscated JavaScript payload.
- The malware performs anti-detect checks (anti-devtools) before proceeding, indicating evasion of security monitoring.
- Victims’ data (name, address, phone, email, card number, expiry, CVV, etc.) is collected, validated, and prepared for exfiltration.
- Data is JSON-stringified, Base64-encoded, and sent via POST to a remote exfiltration URL (united81[.]com/…png).
- IoCs include the obfuscated JS file hashes and the exfiltration domain; lukeleal.com appears only as the source referenced in a figure.
MITRE Techniques
- [T1059] Command and Scripting Interpreter – The skimmer loads a payment overlay from an embedded JavaScript file and prompts the user to enter their payment information. “the skimmer loads the payment overlay form from an embedded JavaScript file ‘media/js/js-color.min.js’ and asks the user to enter their payment information.”
- [T1027] Obfuscated Files or Information – The analysis notes a sample SHA256 hash for an obfuscated JavaScript file: “The sample hash (SHA256): fdb135b16975bbee18d3d4d378484934f1cb1b68723969ce9ecf5ae76df253d0, which is an obfuscated JavaScript file.”
- [T1518] Security Software Discovery – The malware checks for anti-detect features to avoid loading when defenses are active: “Upon executing the JavaScript, it checks for the presence of standard skimmer anti-detect features that prevent it from loading if the browser’s dev tool is open.”
- [T1417] Input Capture – It collects user-provided payment and personal details: “After checking for anti-detect, the malware allows the user to enter the payment’s credit/debit card details along with other details such as first name, last name, address, telephone, email ID, etc.”
- [T1071] Application Layer Protocol – Exfiltration uses HTTP POST to a remote URL to transfer data: “exfiltrates the Base64-encoded payment details to the below URL using the POST method.”
- [T1041] Exfiltration Over C2 Channel – The collected data is sent out to a remote domain for misuse: “exfiltrates the Base64-encoded payment details to the below URL using the POST method.”
Indicators of Compromise
- [Hash] js-color.min.js file – f5dceb6097a46b01202fececfd494de6 (MD5), 8b064625fd8566fe9ed10ebb77f4642025388a18 (SHA1), and fdb135b16975bbee18d3d4d378484934f1cb1b68723969ce9ecf5ae76df253d0 (SHA256)
- [URL] Data exfiltration domain – united81[.]com/css/images/28555284977696[.]png
- [Domain] Source site referenced in figures – lukeleal.com
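A defender-side triage routine covering both the payload shape in the Keypoints (JSON, Base64-encoded, POSTed to an image-named URL) and the indicators listed above, added here as an example; it is not code from the Cyble report or from the skimmer. The de-fanged domain and SHA256 are the page's IoCs; the request body, the Luhn-valid test card number, and the script bytes are constructed for illustration.

```python
"""Triage one captured checkout-page POST against the Magecart indicators above.
Added example, not the report's code; all sample inputs are constructed."""
import base64
import binascii
import hashlib
import json
import re
from urllib.parse import urlparse

# Indicators from the report, kept in de-fanged form as IoC feeds usually ship them.
IOC_DOMAINS_DEFANGED = {"united81[.]com"}
IOC_SHA256 = {"fdb135b16975bbee18d3d4d378484934f1cb1b68723969ce9ecf5ae76df253d0"}

# Key-name hints for the fields the report says the skimmer collects
# (card number, expiry, CVV); name/address/phone/email are matched by Luhn only.
CARD_FIELD_HINTS = ("card", "cc", "ccnum", "pan", "cvv", "cvc", "exp", "expiry")


def refang(ioc: str) -> str:
    """Turn 'example[.]com' back into 'example.com' for comparison."""
    return ioc.replace("[.]", ".")


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}


def luhn_ok(digits: str) -> bool:
    """True if the digit string is PAN-length and passes the Luhn checksum."""
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_skimmer_body(body: str):
    """Reverse the JSON -> Base64 wrapping the report describes.
    Returns the decoded dict, or None if the body is not Base64-wrapped JSON."""
    try:
        raw = base64.b64decode(body, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError, ValueError):
        return None
    return obj if isinstance(obj, dict) else None


def find_card_data(payload: dict) -> list:
    """Names of fields that look like payment-card data, by key hint or Luhn."""
    hits = []
    for key, value in payload.items():
        digits = re.sub(r"\D", "", str(value))
        if any(h in key.lower() for h in CARD_FIELD_HINTS) or luhn_ok(digits):
            hits.append(key)
    return hits


def triage_request(url: str, body: str, script_bytes: bytes = b"") -> dict:
    """Score a captured POST: IoC domain, IoC script hash, and the
    'card data posted to an image URL' pattern from the report."""
    host = urlparse(url).hostname or ""
    findings = {
        "ioc_domain": host in IOC_DOMAINS,
        "image_url_post": url.lower().endswith((".png", ".gif", ".jpg")),
        "ioc_script_hash": False,
        "card_fields": [],
    }
    if script_bytes:
        findings["ioc_script_hash"] = hashlib.sha256(script_bytes).hexdigest() in IOC_SHA256
    payload = decode_skimmer_body(body)
    if payload is not None:
        findings["card_fields"] = find_card_data(payload)
    findings["suspicious"] = bool(
        findings["ioc_domain"] or findings["ioc_script_hash"]
        or (findings["image_url_post"] and findings["card_fields"])
    )
    return findings


# Constructed sample; 4111111111111111 is a standard Luhn-valid test number, not a real card.
SAMPLE_PAYLOAD = {"firstname": "Test", "lastname": "User", "email": "test@example.invalid",
                  "telephone": "0000000000", "cc_number": "4111111111111111",
                  "cc_exp": "12/29", "cc_cvv": "123"}
SAMPLE_BODY = base64.b64encode(json.dumps(SAMPLE_PAYLOAD).encode()).decode()
SAMPLE_URL = refang("https://united81[.]com/css/images/28555284977696[.]png")  # report IoC

if __name__ == "__main__":
    print(json.dumps(triage_request(SAMPLE_URL, SAMPLE_BODY), indent=2))
```

The `image_url_post` heuristic on its own is weak (many sites legitimately fetch images), so it only raises an alert when the body also decodes to card-like fields; the domain and hash checks fire on their own because they are exact indicators from the report.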
Read more: https://blog.cyble.com/2022/09/01/highly-evasive-magecart-javascript-skimmer-active-in-the-wild/