Credit card skimmer evades Virtual Machines

Threat actors behind a Magecart skimmer use in-browser virtual-machine detection via WebGL to distinguish real victims from researchers or sandboxes. If the machine passes the check, the skimmer exfiltrates sensitive data via a single POST request while employing obfuscation and anti-debugging to evade analysis. #Magecart #VirtualBox #SwiftShader #llvmpipe #WebGL

Keypoints

  • The skimmer leverages the WebGL API to identify the user’s graphics renderer, revealing whether it is typical of a VM or physical machine.
  • It searches for indicators like swiftshader, llvmpipe, and virtualbox to detect virtualization environments and exclude researchers and sandboxes.
  • The in-browser VM check is used to ensure only real victims are targeted by the skimmer.
  • Once past the checks, the skimmer collects personal data (name, address, email, phone), credit card details, password, browser user-agent, and a unique user ID.
  • Data is encoded and exfiltrated to the attacker’s host via a single POST request.
  • The campaign employs code obfuscation, anti-debugger tricks, and anti-VM measures as evasion techniques; Malwarebytes lists IOCs associated with the activity.
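The renderer check described above, as an added defender-side example that is not code from the Malwarebytes post: one helper tells a sandbox operator whether a given WebGL renderer string would be classified as virtual by the substring test the post describes (swiftshader, llvmpipe, virtualbox), and a second performs a static scan of script text for that renderer query combined with those indicators. Case-insensitive matching, the sample renderer strings and the scoring threshold are assumptions.

```javascript
// Added example, not the skimmer's or Malwarebytes' code.
// Indicator substrings named in the post; case-insensitive match is an assumption.
const VM_RENDERER_MARKERS = ["swiftshader", "llvmpipe", "virtualbox"];

// Would the skimmer's check treat this renderer string as a VM?
// Sandbox operators can run their own UNMASKED_RENDERER_WEBGL value through it
// to learn whether the skimmer would refuse to run in their environment.
function rendererLooksVirtual(renderer) {
  const r = String(renderer || "").toLowerCase();
  return VM_RENDERER_MARKERS.some((m) => r.includes(m));
}

// Browser-only: read the unmasked renderer through the standard WebGL
// debug extension. Returns null outside a browser so the file loads in Node.
function currentRenderer() {
  if (typeof document === "undefined") return null;
  const gl = document.createElement("canvas").getContext("webgl");
  if (!gl) return null;
  const ext = gl.getExtension("WEBGL_debug_renderer_info");
  return ext ? gl.getParameter(ext.UNMASKED_RENDERER_WEBGL) : null;
}

// Static detection over script source: a script that queries the unmasked
// renderer AND carries two or more VM indicator strings is flagged.
// The threshold of two is a hypothetical choice for this example.
function scanScriptForAntiVm(source) {
  const src = String(source);
  const queriesRenderer = /WEBGL_debug_renderer_info|UNMASKED_RENDERER_WEBGL/i.test(src);
  const markers = VM_RENDERER_MARKERS.filter((m) => src.toLowerCase().includes(m));
  return { queriesRenderer, markers, suspicious: queriesRenderer && markers.length >= 2 };
}

// Constructed sample renderer strings (not taken from the post).
const SAMPLE_RENDERERS = [
  "Google SwiftShader",
  "llvmpipe (LLVM 12.0.0, 256 bits)",
  "VirtualBox Graphics Adapter",
  "ANGLE (NVIDIA, NVIDIA GeForce GTX 1060 Direct3D11 vs_5_0 ps_5_0)",
];

for (const r of SAMPLE_RENDERERS) {
  console.log(rendererLooksVirtual(r) ? "VM-like  " : "physical ", r);
}
```

The static scan only sees plain strings; since the post notes the skimmer is obfuscated, it is useful on deobfuscated samples or as a secondary signal, not as a standalone signature.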

MITRE Techniques

  • [T1497] Virtualization/Sandbox Evasion – The skimmer checks for virtualization software to filter out researchers and sandboxes. “By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.”
  • [T1082] System Information Discovery – It uses the WebGL API to gather system information and identify the graphics renderer. “There is one interesting function within this skimmer script that uses the WebGL JavaScript API to gather information about the user’s machine. We can see that it identifies the graphics renderer and returns its name.”
  • [T1027] Obfuscated/Compressed Files and Information – The page notes code obfuscation, anti-debugger tricks, and anti-VM checks. “In addition to code obfuscation, anti-debugger tricks and now anti-vm checks.”
  • [T1041] Exfiltration Over C2 Channel – Data is encoded and sent to the host via a single POST. “The data is then encoded and exfiltrated to the same host via a single POST request.”

Indicators of Compromise

  • [Domain] – cdn.megalixe.org, apis.murdoog.org, and other domains – data/communication endpoints used by the skimmer
  • [IP Address] – 89.108.127.254, 89.108.127.16, and other IPs – involved in hosting/exfiltration infrastructure

Read more: https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/