The Magecart threat actor uses an in-browser script to evade detection by researchers & sandboxes, so it targets only victims’ machines to steal credentials & personal info.
A new Magecart threat actor is stealing people’s payment card info from their browsers using a digital skimmer with an unusual evasion technique: it detects virtual machines (VMs) from inside the browser, so it targets only actual victims & not security researchers.
The Malwarebytes team discovered the new campaign, which adds an extra browser process that uses the WebGL JavaScript API to check a user’s machine to ensure it’s not running on a VM, researchers revealed in a blog post published Wed.
Exclude Researchers
“By performing this in-browser check, the threat actor can exclude researchers & sandboxes & only allow real victims to be targeted by the skimmer,” Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in the post.
Magecart is an umbrella term for different threat groups who all compromise e-commerce websites with card-skimming scripts on checkout pages to steal customer payment & personal data.
Because their activity is so familiar to security researchers, they are constantly looking for new & creative ways to avoid being caught.
Sandboxing Solutions
Detecting VMs used by security researchers & sandboxing solutions that are set to pick up Magecart activity is “the most popular method” used to evade detection, Segura stated.
However, for web-based threats, “it is rarer to see detection of virtual machines via the browser,” he explained. Usually threat actors filter targets based on geolocation & user-agent strings, Segura wrote.
However, seeing cyber-criminals shift tactics is not surprising, he noted, demonstrating that as researchers up their game to detect & report such nefarious activity, so too do cyber-criminals adapt & evolve. “This is a natural trade-off that we must expect,” Segura wrote.
How It Is Done
In this campaign, threat actors use the WebGL JavaScript API to identify the graphics renderer of the targeted machine & return its name, which gives the skimmer the information it needs to determine whether a VM is present.
“For many virtual machines, the graphics card driver will be a software renderer fallback from the hardware (GPU) renderer,” Segura explained. “Alternatively, it could be supported by the virtualisation software but still leak its name.”
Specifically, the skimmer checks for the presence of the words swiftshader, llvmpipe & virtualbox, which correspond to the software renderers different browsers fall back to inside a VM, he explained. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.
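The renderer-name check described above can be spotted statically in scripts pulled from a checkout page. The following is an added example written for this article, not code from the Malwarebytes post or from the skimmer: a small triage scanner that flags JavaScript source combining a WebGL renderer query (WEBGL_debug_renderer_info / UNMASKED_RENDERER_WEBGL) with the three VM renderer keywords the article lists, plus a helper a sandbox operator can use to check whether their own analysis VM’s renderer string would be filtered out by this family of checks. The two sample scripts are constructed for illustration; the function names are assumptions of this example.

```javascript
// Added example for the article above; not part of the Malwarebytes post or the skimmer.
// Renderer keywords the article reports the skimmer looks for (software-renderer
// fallbacks typical of VMs): swiftshader (Chrome), llvmpipe (Firefox), virtualbox.
const VM_RENDERER_KEYWORDS = ["swiftshader", "llvmpipe", "virtualbox"];

// API names a WebGL renderer probe typically touches. Any one of these alone is
// legitimate (fingerprinting libraries and games query the renderer too), so a
// finding is only raised when they occur together with the VM keywords.
const WEBGL_PROBE_MARKERS = [
  "WEBGL_debug_renderer_info",
  "UNMASKED_RENDERER_WEBGL",
  "getParameter",
];

// Static scan of a script body. Returns which probe markers and VM keywords were
// seen, the 1-based line numbers of keyword hits, and an overall verdict.
function scanForWebGlVmCheck(source) {
  const lower = source.toLowerCase();
  const probeHits = WEBGL_PROBE_MARKERS.filter((m) => lower.includes(m.toLowerCase()));
  const keywordHits = VM_RENDERER_KEYWORDS.filter((k) => lower.includes(k));

  const keywordLines = [];
  source.split("\n").forEach((line, idx) => {
    const l = line.toLowerCase();
    if (VM_RENDERER_KEYWORDS.some((k) => l.includes(k))) keywordLines.push(idx + 1);
  });

  return {
    suspicious: probeHits.length > 0 && keywordHits.length > 0,
    probeHits,
    keywordHits,
    keywordLines,
  };
}

// Sandbox self-check: given the renderer string a browser exposes (e.g. read from
// the analysis VM's browser), tell whether it contains one of the keywords the
// article says the skimmer matches on. If true, this skimmer would skip the VM.
function rendererLooksVirtual(rendererString) {
  const lower = String(rendererString).toLowerCase();
  return VM_RENDERER_KEYWORDS.some((k) => lower.includes(k));
}

// Constructed sample 1: a script that queries the renderer and matches the VM
// keywords (shape of the evasion described in the article, not real skimmer code).
const SAMPLE_EVASION_SNIPPET = [
  "var gl = document.createElement('canvas').getContext('webgl');",
  "var dbg = gl.getExtension('WEBGL_debug_renderer_info');",
  "var r = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);",
  "if (/swiftshader|llvmpipe|virtualbox/i.test(r)) { /* stop here */ }",
].join("\n");

// Constructed sample 2: a benign fingerprinting-style query with no VM keywords;
// it should not be flagged.
const SAMPLE_BENIGN_SNIPPET = [
  "var dbg = gl.getExtension('WEBGL_debug_renderer_info');",
  "stats.renderer = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(scanForWebGlVmCheck(SAMPLE_EVASION_SNIPPET));
  console.log(scanForWebGlVmCheck(SAMPLE_BENIGN_SNIPPET));
  console.log(rendererLooksVirtual("Google SwiftShader"));
}
```

Because the renderer query itself is common in legitimate analytics and anti-fraud scripts, the scanner deliberately treats the API calls alone as benign and only reports the combination with the VM keywords; a sandbox whose self-check returns true should be given a renderer string that does not match, or the skimmer will never reach its data-collection stage under analysis.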
Extracts Personal Data
If the targeted machine passes the check, the skimmer then extracts personal data in a typical way for such campaigns, scraping a number of fields including the customer’s name, address, email & phone number as well as their credit-card data.
The skimmer also collects any password used for online stores on which the person has registered an account, the browser’s user-agent & a unique user ID.
Single Post Request
It then encodes the data & sends it to the same site hosting the skimmer using a single POST request, Segura wrote.
Malwarebytes has included the skimmer code as well as a comprehensive list of indicators of compromise in its post to help people avoid being targeted & compromised by the campaign.