Magento Skimmers


Obfuscation Method Leverages Google Analytics

The obfuscation used by this campaign eventually evolved into a more elaborate form that mimics the Google Analytics tracking snippet.

[Image: Skimmer disguised as Google Analytics]

Indeed it is very similar to Google’s real code, which looks like this:

[Image: Real Google Analytics code]

The skimmer is almost indistinguishable from the legitimate analytics snippet. The only additions are a few extra base64-encoded strings and the short atob() calls that decode them; the decoded values (a script URL and a page keyword) take the place of Google's original ones.

Variations of the Malware

In the case above, the encoded values are bGlnaHRnZXRqcy5jb20vbGlnaHQuanM= (lightgetjs[.]com/light.js) and Y2hlY2tvdXQ= (checkout). For pages with the keyword “checkout” in their URLs, the code loads a credit card skimmer from lightgetjs[.]com/light.js.
As seen in the previous series of attacks, this was not the only domain used in the new wave of this campaign. We’ve found many different variations of this script with the following combinations of the encoded values (not a complete list):

aHR0cHM6Ly9hamF4c3RhdGljLmNvbS9hcGkuanM/dj0yLjMuNg==, b25lcGFnZQ==
hxxps://ajaxstatic[.]com/api.js?v=2.3.6, onepage

anNnbG9iYWwudG9wL2FwaS5qcw==, b25lcGFnZQ==
jsglobal[.]top/api.js, onepage

c2VjdGlvbi53cy9pby5qcw==, Y2hlY2tvdXQ=
section[.]ws/io.js, checkout

cmFja2FwaWpzLmNvbS9hcGkuanM=, Y2hlY2tvdXQ=
rackapijs[.]com/api.js, checkout

Infrastructure

All of these URLs resolve to the same server, which also hosts a few more domains used in this campaign:
  • mediapack[.]info Creation Date: 2017-05-04
  • lightgetjs[.]com Creation Date: 2019-04-23
  • section[.]ws Creation Date: 2019-05-20
  • sectionio[.]com Creation Date: 2019-05-20
  • rackapijs[.]com Creation Date: 2019-03-23
  • authorizeplus[.]com Creation Date: 2019-02-17
  • priceapigate[.]com Creation Date: 2019-04-23
  • ajaxstatic[.]com Creation Date: 2019-01-11
  • topapigate[.]com Creation Date: 2019-05-13
  • jsglobal[.]top
These domains have been migrating from one server to another. This past July, we saw them resolve to IPs belonging to the Chinese Alibaba.com corporation:
  • 8.208.15.67  – China Hangzhou Alibaba.com Singapore E-commerce Private Limited
  • 47.254.202.112 – China Hangzhou Alibaba.com Llc
Another variant of the script uses the following encoded values: bWFnZWVudG8uY29tL3YzL2FwaS9sb2dzLmpz (mageento[.]com/v3/api/logs.js) and b25lc3RlcGNoZWNrb3V0Cg== (onestepcheckout; the trailing Cg== decodes to a newline character).
The mageento[.]com domain was created on February 22, 2019 and is currently hosted on a server with the IP 45.114.8.166 (Hong Kong), along with a few other well-known skimmer domains such as g-statistic[.]com, googleadservicesonline[.]com, onlineclouds[.]info, onlineclouds[.]cloud.

Keywords: Black Hat Tactics, Google, Hacked Websites, Obfuscation, Magento, Exploit
http://zsn-paper.blogspot.com
