New MageCart campaign uses browser script to avoid virtual machines

New MageCart campaign uses browser script to avoid virtual machines

Image:
New MageCart campaign uses browser script to avoid virtual machines

The tactic enables cyber actors to target only real victims, not security researchers

Researchers at cyber security firm Malwarebytes have uncovered a new Magecart threat actor that uses a unique form of evasion to ensure it bypasses virtual machines (VM) set up by security researchers and sandboxing solutions to pick up Magecart activity.

The tactic, which involves using a browser script, enables cybercriminals to target only real victims, not security researchers, in their efforts to steal payment card details from victim's machine.

Magecart is an umbrella term used for different threat groups that target organisations' payments systems by taking advantage of security flaws in ecommerce systems.

The gangs - most of them thought to be located in Russia and the CIS - inject subtle JavaScript code onto the pages of ecommerce sites to exfiltrate credit card and personal details of customers as they check out.

Magecart breaches can be difficult to detect as many companies remain unaware that their servers have been compromised by attackers. That allows the hackers to persist for weeks or even months and years without being noticed.

Malwarebytes researchers said their investigation started by looking at a newly reported domain that could possibly be related to Magecart.

After analysing the domain, they found a suspicious JavaScript being loaded alongside an image of payment methods.

The skimmer script used WebGL JavaScript API to identify the graphics renderer of the user's machine being targeted to return its name. This in-browser process gave the skimmer the information required to ensure that the user's machine was not running on a VM.

"For many virtual machines, the graphics card driver will be a software renderer fallback from the hardware (GPU) renderer," Malwarebytes Head of Threat Intelligence Jérôme Segura wrote in a blog post.

"Alternatively, it could be supported by the virtualization software but still leak its name."

According to Segura, this skimmer checks for the presence of the words virtualbox, swiftshader, and llvmpipe, because different browsers use different VMs.

Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.

After the attackers ensure that the device is not running on a VM, the data exfiltration process can take place normally. The malware scrapes a number of fields including the customer name, email, phone number, address, as well as their payment card details.

While it is usual practice for cybercriminals to try to detect VMs set up by security researchers and sandboxing solutions to detect Magecart activity, it is rare for attackers to detect VMs via the browser for web-based threats, Segura said.

The number of web-skimming attacks is constantly on the rise, according to cyber security experts.

In June last year, researches at Malwarebytes warned of a new Megecart campaign that used malicious scripts hidden in the EXIF data of a favicon image to steal payment card details of customers.

They also discovered a separate campaign in which hackers used fake icons on various websites to steal payment card details from compromised e-commerce websites.

In 2019, researchers warned that threat actors were attempting to bring old Magecart web domains back to life in renewed malvertising and ad fraud campaigns.

In 2018, a Magecart attack on British Airways compromised credit card details of around 500,000 customers.