Hunting MageCart infections using OSINT sources

Magecart is a hacker group that targets online shopping cart systems to steal customer payment card information.

During one of my web browsing sessions, my AV product raised an alert for possible malicious JavaScript activity. For an initial triage, I wanted to determine what kind of malware activity had created this alert, how it is triggered and which C2 addresses (if any) it uses, in order to check whether there had been any successful compromise in the environment. During my whole analysis, the infection was still active on the web page.

To analyze it more deeply, I scanned the site with the Urlscan.io service:

https://urlscan.io/result/48b9bef0-3459-42eb-a957-55df84fe22fa/dom/

In the page, there was a link to the fileskeeper[.]org domain (registration date: 2019-09-07) for a .js script. Apart from this redirection, the snippets above looked like countermeasures for evading security products (such as the lmcSrc function trick, Firebug detection logic for anti-dynamic analysis, etc., as can be seen on the URLScan link).

Before starting any malware analysis effort, I did a quick search on Twitter for the fileskeeper[.]org domain and found mentions of this domain related to MageCart.

On my Remnux analysis VM, I did some basic pre-processing of the JavaScript from the http://fileskeeper[.]org/p/assets/momentus.js URL (https://urlscan.io/result/97936a18-e004-4cf1-a222-0071f5a03645/dom/) using the js-beautify tool and saw payment-card-stealing code there. As you can see in the lower part of the screenshot, there were mentions of Cvv, ExpData and CcNumber.

When I analyzed the PCAP of the infection traffic, I saw that the C2 server returns a "Success" message if the payment card information is posted successfully. (I used any.run's HTTPS MITM proxy feature to analyze the TLS communication.)

Based on this evidence from Twitter and the suspicious momentus.js file, I was now sure that this threat was related to MageCart.

After this point, I wondered whether these malicious snippets were included in any other sites, too. So I did a quick search on publicwww.com, which is a Google-like search engine for the HTML/JS/CSS source code of websites. For my searches, I decided to go with the "most unique and common" code part of the infection chain, so I chose the lmcScr("screen-obj" part of the code.

After this search, publicwww.com found 74 similar websites that have the same JS code in their HTML. Some of them also included fileskeeper[.]org. Of course there may be false positives, but you can enrich these possible infections with other data (like inspecting the original code, or trying a regex search for more robust detection, etc.).
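As an added example (my own code, not the author's), a small Python scanner that applies the regex enrichment idea above to saved page HTML: it pulls inline script bodies and external script src values out of a page and flags the indicators named in this post (the lmcScr("screen-obj" fragment, the fileskeeper[.]org loader domain and the Cvv/ExpData/CcNumber field names). The sample pages are constructed, not real captures.

```python
import re
from html.parser import HTMLParser

# Indicators lifted from the post: the lmcScr("screen-obj" call used as the
# publicwww.com pivot, the fileskeeper[.]org loader domain (defanged form
# also accepted), and the card-field names seen in momentus.js.
INDICATORS = {
    "lmc_screen_obj": re.compile(r'lmcScr\s*\(\s*["\']screen-obj'),
    "fileskeeper_domain": re.compile(r'fileskeeper(?:\[\.\]|\.)org', re.I),
    "card_fields": re.compile(r'\b(Cvv|ExpData|CcNumber)\b'),
}

class ScriptCollector(HTMLParser):
    """Collect inline <script> bodies and external script src URLs."""
    def __init__(self):
        super().__init__()
        self.in_script, self.inline, self.srcs = False, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:          # script bodies arrive here as CDATA
            self.inline.append(data)

def scan_html(html):
    """Map indicator name -> list of matches found in the page's scripts."""
    p = ScriptCollector()
    p.feed(html)
    corpus = "\n".join(p.inline + p.srcs)
    return {name: rx.findall(corpus) for name, rx in INDICATORS.items()
            if rx.search(corpus)}

# Constructed samples (not real captures): one page carrying the loader and
# the skimmer fragments, one clean page.
INFECTED = """<html><head>
<script src="//fileskeeper.org/p/assets/momentus.js"></script>
<script>var s = lmcScr("screen-obj", 1);
var d = {CcNumber: n, Cvv: c, ExpData: e};</script></head><body>cart</body></html>"""
CLEAN = "<html><head><script src='/static/app.js'></script></head><body>ok</body></html>"
```

Run `scan_html()` over each saved page from a publicwww.com hit list; an empty result means none of the post's indicators appeared in that page's scripts.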

PS: Thanks to Zeynep S. and Furkan T. for their efforts.

Furkan ÇALIŞKAN
