Magecart is a hacker group that targets online shopping cart systems to steal customer payment card information.
To analyze the site more deeply, I scanned it with the urlscan.io service.
In the page, there was a link to the fileskeeper[.]org domain (registration date: 2019-09-07) loading a .js script. Apart from this redirection, the snippets above looked like countermeasures for evading security products (the lmcSrc function trick, Firebug detection logic for anti-dynamic analysis, etc., as can be seen in the urlscan.io result).
Before starting any malware analysis effort, I did a quick search on Twitter for the fileskeeper[.]org domain and found that there were mentions of this domain in relation to MageCart.
When I analyzed the PCAP of the infection traffic, the C2 server returned a "Success" message when payment card information was posted successfully. (I used any.run's HTTPS MITM proxy feature to analyze the TLS communication.)
Based on this evidence from Twitter and the suspicious momentus.js file, I was now sure that this threat was related to MageCart.
After this point, I wondered whether these malicious snippets were included in any other sites, too. So I did a quick search on publicwww.com, which is a Google-like search engine for the HTML/JS/CSS source code of websites. For my searches, I decided to go with the "most unique and common" code part of the infection chain, so I chose
lmcScr("screen-obj" part of the code.
After this search, publicwww.com found 74 similar websites that have the same JS code in their HTML. Some of them also included fileskeeper[.]org. Of course there may be false positives, but you can enrich these possible infections with other data (for example by visiting the original code, or by trying a regex search for more robust detection).
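As an added example (not code from the original post), here is the kind of regex-based check described above, run offline over constructed sample pages: it flags HTML that carries either the lmcScr("screen-obj" call or a script reference to fileskeeper[.]org, so that candidates returned by a source-code search can be triaged before manual review. The regular expressions, the sample page contents and the momentus.js path are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Indicators taken from the write-up. The snippet pattern tolerates whitespace
# and quote style so lightly reformatted copies of the call still match; the
# domain pattern catches any script or URL reference to the skimmer host.
SNIPPET_RE = re.compile(r'lmcScr\s*\(\s*["\']screen-obj', re.IGNORECASE)
DOMAIN_RE = re.compile(
    r'(?:https?:)?//(?:[\w-]+\.)*fileskeeper\.org(?:/[^\s"\'<>]*)?', re.IGNORECASE
)


@dataclass
class PageVerdict:
    url: str
    snippet_hits: int
    script_urls: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.snippet_hits > 0 or bool(self.script_urls)


def check_page(url: str, html: str) -> PageVerdict:
    """Return how many times each indicator appears in one page's HTML."""
    return PageVerdict(url, len(SNIPPET_RE.findall(html)), DOMAIN_RE.findall(html))


def triage(pages: dict) -> list:
    """Keep only suspicious pages, ordered by number of indicators found."""
    verdicts = [check_page(u, h) for u, h in pages.items()]
    hits = [v for v in verdicts if v.suspicious]
    hits.sort(key=lambda v: v.snippet_hits + len(v.script_urls), reverse=True)
    return hits


# Constructed sample pages (not real sites): both indicators, snippet only, clean.
SAMPLE_PAGES = {
    "shop-a.example": (
        '<html><body><script>var s = lmcScr("screen-obj", 1);</script>'
        '<script src="https://fileskeeper.org/js/momentus.js"></script></body></html>'
    ),
    "shop-b.example": "<html><script>lmcScr ( 'screen-obj' );</script></html>",
    "shop-c.example": '<html><script src="/static/app.js"></script></html>',
}

if __name__ == "__main__":
    for v in triage(SAMPLE_PAGES):
        print(v.url, v.snippet_hits, v.script_urls)
```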
PS: Thanks to Zeynep S. and Furkan T. for their efforts.