New Kritec Magecart skimmer found on Magento stores


Compromised online stores have been injected with skimmers hiding around the Google Tag Manager script. We identified a new one that looked similar at first but is part of a different campaign.

Threat actors often compete for the same resources, and this couldn’t be further from the truth when it comes to website compromises. After all, if a vulnerability exists one can expect that it will be exploited more than once.

In the past, we have seen such occurrences with Magecart threat actors for example in the breach of the Umbro website. Recently, while reading a blog post from security vendor Akamai, we spotted a similar situation. In the listed indicators of compromise, we noticed domains that we had seen used in a distinct skimming campaign which didn’t seem to be documented yet.

In fact, we saw instances of compromised stores having both skimmers loaded, which means double trouble for victims as their credit card information is stolen not just once but twice. In this blog post, we show how the newly found Kritec skimmer was found along side one of its competitors.

Original campaign using WebSockets

Researchers at Akamai reported on a Magecart skimmer campaign disguised as Google Tag Manager that also made the news with the compromise of one of Canada’s largest liquor store (LCBO). While details were not shared at the time, we were able to determine thanks to an archived crawl on urlscan.io that the skimmer was using WebSockets and is the same one as described in Akamai’s blog. 

Kritec campaign

Akamai notes that they identified multiple compromised websites that had similarities. They also list nebiltech[.]shop in their IOCs which is a domain we sometimes saw injected near the Google Tag Manager script, but not within it.

New Kritec Magecart skimmer found on Magento stores

We believe this is a different campaign and threat actor altogether. Here are some reasons why:

  • No WebSocket being used
  • Domains abusing Cloudflare
  • Intermediary loader
  • Completely different skimming code

To complicate things, we observed some stores that had both skimmers at the same time, which is another reason why we believe they are not related:

New Kritec Magecart skimmer found on Magento stores

We started calling this new skimmer ‘Kritec’ after one of its domain names. It has an interesting way of loading the malicious JavaScript we had not seen before either. The injected code calls out a first domain (seen above encoded in Base64) and generates a Base64 response:

New Kritec Magecart skimmer found on Magento stores

Decoding it reveals a URL pointing to the actual skimming code, which is heavily obfuscated (likely via obfuscator.io):

New Kritec Magecart skimmer found on Magento stores

The data exfiltration is also done differently as seen in the image below. On the left, the stolen credit card data is sent via a WebSocket skimmer while on the right, it is a POST request:

New Kritec Magecart skimmer found on Magento stores

Google Tag Manager variants

In the past months there have been several Magecart skimmers abusing Google Tag Manager in one way or another. We mentioned Akamai’s blog but it was also documented by Recorded Future. In those instances, the malicious was actually embedded in the Google Tag Manager library itself, which is very clever and difficult to detect.

While the Kritec skimmer hangs around the Google Tag Manager script, we believe it is not related to the other active campaigns. We have been documenting it recently and are reporting the abuse to Cloudflare which it uses to hide its real infrastructure.

Malwarebytes customers are shielded against this campaign via our web protection in Endpoint Protection (EP), Endpoint Detection and Response (EDR) and Malwarebytes Premium.

Indicators of Compromise

WebSocket Skimmer:

cloud-cdn[.]org

Kritec skimmer:

kritec[.]pics

vitalmob[.]pics

flowit[.]pics

flagmob[.]quest

entrydelt[.]sbs

sanpatech[.]shop

prijetech[.]shop

nebiltech[.]shop

kruktech[.]shop

lavutele[.]yachts

tochdigital[.]pics

smestech[.]shop

klstech[.]shop

shotsmob[.]sbs

gemdigit[.]pics

nevomob[.]quest

vuroselec[.]quest

apexit[.]yachts

sorotele[.]yachts

bereelec[.]quest

bereelec[.]quest/ww[.]min[.]js

apexit[.]yachts/apex[.]min[.]js

vuroselec[.]quest/dych[.]min[.]js

nevomob[.]quest/elan-loader[.]js

gemdigit[.]pics/wpp-loader[.]js

gemdigit[.]pics/sun-loader[.]js

klstech[.]shop/opencart-cache-worker[.]min[.]js

tochdigital[.]pics/digital[.]min[.]js

vitalmob[.]pics/pre-loader[.]js



Source link