In November last year, security researchers discovered that the the infamous malware, known for harvesting credit card details from checkout forms,could re-infect even after clean-up.
Now, Magecart is active once again in notorious campaigns in which 277 e-commerce websites were infected in supply-chain attacks. What does this mean?
New Magecart Campaigns Detected
RiskIQ researchers have also been closely monitoring the Magecart group. Apparently, Group 12 created its infrastructure in September last year, domains were registered, SSL certificates were set up through LetsEncrypt, and the skimming backend was installed. The hackers also utilize a small snippet with a base64 encoded URL for the resource which is decoded at runtime and injected into the page, RiskIQ’s report highlights.
The group managed to compromise targeted websites through Adverline at the end of 2018.
It should be noted that Magecart Group 12’s skimming code is slightly different, with “an interesting twist” – it protects itself from deobfuscation and analysis by performing an integrity check on itself.
As for the actual injection script, it arrives in two stages, both designed to perform a self-integrity check. Here’s how the two stages take place, as explained by RiskIQ:
– The entire first stage is executed as a function, which is globally defined (this is important)
– The second stage is encoded and padded with junk data, which is written into a new div object
– This second-stage data is then unpadded, decoded, and eventually executed
– If the check validates the next stage is executed.