Malwarebytes specialists discovered that MageCart hackers use a kind of steganography: they hide web skimmers in EXIF image metadata and also use images to exfiltrate the stolen data.
Recall that the name MageCart was originally given to a single hacking group, the first to use so-called web skimmers on websites to steal bank card data. The attackers compromise sites and inject malicious code into their pages; that code records and steals payment card data as users enter it during checkout.
This approach proved so successful that the group soon acquired numerous imitators, and MageCart became a generic name that now designates a whole class of such attacks. Where RiskIQ researchers identified 12 such groups in 2018, by the end of 2019 IBM counted about 40 of them.
Recall also that Malwarebytes experts recently described a MageCart campaign in which the group set up a malicious site to host a favicon and mask malicious code. The new report describes similar malicious activity.
In an open directory on an unnamed compromised site, the researchers found a copy of the skimming kit's source code, which allowed them to gather a lot of new information and to notice that an ordinary-looking favicon.ico file carried a script embedded in its Copyright field.
According to the experts, the attack works as follows. The web skimmer was found in the EXIF metadata of an image file that hacked online stores running the WooCommerce plugin for WordPress were loading. The code that fetched the malicious image had been appended to a legitimate script that the store owners themselves had placed on their sites.
The malicious activity was traced to the domain cddn[.]site, from which the malicious favicon file was downloaded. As it turned out, the attackers used a favicon identical to the one on the compromised stores, and the web skimmer was loaded, via an HTML tag, from the Copyright field in the image's metadata.
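The hiding place described above, the Copyright field of an image's EXIF metadata, is something a defender can check for directly. The following Python script is an added example written for this article; it is not Malwarebytes' code and not the skimmer's loader. It builds a minimal JPEG whose EXIF block holds a single Copyright tag (tag 0x8298) carrying an inert placeholder string standing in for script code, parses the EXIF back out the way a file scanner would, and flags Copyright values that look like JavaScript rather than an attribution. The placeholder payload, the benign comparison string, the keyword list and the 200-character length threshold are all constructed assumptions, not values taken from the report.

```python
"""Check an image's EXIF Copyright field for embedded script.

Added example for this article, not Malwarebytes' code and not the
skimmer's loader. The JPEG is constructed inline so it runs offline.
"""
import re
import struct
from typing import Optional

EXIF_COPYRIGHT = 0x8298   # EXIF/TIFF tag number of the Copyright field
TYPE_ASCII = 2            # TIFF data type: NUL-terminated ASCII string

# Constructed, inert stand-in for skimmer code (NOT the real payload).
FAKE_PAYLOAD = b"eval(atob('aW5lcnQ='));document.getElementsByTagName('input')\x00"
BENIGN_COPYRIGHT = b"Copyright 2020 Example Shop\x00"   # constructed sample


def build_jpeg_with_exif_copyright(copyright_bytes: bytes) -> bytes:
    """Minimal JPEG: SOI, one APP1/Exif segment whose IFD0 holds only Copyright, EOI.

    Assumes the string is longer than 4 bytes, so its value is stored at an offset.
    """
    tiff_header = b"MM" + struct.pack(">HI", 42, 8)        # big-endian, magic 42, IFD0 at 8
    value_offset = 8 + 2 + 12 + 4                           # header + count + 1 entry + next-IFD
    entry = struct.pack(">HHII", EXIF_COPYRIGHT, TYPE_ASCII,
                        len(copyright_bytes), value_offset)
    ifd0 = struct.pack(">H", 1) + entry + struct.pack(">I", 0)
    exif_body = b"Exif\x00\x00" + tiff_header + ifd0 + copyright_bytes
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif_body) + 2) + exif_body
    return b"\xff\xd8" + app1 + b"\xff\xd9"


def exif_copyright(data: bytes) -> Optional[str]:
    """Walk JPEG segments, parse the Exif APP1 block, return the Copyright text (or None)."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        marker, seg_len = struct.unpack(">HH", data[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):          # start of scan / end of image: no more metadata
            break
        seg = data[pos + 4:pos + 2 + seg_len]
        pos += 2 + seg_len
        if marker != 0xFFE1 or not seg.startswith(b"Exif\x00\x00"):
            continue
        tiff = seg[6:]
        endian = ">" if tiff[:2] == b"MM" else "<"
        ifd = struct.unpack(endian + "I", tiff[4:8])[0]
        count = struct.unpack(endian + "H", tiff[ifd:ifd + 2])[0]
        for i in range(count):
            entry = tiff[ifd + 2 + 12 * i: ifd + 14 + 12 * i]
            if len(entry) < 12:
                break
            tag, typ, n, val = struct.unpack(endian + "HHII", entry)
            if tag != EXIF_COPYRIGHT or typ != TYPE_ASCII:
                continue
            raw = entry[8:8 + n] if n <= 4 else tiff[val:val + n]   # short values are stored inline
            return raw.rstrip(b"\x00").decode("latin-1")
    return None


# Tokens that belong in script, not in a copyright notice (constructed heuristic list).
JS_MARKERS = re.compile(
    r"\b(eval|atob|document|window|fetch|XMLHttpRequest|getElementsByTagName|"
    r"addEventListener|localStorage)\b|\bfunction\s*\(|=>|\);")


def is_suspicious_copyright(text: str) -> bool:
    """Attribution strings are short prose; code-like tokens or unusual length are red flags."""
    return bool(JS_MARKERS.search(text)) or len(text) > 200


def scan_image(data: bytes) -> dict:
    """Return the Copyright value and a verdict, for use over a directory of site assets."""
    text = exif_copyright(data)
    return {"copyright": text, "suspicious": bool(text) and is_suspicious_copyright(text)}


if __name__ == "__main__":
    for label, payload in (("skimmer-like", FAKE_PAYLOAD), ("benign", BENIGN_COPYRIGHT)):
        print(label, scan_image(build_jpeg_with_exif_copyright(payload)))
```

EXIF data lives in a TIFF structure regardless of the wrapping container, so the same IFD walk applies to a file served under the name favicon.ico if its bytes are really a JPEG; the check is on the content of the Copyright field, not on the file extension.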
As one would expect, this web skimmer, like similar malware, stole the contents of input fields where customers entered their name, billing address, credit card details and so on. Once the information had been collected, the skimmer encrypted it, reversed the resulting string, and transmitted it to the operators' remote server in a POST request disguised as an image file. Evidently the attackers decided to be consistent and used images to hide data at every stage of the attack.
Malwarebytes experts also discovered an earlier version of this skimmer, which lacked the obfuscation present in the latest iteration. Functionally it was largely the same, and studying the behaviour of both variants of the malware led them to conclude that this development may belong to MageCart Group 9.