430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

New Magecart group uses an e-Skimmer that avoids VMs and sandboxes

A new Magecart group leverages a browser script to evade virtualized environments and sandboxes used by researchers. Malwarebytes researchers have spotted a new Magecart group that uses a browser script to evade detection and the execution in virtualized environments used by security researchers for threat analysis. Hacker groups under the Magecart umbrella continue to target e-stores to […]

Magecart

A new Magecart group leverages a browser script to evade virtualized environments and sandboxes used by researchers.

Malwarebytes researchers have spotted a new Magecart group that uses a browser script to evade detection and the execution in virtualized environments used by security researchers for threat analysis. Hacker groups under the Magecart umbrella continue to target e-stores to steal payment card data with software skimmers. 

While malware developers often implement anti-vm features and check for registry keys and other info indicating the presence of VMware or Virtual Box, rarely do experts observe the detection of virtualized environments via the browser for web threats.

The Malwarebytes researchers uncovered threat actors that add an extra browser process that uses the WebGL JavaScript API to gather information about the user’s machine and avoid the execution in a VM.

The process identifies the graphics renderer and returns its name. Experts pointed out that for many Virtual Machines the graphics card driver will be a software renderer fallback from the hardware (GPU) renderer. In other cases, the graphics card could be supported by the virtualization software that anyway can be identified by its name.

Magecart

“We notice that the skimmer is checking for the presence of the words swiftshaderllvmpipe and virtualbox. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.” wrote Jérôme Segura, Malwarebytes Head of Threat Intelligence. “By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.”

The presence of the words swiftshader, llvmpipe and virtualbox is associated with the execution inside a VM. Upon executing the script in a real machine, the software skimmer will scrape a number of fields, including the customer’s name, address, email, and phone number as well as their credit card data.

The software skimmer also collects passwords for online stores on which the victim has registered an account, the browser’s user-agent, and a unique user ID. Data are encoded and sent through a single POST request to the same server hosting the skimmer.

The analysis published by Malwarebytes includes indicators of compromise (IoCs) along with the source code of the software skimmer used in the attack.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Magecart)

[adrotate banner=”5″]

[adrotate banner=”13″]