Malwarebytes researchers found that MageCart hackers use a form of steganography: they hide web skimmers in the EXIF metadata of image files and also use image files to exfiltrate the stolen data.
Let me remind you that the name MageCart was originally given to a single hack group, which was the first to plant so-called web skimmers on websites to steal bank card data. The attackers break into a website and inject malicious code into its pages; that code records and steals payment card details as customers enter them during checkout. The approach proved so successful that the group soon had numerous imitators, and MageCart became a household name that now designates a whole class of such attacks. Where RiskIQ researchers identified 12 such groups in 2018, IBM counted about 40 of them by the end of 2019.
Let me remind you that Malwarebytes specialists recently described a MageCart campaign in which a hack group set up a malicious site to host a favicon and used it to mask the malicious code. The new expert report reveals similar activity.
According to the experts, the attack works as follows. A web skimmer was found in the EXIF metadata of an image file loaded by hacked online stores running the WooCommerce plugin for WordPress. Extra code that downloads the malicious image was appended to a legitimate script that the store owners themselves had placed on their sites.
The malicious activity was traced back to cddn[.]site, from which the malicious favicon file was downloaded. As it turned out, the attackers used favicons identical to the real ones on the compromised stores, and the web skimmer was loaded from the Copyright field in the image's EXIF metadata.
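The loading mechanism described above suggests a straightforward defensive check: look inside the EXIF text tags of the images a site serves and treat anything that reads like JavaScript as suspicious. The script below is an added example written for this article, not Malwarebytes' tooling or the attackers' code. It parses a JPEG's APP1/EXIF segment without third-party libraries, returns the ASCII/UNDEFINED tags of IFD0 (including Copyright, tag 0x8298), and flags values that contain script-like tokens. The sample image, the benign notice and the `eval(atob(...))` payload stand-in are constructed for the demonstration, and the marker regex is a heuristic chosen here, not anything taken from the report.

```python
"""Check a JPEG's EXIF text tags for script-like content.

Added example (not Malwarebytes' tooling): a dependency-free parser that
walks the JPEG segment list, finds the APP1/EXIF segment, reads IFD0 and
returns ASCII/UNDEFINED tags such as Copyright (0x8298), then flags any
value that looks like JavaScript. The sample image is constructed inline.
"""
import re
import struct

COPYRIGHT_TAG = 0x8298
# Heuristic chosen for this example: a copyright notice should never
# contain these tokens. Tune for your own environment.
SCRIPT_MARKERS = re.compile(
    r"<script|eval\(|atob\(|document\.|window\.|\bfunction\b|XMLHttpRequest|fetch\(",
    re.IGNORECASE,
)


def extract_exif_text_tags(jpeg: bytes) -> dict:
    """Return {tag_id: raw bytes} for ASCII/UNDEFINED entries in EXIF IFD0."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos, tiff = 2, None
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI or start of scan: metadata is over
            break
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            tiff = payload[6:]  # TIFF structure follows the "Exif\0\0" header
            break
        pos += 2 + length
    if tiff is None:
        return {}
    endian = ">" if tiff[:2] == b"MM" else "<"
    ifd0 = struct.unpack(endian + "I", tiff[4:8])[0]
    count = struct.unpack(endian + "H", tiff[ifd0:ifd0 + 2])[0]
    tags = {}
    for i in range(count):
        entry = ifd0 + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
        if typ not in (2, 7):  # 2 = ASCII, 7 = UNDEFINED (both 1 byte/unit)
            continue
        if n <= 4:  # short values are stored inline in the offset slot
            value = tiff[entry + 8:entry + 8 + n]
        else:
            off = struct.unpack(endian + "I", tiff[entry + 8:entry + 12])[0]
            value = tiff[off:off + n]
        tags[tag] = value
    return tags


def find_script_in_exif(jpeg: bytes) -> list:
    """Return [(tag_id, snippet)] for tags whose text looks like code."""
    hits = []
    for tag, raw in extract_exif_text_tags(jpeg).items():
        text = raw.rstrip(b"\x00").decode("latin-1", "replace")
        if SCRIPT_MARKERS.search(text):
            hits.append((tag, text[:60]))
    return hits


def build_jpeg_with_copyright(copyright_text: bytes) -> bytes:
    """Constructed sample: SOI + APP1/EXIF holding one Copyright tag + EOI.

    There is no pixel data; only the metadata matters for the check.
    """
    value = copyright_text + b"\x00"  # ASCII tags are NUL-terminated
    ifd_offset, entry_count = 8, 1
    data_offset = ifd_offset + 2 + 12 * entry_count + 4  # after next-IFD pointer
    tiff = b"MM\x00\x2a" + struct.pack(">I", ifd_offset)  # big-endian TIFF header
    tiff += struct.pack(">H", entry_count)
    tiff += struct.pack(">HHII", COPYRIGHT_TAG, 2, len(value), data_offset)
    tiff += struct.pack(">I", 0)  # no next IFD
    tiff += value
    app1 = b"Exif\x00\x00" + tiff
    segment = b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
    return b"\xff\xd8" + segment + b"\xff\xd9"


if __name__ == "__main__":
    benign = build_jpeg_with_copyright(b"Copyright 2020 Example Store")
    # Constructed payload stand-in, not the real skimmer.
    evil = build_jpeg_with_copyright(b"eval(atob('ZG9jdW1lbnQuY29va2ll'))")
    print("benign:", find_script_in_exif(benign))
    print("evil:  ", find_script_in_exif(evil))
```

Run it over the favicon and other images your storefront actually serves (fetch them the way the browser would, including any off-domain CDN) rather than over the files on disk, since the point of the campaign is that the image is delivered from attacker infrastructure. The parser only reads IFD0; a fuller tool would follow the EXIF sub-IFD pointer as well.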
As you might guess, this web skimmer, like other similar malware, stole the contents of the input fields where buyers entered their name, billing address, credit card details and so on. Once the data had been collected, the skimmer encrypted it, reversed the resulting string, and sent it by POST request to its operators' remote server, again disguised as an image file. The attackers evidently chose to be consistent and used images to hide data at every stage of the attack.
Malwarebytes experts also found an earlier version of this skimmer that lacked the obfuscation of the newest iteration. Functionally it was much the same, but studying the behaviour of both variants allowed the researchers to conclude that this development likely belongs to MageCart Group 9.