An Interesting Skimmer with Hardcoded IPs

I’ve been examining an interesting digital skimmer/magecart script the past couple of days and figured I’d share some details. Perhaps the most puzzling aspect is the three Korean IPs hardcoded into it, although there are a number of other interesting details as well.

First, some code and URLs of note:

There’s still more deobfuscation to do, but that gets us to a point where we can see some interesting things. For starters, this skimmer grabs the victim IP address using an endpoint at my-ip[.]io.

This isn’t a new technique, of course. Here is an example of a similar method from 2020: https://twitter.com/AffableKraut/status/1323752538592694278

What is kind of new is using that victim’s IP to stop the skimmer from executing. This for loop takes the victim IP and compares it to the three hardcoded IPs. If there is a match, the code execution is ended. But there’s something weird going on here.

These IPs just seem to be random Korean IPs. And while one might want to start shouting “Lazarus!” or something fun like that, there’s probably a better explanation.

121[.]161[.]58[.]40
210[.]178[.]93[.]165
106[.]248[.]193[.]113

First, the victim site is located in South Korea. I think this may be an attempt by the attacker to have the malicious code not execute when the people running the store are on the site. They very well could have captured the IPs of people logging into the admin portal.

Second, the code compares only the first 5 characters of the IP address string, not the full address. That means it’s looking for any IP that starts with: 121.1, 210.1, or 106.2. That is… a lot of IPs. 18,939,904 to be exact, or roughly 0.5% of all public IPs. Oopsie!

The skimmer also loads an iframe from what appears to be another compromised store.

Final thing I’ll mention is that this domain (fraudlabpros[.]at) is definitely using some fast-flux infrastructure. Here are 30 IPs it’s been on in the last month or two:

A modified version of this was originally posted on Twitter:
https://twitter.com/AffableKraut/status/1487939192726466563
