In my last post, I highlighted a digital skimming loader that tried to pretend that it was Google Analytics. In this post, I’ll show a similar one, this time purporting to be Google Tag Manager. This is by the same group as the one shown in the previous post, and you can clearly see the similarities. The full prettified code:

At the top, we see some code that appears to be from Google Tag Manager, but that is never actually used. The pickFooter function is used to decode these values, but XORing them against the string pxwe8al23pjj which acts as a key.

var revSolution = pickFooter('130a12044c04295e561d0f0404', 'pxwe8al23pjj'),
  sortResult = pickFooter('031b050c4815', 'pxwe8al23pjj'),
  attrTooltip = pickFooter('031d03244c151e5b51051e0f', 'pxwe8al23pjj'),
  selectDuration = window[pickFooter('1c1714044c08035c', 'pxwe8al23pjj')][pickFooter('0019030d56000157', 'pxwe8al23pjj')],
  receiveEndpoint = pickFooter('19161300402e0a', 'pxwe8al23pjj');
var resAgreement = pickFooter('030a14', 'pxwe8al23pjj'),
  toggleScale = document[pickFooter('181d1601', 'pxwe8al23pjj')],
  licenseMaximum = pickFooter('1108070056052f5a5a1c0e', 'pxwe8al23pjj');

After XORing, the variables are set to things that are much more recognizable:

Lines 39-46 loop through the values in innerMeta to see if the current URL path contains one of them. The values it’s looking for are onestepcheckout, checkout, onepage, onestep, firecheckout, securecheckout, idecheckoutvm, oscheckout, pagamento, odeme, and fechar-compra. These all relate to different payment systems that the full digital skimmer supports. Line 40 checks to see if one of those is present and if they are it creates a new script tag to add to the page. I had to remove the actual threat actor endpoint for this one unfortunately.

A modified version of this was originally posted on Twitter: https://twitter.com/AffableKraut/status/1137973248388415488