Magecart Infrastructure Design

Digital skimmers use a variety of infrastructure setups to hide the real servers. The specifics vary by the script in use, but in general you will see three different hosts involved:

  • Host 1: Skimmer Loader
  • Host 2: Exfil burner domain / gate
  • Host 3: Magecart Panel / c2

Host 1 and 2 are sometimes the same, but the goal is to hide the third host from prying eyes: keep the important piece, the Panel, behind a shroud that can’t easily be pierced. The code for these gates is rather simple, but let’s take a look at two examples.

This first one is Inter. The host where Inter actually lives is entered on line 3 (the Inter gate route is simply /gate or /gate/proxy), and this file is placed on a burner domain or, commonly, on some compromised system.

Let’s say the exfil server is http://burner.example.com. The JavaScript skimmer base64-encodes your payment info, builds a URL with it, and issues a GET request. The request is frequently disguised as an image load, but the basic URL format is http://burner.example.com/gate.php?hash=<base64>

You can see how Inter takes that information, appends the victim’s IP address and User-Agent, and uses file_get_contents to pass it along to the Panel/c2, which stays hidden from prying eyes because this network call is server to server.

Inter has two routes set up. One is /gate, and it only concerns itself with the base64-encoded payment info. The other is /gate/proxy, and it also parses out the IP address and User-Agent.

Those routes pass the data to two functions: Incoming and Proxy. Both do similar things; Proxy just parses out the IP and UA arguments as well.

Now let’s look at how JS Sniffer handles things. It comes with a file named prokladka.php. Prokladka, or прокладка in Russian, means gasket (among other things). It has similar functionality to the gate.php file in Inter, except that it drops a cookie.

On line 5 you specify the URL of the gate.php file, which should be on Host 3 as defined above. The unique thing it does is check for a cookie and drop one if it is not found. It then passes that cookie along as part of the final payload. The JS Sniffer gate.php file does a couple of things: it grabs the data that was passed along and then, depending on what $sniffer_type was set to, parses it differently.
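The gate traffic described for both Inter (/gate, /gate/proxy, gate.php?hash=<base64>) and JS Sniffer (prokladka.php) leaves a recognisable trace in the web server logs of whichever host is acting as Host 1/2, and in the egress logs of a site whose checkout page is loading the skimmer. The script below is an added example for log review, not code from the post or from either kit: it scans access-log lines in the common combined format for requests to those gate paths, base64-decodes the hash parameter, and raises the severity when the decoded payload contains a Luhn-valid card number. The sample log lines are constructed for the example, and 4111111111111111 is the widely published Visa test number, not a real card.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Request paths the post associates with Inter (/gate, /gate/proxy, gate.php)
# and with JS Sniffer (prokladka.php). Anything else is left alone.
GATE_PATH_RE = re.compile(r"^/(?:gate(?:\.php|/proxy)?|prokladka\.php)$")

# Apache/nginx combined log format:
# client ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# 13-19 digit run not bordered by other digits: candidate primary account number.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation, used to separate card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def decode_hash(value: str):
    """Decode the base64 'hash' parameter; returns None if it is not base64 text.

    Tolerates the URL-safe alphabet, missing padding, and '+' having been turned
    into a space by form decoding of the query string.
    """
    cleaned = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        raw = base64.b64decode(cleaned, validate=True)
        return raw.decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def scan_log(text: str):
    """Return one finding per gate-style request carrying a hash parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(m.group("target"))
        if not GATE_PATH_RE.match(parts.path):
            continue
        for enc in parse_qs(parts.query).get("hash", []):
            decoded = decode_hash(enc)
            pans = [p for p in PAN_RE.findall(decoded or "") if luhn_ok(p)]
            findings.append({
                "client": m.group("ip"),
                "path": parts.path,
                "referer": m.group("referer"),
                "decoded": decoded,
                "luhn_valid_pans": pans,
                # a gate path alone is worth a look; a decoded PAN is an active skim
                "severity": "high" if pans else "medium",
            })
    return findings


# Constructed sample log (not from the original post). The payload is built with
# base64 here so the sample stays exactly what the skimmer URL format describes.
_PAYLOAD = base64.b64encode(b"cc=4111111111111111&exp=12/24&cvv=123&name=Test Shopper").decode()
SAMPLE_LOG = (
    '203.0.113.5 - - [10/Aug/2019:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"\n'
    f'203.0.113.7 - - [10/Aug/2019:12:00:02 +0000] "GET /gate.php?hash={_PAYLOAD} HTTP/1.1" 200 43 "https://shop.example.com/checkout" "Mozilla/5.0"\n'
    '203.0.113.9 - - [10/Aug/2019:12:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 812 "-" "Mozilla/5.0"\n'
    '203.0.113.11 - - [10/Aug/2019:12:00:04 +0000] "GET /gate/proxy?hash=bm90LWJhc2U2NA HTTP/1.1" 200 43 "-" "curl/7.64"\n'
)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["severity"], f["client"], f["path"], f["luhn_valid_pans"] or f["decoded"])
```

Run it over a real access log by passing the file contents to scan_log. On a merchant's own servers any hit means the host is being used as a burner or gate; in outbound proxy logs the referer field shows which checkout page the skimmer was loaded from, which is the page to pull and diff against a known-good copy.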

Interestingly, Sochi (the author of Inter) is a better coder than Poter (the author of JS Sniffer). Inter is a decent MVC app; JS Sniffer is kind of just base-level PHP. Examples of JS Sniffer handling different $sniffer_type values:

And there you go. A look into $6k+ of illicit Magecart packages. It’s really rather basic stuff, but it’s the domain knowledge that was used to craft it that makes it somewhat valuable.

A modified version of this was originally posted on Twitter:
https://twitter.com/AffableKraut/status/1160432974778851328

This entry was posted in Infosec, Magecart.
