The Research Intelligence group at Akamai discovered a new concealment trick used by threat actors in a Magecart campaign that abuses 404 pages.
Roman Lvovsky, in an article published on the 9th October, 2023, stated that:
“Threat Actors in this domain consistently find better methods with which to conceal their attacks within victim websites and evade various security measures that could expose them.”
Akamai revealed that a diverse array of websites, including those within the food and retail sectors, have become focal points for the Magecart web skimming campaign. What sets this discovery apart are the three remarkably sophisticated concealment techniques employed, previously unseen in the field. These techniques entail the artful manipulation of a website’s 404 error page, serving as a clandestine refuge for malicious code. This innovation introduces distinctive hurdles in terms of detection and counteraction.
Furthermore, the emergence of two prominent obfuscation techniques signifies the evolving strategies embraced by threat actors to navigate the landscape of detection and maintain their persistence.
With the recent rise of web skimming techniques, organizations are required to take cybersecurity more seriously and to explore advanced techniques to protect themselves from evolving threats.
Roman Lvovsky stated that:
“According to the evidence we’ve uncovered, this campaign has been active for a couple of weeks, and in some cases, even longer. This campaign managed to surprise us with a high-level concealment technique that we had not previously encountered.”
HOW THE MAGECART EXPLOITATION WORKS:
Magecart exploitation begins with threat actors leveraging existing vulnerabilities in their chosen web targets. In addition, they employ tactics such as infiltrating the third-party services integrated with these websites.
Research findings by cybersecurity experts at Akamai disclosed that:
“All the victim websites we detected were directly exploited, as the malicious code snippet was injected into one of their first-party resources.”
In some cases, threat actors injected the malicious code directly into the HTML pages, while in others the code was obfuscated within one of the first-party scripts that forms part of the website’s functionality.
THE MAGECART CAMPAIGN ATTACK FRAMEWORK:
Mirroring typical Magecart campaigns, the attack framework of this operation comprises three primary components (See Figure-1 Below). These are:
- The Loader
- The Malicious Attack Code
- The Data Exfiltration
- The Loader:
- The Malicious Attack Code:
- The Data Exfiltration:
This is the threat actor’s method of transmitting stolen information to their C2 (Command-and-Control) server.
Roman further elaborated that:
“Although most Magecart campaigns share similarities in terms of their flow and stages, what sets one campaign apart from another are the various concealment techniques that attackers employ. These techniques are used to obscure the attack’s infrastructure; conceal traces; complicate detection and reverse engineering; and, ultimately, prolong the attack.”
Roman also described that the discovery from the campaign reveals three variations of the attack. This indicates that the attack has evolved and that threat actors have employed more techniques to evade detection and disrupt the mitigation steps of cybersecurity experts.
The first two variations are similar, with only minor differences in the loader. The third version, however, is unique: it enables threat actors to use the default 404 error page to hide the malicious code, a technique never seen before.
Variation One Loader:
THE DECODED RUNTIME:
Magecart attackers have lately been using WebSockets, a stealthier and more versatile way to communicate. WebSockets allow attackers to use one network channel for many tasks, such as passing parts of their attack between the server and the browser and, in some situations, even exfiltrating stolen data.
The code also includes a bot detection check: it tests whether the user’s browser is being controlled by automation and, if so, stops running. This tactic dodges security systems that could otherwise spot the attack.
COMMUNICATION FLOW IN THE WEBSOCKETS:
This step helps the attacker decide whether the current page is a sensitive checkout page or something else, so that they can adapt their next moves accordingly.
The code is also in charge of carrying out the harmful actions on the sensitive targeted page. Its goal is to steal the user’s sensitive personal and credit card information and send it back to the skimmer’s command-and-control (C2) server.
Afterward, more encoded messages carrying the stolen data are sent from the browser to the C2 server. Using the same WebSocket channel both for loading the malicious code and for siphoning off the stolen data keeps the process discreet and requires fewer network requests than conventional methods such as XHR, fetch, or HTML resource requests.
THE VARIATION TWO LOADER: A Familiar Face in Fresh Attire
Variation Two distinguishes itself from Variation One through its loader component. In this instance, the skimmer includes an inline script that cleverly mirrors the Meta Pixel code, a Facebook visitor tracking service. However, hidden within this guise are additional lines that actually function as the loader (See Figure-5 Below).
This technique of camouflaging malicious code to resemble trusted services, such as Google Tag Manager or Facebook, has become increasingly prevalent in recent Magecart campaigns. It serves as a tactic to evade detection through static analysis by external scanners and researchers.
An Image Request is Made:
A closer inspection of the suspicious lines in the counterfeit Meta Pixel code showed that they fetch a PNG image from the website’s directory.
The network request resembled a routine request for a harmless website image, but inspecting the image’s actual content made it evident that it harbored hidden dangers (See Figure-6 Below).
Variation Three: Same Trickster, Different Trick
At a quick glance, this loader may resemble the one from Variation Two, but a closer look reveals a different story. In some cases, it pretends to be the Meta Pixel code snippet, just like in Variation Two (See Figure-9 Below). However, in other instances, it sneaks into random inline scripts on the page (See Figure-10 Below).
A key feature of this loader is that it issues a fetch request to a relative path named ‘icons’.
THE 404 ERROR PAGE TRICK:
Following the loader’s execution, the attack initiates a fetch request to the non-existent /icons path, resulting in a “404 Not Found” error (See Figure-11 Below). Upon examining the HTML in the response, it appeared to be the default 404 page of the website (See Figure-12 Below). This is puzzling and raises questions about whether the skimmer had become inactive on the websites we investigated.
Don’t overlook the Loader’s significance:
A detailed analysis of the loader uncovered a crucial element: the loader scans the 404 error page returned for the icons request for the string ‘COOKIE_ANNOT’.
Scouring the returned 404 HTML revealed, hidden at the page’s tail, a comment housing the ‘COOKIE_ANNOT’ string (See Figure-13 Below).
Akamai stated that:
“These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it!”
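The marker check described above also gives defenders something concrete to look for: a site's own default 404 page should not carry comments containing the ‘COOKIE_ANNOT’ string or base64 blobs. The scanner below is an added example written for this article, not Akamai's tooling or the skimmer's code. It collects every HTML comment from a 404 response, flags those carrying the marker or a base64-decodable blob, and decodes the blob so an analyst can see what is hidden. The planted comment in the sample page, the `MARKER` constant and the `fetch_404_page` probe path are constructed for illustration; only the marker string itself comes from the report.

```python
import base64
import re
import urllib.request
from html.parser import HTMLParser
from urllib.error import HTTPError

# String the variation-three loader looks for in the 404 page, per Akamai's report.
MARKER = "COOKIE_ANNOT"


class CommentCollector(HTMLParser):
    """Collect the text of every <!-- ... --> comment in a document."""

    def __init__(self):
        super().__init__()
        self.comments = []

    def handle_comment(self, data):
        self.comments.append(data)


def find_hidden_payloads(html, marker=MARKER, min_blob=40):
    """Return one finding per HTML comment that carries the marker string or a
    base64-decodable blob of at least min_blob characters (the shape of the
    comment found at the tail of the altered 404 page)."""
    parser = CommentCollector()
    parser.feed(html)
    findings = []
    for comment in parser.comments:
        has_marker = marker in comment
        decoded = []
        for blob in re.findall(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_blob, comment):
            try:
                decoded.append(base64.b64decode(blob, validate=True).decode("utf-8"))
            except (ValueError, UnicodeDecodeError):
                continue  # not valid base64, or not text once decoded
        if has_marker or decoded:
            findings.append({
                "marker": has_marker,
                "comment": comment.strip()[:80],  # short preview for a report
                "decoded": decoded,
            })
    return findings


def fetch_404_page(base_url, probe_path="/this-path-should-not-exist-0xdeadbeef"):
    """Request a path that should not exist on your own site and return the body
    of the 404 response, i.e. the default error page. Not used in the offline sample."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + probe_path, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    except HTTPError as err:
        if err.code == 404:
            return err.read().decode("utf-8", errors="replace")
        raise


# Constructed sample (not real skimmer code): a plain default 404 page with a
# planted comment in the shape described above, carrying a harmless base64 string.
PLANTED = base64.b64encode(b"function load() { /* placeholder */ }").decode()
SAMPLE_404 = f"""<!DOCTYPE html>
<html><head><title>404 Not Found</title></head>
<body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<!-- site footer -->
<!-- {MARKER} {PLANTED} -->
</body></html>"""

if __name__ == "__main__":
    for finding in find_hidden_payloads(SAMPLE_404):
        print(finding)
```

Run it against `fetch_404_page("https://your-site.example")` to check a site you operate; the ordinary `<!-- site footer -->` comment is not reported, only the comment that carries the marker or decodable payload is.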
Exfiltrating Victim’s Data:
Unlike variations one and two, variation three brings a fresh approach to exfiltrating victims’ data. In this case, the attackers resort to injecting a deceptive form (See Figure-15 Below). This tactic is often deployed when the skimmer can’t directly access the sensitive inputs.
This situation arises when a website relies on a third-party payment service, utilizing a payment form embedded in an external iframe or page. To navigate these obstacles, the attacker fabricates a counterfeit form mirroring the genuine payment form and superimposes it – a method that’s gaining traction. This is the precise mechanism for siphoning off stolen data in variation three.
After users input their data into the attacker’s sham form, they encounter an error. The phony form vanishes, the authentic payment form reemerges, and users are instructed to re-enter their payment information (See Figure-16 Below).
Image Request Containing Personal and Credit Card Data:
Once the forged form is submitted, it triggers an image network request to the attacker’s C2 server. Within the query parameter, it conceals all pilfered personal and credit card data, cleverly encoded in Base64 (See Figure-17 Below). Upon decoding this string, the request’s true purpose unfolds, shedding light on the entire attack sequence.
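The exfiltration shape described above, an image request whose query parameter carries Base64-encoded card data, is visible in ordinary web server or proxy logs. The detector below is an added example written for this article, not Akamai's code: it parses combined-format access log lines, decodes any long base64 query parameter on image requests, and flags those that decode to text containing a Luhn-valid card number, masking the number in the report. The log lines, hosts and the well-known test card number are constructed for the sample; the log format and the `.gif`/`.png` extension list are assumptions about the environment.

```python
import base64
import re
from urllib.parse import unquote

# Apache/Nginx "combined" access-log request line: client, timestamp, method, URL, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
IMAGE_EXT = (".gif", ".png", ".jpg", ".jpeg", ".webp", ".svg", ".ico")


def luhn_ok(digits):
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return every 13-19 digit run in text that passes the Luhn check."""
    return [run for run in re.findall(r"\d{13,19}", text) if luhn_ok(run)]


def mask_sensitive(text):
    """Keep only the first six and last four digits of each PAN and blank any CVV
    so the report itself never stores full card data."""
    text = re.sub(r"\d{13,19}",
                  lambda m: m.group()[:6] + "*" * (len(m.group()) - 10) + m.group()[-4:], text)
    return re.sub(r"(?i)(cvv|cvc)=\d+", r"\1=***", text)


def decode_b64_params(query):
    """Return (name, decoded_text) for query parameters whose value is valid base64
    that decodes to printable text. Parameters are split by hand rather than with
    parse_qs so that '+' inside base64 is not turned into a space."""
    out = []
    for part in query.split("&"):
        name, _, raw = part.partition("=")
        value = unquote(raw)
        if len(value) < 24:
            continue  # too short to carry a record; also skips ordinary ids
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            out.append((name, decoded))
    return out


def scan_log(lines):
    """Flag image requests whose base64 query parameter decodes to text containing
    a Luhn-valid card number, the exfiltration shape described for variation three."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("url").partition("?")
        if not query or not path.lower().endswith(IMAGE_EXT):
            continue
        for name, decoded in decode_b64_params(query):
            pans = find_pans(decoded)
            if pans:
                findings.append({
                    "ip": m.group("ip"),
                    "path": path,
                    "param": name,
                    "pan_count": len(pans),
                    "preview": mask_sensitive(decoded),
                })
    return findings


# Constructed sample log (no real hosts or data): one benign image request, one
# base64 parameter with no card data, and one exfiltration-style request using a
# well-known test card number that passes Luhn.
_EXFIL = base64.b64encode(b"name=Jane Doe&cc=4111111111111111&exp=12/25&cvv=123").decode()
_BENIGN = base64.b64encode(b"theme=dark;lang=en-US;v=2").decode()
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Oct/2023:12:00:00 +0000] "GET /static/logo.png HTTP/1.1" 200 8123 "https://shop.example/" "Mozilla/5.0"',
    f'203.0.113.7 - - [09/Oct/2023:12:00:05 +0000] "GET /static/pixel.gif?s={_BENIGN} HTTP/1.1" 200 43 "https://shop.example/" "Mozilla/5.0"',
    f'203.0.113.7 - - [09/Oct/2023:12:00:31 +0000] "GET /img.gif?d={_EXFIL} HTTP/1.1" 200 43 "https://shop.example/checkout" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Only the third line is reported: the logo request has no query string, and the tracking-pixel parameter decodes cleanly but contains no card number. Pointing `scan_log` at a real access log (or a proxy's outbound request log, since the C2 host is not first-party) turns the same check into a detection rule.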
Key Takeaways from Variation Three-The 404 Scenario:
The key takeaway from this variation is that the concealment method represents a remarkable innovation previously unseen in Magecart campaigns. Manipulating a targeted website’s default 404 error page gives Magecart actors new opportunities to hide and evade detection creatively.
In certain scenarios, the malicious loader had been eradicated from the affected websites while the malevolent comment within the default 404 page endured. This potential reactivation avenue underscores the intricacies of detection and the significance of mitigation efforts.
The tactic of directing requests to a first-party path linked to the 404 page serves as an evasion method capable of circumventing Content Security Policy headers and other active network-request scrutiny on the page. This is undeniably one of the more sophisticated strategies adopted by Magecart actors in recent times.
Indicators Of Compromise (IOCs):
The indicators of compromise listed by Akamai show the website URLs that are a telltale sign that targeted users have been victims of the Magecart attack.
Akamai Client Side Protection & Compliance VS Magecart Threat Actors:
This campaign and discovery underscore the continual evolution and increasing sophistication of web skimming techniques, posing challenges for static analysis and external scanning. Threat actors adeptly conceal their attacks in victim websites and elude detection. Organizations must stay vigilant, actively seeking advanced methods to counter these evolving web skimming attacks.
Please let us know in the comment section what your thoughts are about this.