Lazarus Group Adds Magecart to the Mix

lazarus group adds magecart

North Korea-based APT is targeting online payments made by American and European shoppers.

The Lazarus Group, state-sponsored hackers affiliated with North Korea, has added digital payment-card skimming to their repertoire, researchers said, using Magecart code.

Lazarus members are targeting online payments made by American and European shoppers. Among the victims is Claire’s, the fashion accessory chain that was attacked in June, according to an analysis from Sansec issued on Monday.

Researchers said that the infrastructure used in the attacks is the same that has been seen in previous Lazarus operations; and that “distinctive patterns in the malware code were identified that linked multiple hacks to the same actor.”

The analysis found that Lazarus was likely planting Magecart payment skimmers on major online retailer sites as early as May 2019. Magecart is an umbrella term encompassing several different threat groups who typically use the same card-skimming scripts on checkout pages. Magento-based attacks are seen most often, but Magecart also attacks other e-commerce platforms, including Opencart, BigCommerce, Prestashop and Salesforce.

“In order to intercept transactions, an attacker needs to modify the computer code that runs an online store,” according to the writeup. “[Lazarus Group, a.k.a. Hidden Cobra] managed to gain access to the store code of large retailers such as international fashion chain Claire’s.”

The researchers speculated that Lazarus is using spearphishing emails as its initial infection vector to compromise the sites – an effort ultimately aimed at obtaining the passwords of retail staff. The hackers then use that access to inject the skimming script, which captures information that shoppers enter into e-commerce check-out pages. The data is then sent to hacker-controlled servers via a global exfiltration network.

“This network utilizes legitimate sites, that got hijacked and repurposed to serve as disguise for the criminal activity,” explained the firm. “The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modeling agency from Milan, a vintage music store from Tehran and a family-run book store from New Jersey.”

Researchers uncovered the ongoing campaign last summer, when the firm discovered a skimmer on a U.S. truck-parts store that used the compromised Italian modeling site to harvest payment data. During the following months, they discovered the same uniquely encoded malware on several dozen stores, all using the same hijacked sites as loaders and card collectors.

Researchers identified multiple, independent links between recent skimming activity and previously documented North Korean hacking operations. These include shared infrastructure (including the domain registrar and DNS service, and common loader sites), as well as an odd code snippet, that Sansec has not observed anywhere else.

“The injected script customize-gtag.min.js12 is scrambled with a popular Javascript obfuscator13. Hidden in the code, the string WTJ4cFpXNTBWRzlyWlc0OQ== is found, which is the double-base64 encoded representation of clientToken=,” according to the analysis. “This particular keyword is later used as HTTP GET parameter to send the stolen payload to the collector exfiltration node. The specific encoding and the attempt to disguise the stolen payload as ‘clientToken’ form a uniquely identifying characteristic.”

There are also common behavior patterns such as adding a hidden, dynamic image to the page with the deceptive name (__preloader). The image address is controlled by the attacker, and the intercepted and encoded payload is sent as argument to this image, along with several random numbers.

“Does the usage of common loader sites, and the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations?”  the researchers said. “Theoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely. First, thousands of sites get hacked each day, making an overlap highly coincidental. Secondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after gaining access, in order to shield the new asset from competitors.”

North Korean hacking activity is aimed at both espionage as well as making money for the regime; and Sansec pointed out that the move into digital skimming represents a significant expansion.

“[North Korea-backed attacks were] mostly restricted to banks and South Korean crypto markets, covert cyber operations that earned hackers $2 billion, according to a 2019 United Nations report,” concluded the report. “As Sansec’s new research shows, they have now extended their portfolio with the profitable crime of digital skimming.”

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles