Security experts from RiskIQ discovered a new variant of the Grelos skimmer that presents overlap with Magecart group operations.
Researchers from RiskIQ analyzed the increased overlap of a new variant of the skimmer dubbed Grelos and the operations of the groups under the Magecart umbrella. The analysis demonstrates the difficulty in associating new strains of skimmer to groups that were behind major Mahecart campaigns. The experts observed an increased overlap of domain infrastructure used by multiple threat actors spreading software skimmers focused on the theft of payment card data from e-stores.
Hacker groups under the Magecart umbrella continue to target e-stores to steal payment card data with software skimmers. Security firms have monitored the activities of a dozen groups at least since 2010.
According to a previous report published by RiskIQ and FlashPoint, some groups are more advanced than others, in particular, the gang tracked as Group 4 appears to be very sophisticated.
Millions of Magecart instances were detected over time, security experts discovered tens of software skimming scripts.
The Grelos skimmer has been around since at least 2015 and is associated with operations of Magecart groups 1 and 2. The new variant uses WebSockets for skimming operations, a technique that was first documented in December 2019 when used by the Magecart Group 9.
“We believe this skimmer is not directly related to Group 1-2’s activity from 2015-16, but instead a rehash of some of their code,” reads the post published by RiskIQ. “This version of the skimmer features a loader stage and a skimmer stage, both of which are base64 encoded five times over.”
The analysis of the domains allowed the expert to discover a new Grelos skimmer variant instead of the Fullz House group’s skimmer. The new variant uses a base64 encoded loader stage with a single layer of encoding.
“A sample we collected from one victim site shows a similar base64 encoded loader stage to one documented by Affable Kraut, except this loader stage is only under one layer of encoding. Also, a duplicate of the encoded script tag appears just below it, without encoding” continues the analysis. “The clear version of the base64 encoded script is nearly identical to the previous version. The skimmer, however, is a bit different. Here we see a dictionary named “translate,” which contains various phrases used by a fake HTML payment form created by the skimmer:”
The researchers pointed out that multiple variants of Magecart-related skimmers are reusing code from past operations. For example, the code used by the Fullz House skimmer has been co-opted by other hacking groups that in some cases are leveraging part of the same infrastructure to host other skimmers, such as Grelos. RiskIQ researchers noticed that the new variant of the Grelos skimmer shares IPs with the Inter skimmer.
“For instance, when we examine the hosting when we look at the hosting provider used by Full(z) House to carry out its recent skimming activity, including the compromise of boom! Mobile, we see Alibaba. This same hosting provider is used by the Grelos skimmer, the Inter skimmer, and others. In fact, we even see an overlap in the specific infrastructure used by an Inter skimmer implementation and the most recent version of Grelos, detailed in this post.” concludes the analysis. “This complex overlap illustrates the increasingly muddy waters for researchers tracking Magecart.”