This blog post was authored by Jérôme Segura
There are many techniques threat actors use to slow down analysis or, even better, evade detection. Perhaps the most popular method is to detect virtual machines commonly used by security researchers and sandboxing solutions.
Reverse engineers are accustomed to encountering code snippets that check certain registry keys, looking for specific values indicating the presence of VMware or Virtual Box, two of the most popular pieces of virtualization software. Many malware families incorporate these anti-vm features, usually as a first layer.
For web threats, it is more rare to see detection of virtual machines via the browser. Typically threat actors are content with filtering targets based on geolocation and user-agent strings. But that feature does exist in modern browsers and can be quite effective.
In this blog post we show how a Magecart threat actor distributing a digital skimmer is avoiding researchers and possibly sandboxes by ensuring users are running genuine computers and not virtual ones.
Virtual Machine detection
Our investigation started by looking at a newly reported domain that could possibly be related to Magecart. Suspicious JavaScript is being loaded alongside an image of payment methods. Note that browsing directly to the URL will return a decoy Angular library.
There is one interesting function within this skimmer script that uses the WebGL JavaScript API to gather information about the user’s machine. We can see that it identifies the graphics renderer and returns its name.
For many Virtual Machines, the graphics card driver will be a software renderer fallback from the hardware (GPU) renderer. Alternatively, it could be supported by the virtualization software but still leak its name.
We notice that the skimmer is checking for the presence of the words swiftshader, llvmpipe and virtualbox. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.
By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.
Data exfiltration
If the machine passes the check, the personal data exfiltration process can take place normally. The skimmer scrapes a number of fields including the customer’s name, address, email and phone number as well as their credit card data.
It also collects any password (many online stores allow customers to register an account), the browser’s user-agent and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request:
Evasion and defenders
This is not surprising to see such evasion techniques being adopted by criminals, however it shows that as we get better at detecting and reporting attacks, threat actors also evolve their code eventually. This is a natural trade-off that we must expect.
In addition to code obfuscation, anti-debugger tricks and now anti-vm checks, defenders will have to spend more time to identify and protect against those attacks or at least come up with effective countermeasures.
Malwarebytes users are protected against this campaign:
Indicators of Compromise (IOCs)
cdn[.]megalixe[.]org con[.]digital-speed[.]net apis[.]murdoog[.]org static[.]opendwin[.]com css[.]tevidon[.]com mantisadnetwork[.]org static[.]mantisadnetwork[.]org stage[.]sleefnote[.]com js[.]speed-metrics[.]com troadster[.]com nypi[.]dc-storm[.]org web[.]webflows[.]net js[.]librarysetr[.]com librarysetr[.]com opendwin[.]com app[.]rolfinder[.]com libsconnect[.]net artesfut[.]com js[.]artesfut[.]com js[.]rawgit[.]net js[.]demo-metrics[.]net demo-metrics[.]net dev[.]crisconnect[.]net m[.]brands-watch[.]com graph[.]cloud-chart[.]net hal-data[.]org stage[.]libsconnect[.]net app[.]iofrontcloud[.]com iofrontcloud[.]com alligaturetrack[.]com webflows[.]net web[.]webflows[.]net tag[.]listrakbi[.]biz api[.]abtasty[.]net cloud-chart[.]net graph[.]cloud-chart[.]net cdn[.]getambassador[.]net climpstatic[.]com stst[.]climpstatic[.]com marklibs[.]com st[.]adsrvr[.]biz cdn[.]cookieslaw[.]org clickcease[.]biz 89.108.127[.]254 89.108.127[.]16 82.202.161[.]77 89.108.116[.]123 82.202.160[.]9 89.108.116[.]48 89.108.123[.]28 89.108.109[.]167 89.108.110[.]208 50.63.202[.]56 212.109.222[.]225 82.202.160[.]8 82.202.160[.]137 192.64.119[.]156 89.108.109[.]169 82.202.160[.]10 82.202.160[.]54 82.146.50[.]89 82.202.160[.]123 82.202.160[.]119 194.67.71[.]75 77.246.157[.]133 82.146.51[.]242 89.108.127[.]57 82.202.160[.]8 185.63.188[.]84 89.108.123[.]168 77.246.157[.]133 185.63.188[.]85 82.146.51[.]202 185.63.188[.]59 89.108.123[.]169 185.63.188[.]71 89.108.127[.]16 82.202.161[.]77
