The JavaScript skimmer evades detection from static malware scanners using dynamic loading.
Payment card giant Visa recently issued a warning about a sophisticatedly designed web skimming malware that uses security tools to avoid detection.
The JavaScript skimmer dubbed ‘Baka’ was discovered in February 2020 by Visa’s Payment Fraud Disruption (PFD) group.
PFD used the eCommerce Threat Disruption capability and learned that the skimmer contained all essential features that most e-commerce skimming kits are equipped with, such as admin panel, skimming script generator, exfiltration gateway, etc.
See: Bluetana app detects gas pumps card skimmers in 3 seconds
The skimmer’s most ‘compelling components’ include its unique loader and obfuscation techniques. It dynamically loads to avoid static malware scanners while using individual encryption parameters’ for every victim to hide the malicious code.
Baka skimmer’s variant avoids detection/analysis by detaching itself from memory as soon as it identifies the probability of dynamic analysis or after it has finished exfiltrating data.
“The Baka loader works by dynamically adding a script tag to the current page. The new script tag loads a remote JavaScript file, the URL of which is stored encrypted in the loader script. The attacker can change the URL for each victim,” explained Visa.
As per Visa’s PFD, the Baka loader dynamically adds a script tag to the current page, while the new scrip tad loads a ‘remote JavaScript file.’ This file’s URL is encrypted and stored in the loader script. For every new victim, this URL can be modified by the attacker.
The researchers identified Baka while evaluating a C&C server linked with the ImageID variant. Later, PFD identified seven servers actively hosting the malware’s skimming kit.
This means the e-commerce skimmer has already affected various merchant websites worldwide. The PFD believes that a skilled developer must have created such an advanced skimming kit.
The skimming code is fetched and execute after a user visits the checkout page on a merchant’s website. Its decrypted payload is similar to the code used for dynamically loading of pages. The code skims the targeted files after every 100 milliseconds, and the attacker efficiently specifies the fields that are to be targeted for every victim. The code also checks whether the skimmer has identified any data at 100 milliseconds intervals.
If it identifies data, the exfiltration process is quickly initiated. It keeps checking every 3 seconds whether the script has to send data to the exfiltration gateway. After exfiltration, a clean-up function is executed to remove the skimming code from memory.
See: Hundreds of counterfeit branded shoe stores hacked with web skimmer
Baka also uses the XOR cipher to encrypt hard-coded values and obfuscate the skimming code that the C&C server delivers. Though XOR’s usage isn’t something new, Visa states it has observed its use in JavaScript skimming malware for the first time.
“The developer of this malware kit uses the same cipher function in the loader and the skimmer,” Visa added.
Here’s how the encrypted skimming code looks like:
Visa urged e-commerce providers to regularly scan for C&C communications, perform website scanning, and test malware and vulnerabilities. Retailers must restrict access to admin portals and mandatorily enable 2FA authentication.
The main e-commerce website must be separated from the checkout section. Additionally, they should closely inspect Content Delivery Networks and third-party codes, and patch shopping carts and web application firewalls to mitigate the newly discovered threat.
Did you enjoy reading this article? Do like our page on Facebook and follow us on Twitter.
I saw this technique used with an .HTM file attachment on an email.