{
	"id": "2e8f82e7-a32f-4b93-bee1-f2f83253560a",
	"created_at": "2026-04-06T00:12:58.997642Z",
	"updated_at": "2026-04-10T03:24:11.714671Z",
	"deleted_at": null,
	"sha1_hash": "c2114f749b0013b53ac921685825a45677477733",
	"title": "Newly observed PHP-based skimmer shows ongoing Magecart Group 12 activity",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1703311,
	"plain_text": "Newly observed PHP-based skimmer shows ongoing Magecart\r\nGroup 12 activity\r\nBy Threat Intelligence Team\r\nPublished: 2021-05-12 · Archived: 2026-04-05 22:21:35 UTC\r\nThere is a lot of publicly documented material on the activities of Group 1 also known for their ‘ant and\r\ncockroach‘ skimmer, their decoy CloudFlare library or their abuse of favicon files.\r\nDynamically loaded skimmer\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 1 of 67\n\nThere are a number of ways to load skimming code but the most common one is by calling an external JavaScript\r\nressource. When a customer visits an online store, their browser will make a request to a domain hosting the\r\nskimmer. Although criminals will constantly expand on their infrastructure it is relatively easy to block these\r\nskimmers using a domain/IP database approach.\r\nIn comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request\r\nto the malicious domain hosting the skimming code is not made client-side but server-side instead. As such a\r\ndatabase blocking approach would not work here unless all compromised stores were blacklisted, which is a\r\ncatch-22 situation. A more effective, but also more complex and prone to false positives approach, is to inspect the\r\nDOM in real time and detect when malicious code has been loaded.\r\nWe continue to track this campaign and other activities from Magecart Group 12. Online merchants need to ensure\r\ntheir stores are up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers\r\nplace in them. 
If you are shopping online it’s always good to exercize some vigilance and equip yourself with\r\nsecurity tools such as our Malwarebytes web protection and Browser Guard.\r\nReferences\r\nhttps://blog.group-ib.com/btc_changer\r\nhttps://twitter.com/unmaskparasites/status/1370579966069383168?s=20\r\nhttps://twitter.com/sansecio/status/1367404202461450244?s=20\r\nhttps://twitter.com/unmaskparasites/status/1234917686242619393?s=20\r\nhttps://community.riskiq.com/article/fda1f967\r\nhttps://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html\r\nhttps://sansec.io/research/cardbleed\r\n/blog/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/\r\nIndicators of Compromise\r\nfacedook[.]host\r\npathc[.]space\r\npredator[.]host\r\ngoogle-statik[.]pw\r\nrecaptcha-in[.]pw\r\nsexrura[.]pw\r\nzolo[.]pw\r\nkermo[.]pw\r\npsas[.]pw\r\npathc[.]space\r\npredator[.]host\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 2 of 67\n\ngooogletagmanager[.]online\r\nimags[.]pw\r\ny5[.]ms\r\nautocapital[.]pw\r\nmyicons[.]net\r\nqr202754[.]pw\r\nthesun[.]pw\r\nredorn[.]space\r\nzeborn[.]pw\r\ngoogletagmanagr[.]com\r\nautocapital[.]pw\r\nhttp[.]ps\r\nxxx-club[.]pw\r\ny5[.]ms\r\n195[.]123[.]217[.]18\r\n217[.]12[.]204[.]185\r\n83[.]166[.]241[.]205\r\n83[.]166[.]242[.]105\r\n83[.]166[.]244[.]113\r\n83[.]166[.]244[.]152\r\n83[.]166[.]244[.]189\r\n83[.]166[.]244[.]76\r\n83[.]166[.]245[.]131\r\n83[.]166[.]246[.]34\r\n83[.]166[.]246[.]81\r\n83[.]166[.]248[.]67\r\njamal.budunoff@yandex[.]ru\r\nmuhtarpashatashanov@yandex[.]ru\r\nnikola-az@rambler[.]ru\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 3 of 67\n\nThis hints that we are possibly looking at the same threat actors then and now, which we can confirm by looking at\r\nthe infrastructure being used.\r\nMagecart Group 12 again\r\nBecause we 
found the favicon webshells on Magento 1.x websites we thought there might be a tie with the\r\nhacking that took place last year when exploits for the Magento 1 branch (no longer maintained) were found.\r\nRiskIQ documented these compromises and linked them with Magecart Group 12 at the time.\r\nThe newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as\r\nrecaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 4 of 67\n\nThere is a lot of publicly documented material on the activities of Group 1 also known for their ‘ant and\r\ncockroach‘ skimmer, their decoy CloudFlare library or their abuse of favicon files.\r\nDynamically loaded skimmer\r\nThere are a number of ways to load skimming code but the most common one is by calling an external JavaScript\r\nressource. When a customer visits an online store, their browser will make a request to a domain hosting the\r\nskimmer. Although criminals will constantly expand on their infrastructure it is relatively easy to block these\r\nskimmers using a domain/IP database approach.\r\nIn comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request\r\nto the malicious domain hosting the skimming code is not made client-side but server-side instead. As such a\r\ndatabase blocking approach would not work here unless all compromised stores were blacklisted, which is a\r\ncatch-22 situation. 
A more effective, but also more complex and prone to false positives approach, is to inspect the\r\nDOM in real time and detect when malicious code has been loaded.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 5 of 67\n\nWe continue to track this campaign and other activities from Magecart Group 12. Online merchants need to ensure\r\ntheir stores are up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers\r\nplace in them. If you are shopping online it’s always good to exercize some vigilance and equip yourself with\r\nsecurity tools such as our Malwarebytes web protection and Browser Guard.\r\nReferences\r\nhttps://blog.group-ib.com/btc_changer\r\nhttps://twitter.com/unmaskparasites/status/1370579966069383168?s=20\r\nhttps://twitter.com/sansecio/status/1367404202461450244?s=20\r\nhttps://twitter.com/unmaskparasites/status/1234917686242619393?s=20\r\nhttps://community.riskiq.com/article/fda1f967\r\nhttps://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html\r\nhttps://sansec.io/research/cardbleed\r\n/blog/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/\r\nIndicators of Compromise\r\nfacedook[.]host\r\npathc[.]space\r\npredator[.]host\r\ngoogle-statik[.]pw\r\nrecaptcha-in[.]pw\r\nsexrura[.]pw\r\nzolo[.]pw\r\nkermo[.]pw\r\npsas[.]pw\r\npathc[.]space\r\npredator[.]host\r\ngooogletagmanager[.]online\r\nimags[.]pw\r\ny5[.]ms\r\nautocapital[.]pw\r\nmyicons[.]net\r\nqr202754[.]pw\r\nthesun[.]pw\r\nredorn[.]space\r\nzeborn[.]pw\r\ngoogletagmanagr[.]com\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 6 of 
67\n\nautocapital[.]pw\r\nhttp[.]ps\r\nxxx-club[.]pw\r\ny5[.]ms\r\n195[.]123[.]217[.]18\r\n217[.]12[.]204[.]185\r\n83[.]166[.]241[.]205\r\n83[.]166[.]242[.]105\r\n83[.]166[.]244[.]113\r\n83[.]166[.]244[.]152\r\n83[.]166[.]244[.]189\r\n83[.]166[.]244[.]76\r\n83[.]166[.]245[.]131\r\n83[.]166[.]246[.]34\r\n83[.]166[.]246[.]81\r\n83[.]166[.]248[.]67\r\njamal.budunoff@yandex[.]ru\r\nmuhtarpashatashanov@yandex[.]ru\r\nnikola-az@rambler[.]ru\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 7 of 67\n\nThat same path/filename was previously mentioned by SanSec during the Magento 1 EOL hacking spree:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 8 of 67\n\nThis hints that we are possibly looking at the same threat actors then and now, which we can confirm by looking at\r\nthe infrastructure being used.\r\nMagecart Group 12 again\r\nBecause we found the favicon webshells on Magento 1.x websites we thought there might be a tie with the\r\nhacking that took place last year when exploits for the Magento 1 branch (no longer maintained) were found.\r\nRiskIQ documented these compromises and linked them with Magecart Group 12 at the time.\r\nThe newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as\r\nrecaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 9 of 67\n\nThere is a lot of publicly documented material on the activities of Group 1 also known for their ‘ant and\r\ncockroach‘ skimmer, their decoy CloudFlare library or their abuse of favicon files.\r\nDynamically loaded skimmer\r\nThere are a number of ways to load skimming code but the most common one is by calling an external 
JavaScript\r\nressource. When a customer visits an online store, their browser will make a request to a domain hosting the\r\nskimmer. Although criminals will constantly expand on their infrastructure it is relatively easy to block these\r\nskimmers using a domain/IP database approach.\r\nIn comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request\r\nto the malicious domain hosting the skimming code is not made client-side but server-side instead. As such a\r\ndatabase blocking approach would not work here unless all compromised stores were blacklisted, which is a\r\ncatch-22 situation. A more effective, but also more complex and prone to false positives approach, is to inspect the\r\nDOM in real time and detect when malicious code has been loaded.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 10 of 67\n\nWe continue to track this campaign and other activities from Magecart Group 12. Online merchants need to ensure\r\ntheir stores are up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers\r\nplace in them. 
If you are shopping online it’s always good to exercize some vigilance and equip yourself with\r\nsecurity tools such as our Malwarebytes web protection and Browser Guard.\r\nReferences\r\nhttps://blog.group-ib.com/btc_changer\r\nhttps://twitter.com/unmaskparasites/status/1370579966069383168?s=20\r\nhttps://twitter.com/sansecio/status/1367404202461450244?s=20\r\nhttps://twitter.com/unmaskparasites/status/1234917686242619393?s=20\r\nhttps://community.riskiq.com/article/fda1f967\r\nhttps://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html\r\nhttps://sansec.io/research/cardbleed\r\n/blog/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/\r\nIndicators of Compromise\r\nfacedook[.]host\r\npathc[.]space\r\npredator[.]host\r\ngoogle-statik[.]pw\r\nrecaptcha-in[.]pw\r\nsexrura[.]pw\r\nzolo[.]pw\r\nkermo[.]pw\r\npsas[.]pw\r\npathc[.]space\r\npredator[.]host\r\ngooogletagmanager[.]online\r\nimags[.]pw\r\ny5[.]ms\r\nautocapital[.]pw\r\nmyicons[.]net\r\nqr202754[.]pw\r\nthesun[.]pw\r\nredorn[.]space\r\nzeborn[.]pw\r\ngoogletagmanagr[.]com\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 11 of 67\n\nautocapital[.]pw\r\nhttp[.]ps\r\nxxx-club[.]pw\r\ny5[.]ms\r\n195[.]123[.]217[.]18\r\n217[.]12[.]204[.]185\r\n83[.]166[.]241[.]205\r\n83[.]166[.]242[.]105\r\n83[.]166[.]244[.]113\r\n83[.]166[.]244[.]152\r\n83[.]166[.]244[.]189\r\n83[.]166[.]244[.]76\r\n83[.]166[.]245[.]131\r\n83[.]166[.]246[.]34\r\n83[.]166[.]246[.]81\r\n83[.]166[.]248[.]67\r\njamal.budunoff@yandex[.]ru\r\nmuhtarpashatashanov@yandex[.]ru\r\nnikola-az@rambler[.]ru\r\nA similar PHP file (Mage.php) was reported by SanSec as well:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 12 of 67\n\nThat same path/filename was previously mentioned by SanSec during the Magento 1 EOL hacking 
spree:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 13 of 67\n\nThis hints that we are possibly looking at the same threat actors then and now, which we can confirm by looking at\r\nthe infrastructure being used.\r\nMagecart Group 12 again\r\nBecause we found the favicon webshells on Magento 1.x websites we thought there might be a tie with the\r\nhacking that took place last year when exploits for the Magento 1 branch (no longer maintained) were found.\r\nRiskIQ documented these compromises and linked them with Magecart Group 12 at the time.\r\nThe newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as\r\nrecaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 14 of 67\n\nThere is a lot of publicly documented material on the activities of Group 1 also known for their ‘ant and\r\ncockroach‘ skimmer, their decoy CloudFlare library or their abuse of favicon files.\r\nDynamically loaded skimmer\r\nThere are a number of ways to load skimming code but the most common one is by calling an external JavaScript\r\nressource. When a customer visits an online store, their browser will make a request to a domain hosting the\r\nskimmer. Although criminals will constantly expand on their infrastructure it is relatively easy to block these\r\nskimmers using a domain/IP database approach.\r\nIn comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request\r\nto the malicious domain hosting the skimming code is not made client-side but server-side instead. As such a\r\ndatabase blocking approach would not work here unless all compromised stores were blacklisted, which is a\r\ncatch-22 situation. 
A more effective, but also more complex and prone to false positives approach, is to inspect the\r\nDOM in real time and detect when malicious code has been loaded.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 15 of 67\n\nWe continue to track this campaign and other activities from Magecart Group 12. Online merchants need to ensure\r\ntheir stores are up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers\r\nplace in them. If you are shopping online it’s always good to exercize some vigilance and equip yourself with\r\nsecurity tools such as our Malwarebytes web protection and Browser Guard.\r\nReferences\r\nhttps://blog.group-ib.com/btc_changer\r\nhttps://twitter.com/unmaskparasites/status/1370579966069383168?s=20\r\nhttps://twitter.com/sansecio/status/1367404202461450244?s=20\r\nhttps://twitter.com/unmaskparasites/status/1234917686242619393?s=20\r\nhttps://community.riskiq.com/article/fda1f967\r\nhttps://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html\r\nhttps://sansec.io/research/cardbleed\r\n/blog/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/\r\nIndicators of Compromise\r\nfacedook[.]host\r\npathc[.]space\r\npredator[.]host\r\ngoogle-statik[.]pw\r\nrecaptcha-in[.]pw\r\nsexrura[.]pw\r\nzolo[.]pw\r\nkermo[.]pw\r\npsas[.]pw\r\npathc[.]space\r\npredator[.]host\r\ngooogletagmanager[.]online\r\nimags[.]pw\r\ny5[.]ms\r\nautocapital[.]pw\r\nmyicons[.]net\r\nqr202754[.]pw\r\nthesun[.]pw\r\nredorn[.]space\r\nzeborn[.]pw\r\ngoogletagmanagr[.]com\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 16 of 
67\n\nautocapital[.]pw\r\nhttp[.]ps\r\nxxx-club[.]pw\r\ny5[.]ms\r\n195[.]123[.]217[.]18\r\n217[.]12[.]204[.]185\r\n83[.]166[.]241[.]205\r\n83[.]166[.]242[.]105\r\n83[.]166[.]244[.]113\r\n83[.]166[.]244[.]152\r\n83[.]166[.]244[.]189\r\n83[.]166[.]244[.]76\r\n83[.]166[.]245[.]131\r\n83[.]166[.]246[.]34\r\n83[.]166[.]246[.]81\r\n83[.]166[.]248[.]67\r\njamal.budunoff@yandex[.]ru\r\nmuhtarpashatashanov@yandex[.]ru\r\nnikola-az@rambler[.]ru\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 17 of 67\n\nThe data exfiltration part matches what researcher Denis @unmaskparasites had found back in March on\r\nWordPress sites (Smilodon malware) which also steals user credentials:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 18 of 67\n\nA similar PHP file (Mage.php) was reported by SanSec as well:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 19 of 67\n\nThat same path/filename was previously mentioned by SanSec during the Magento 1 EOL hacking spree:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 20 of 67\n\nThis hints that we are possibly looking at the same threat actors then and now, which we can confirm by looking at\r\nthe infrastructure being used.\r\nMagecart Group 12 again\r\nBecause we found the favicon webshells on Magento 1.x websites we thought there might be a tie with the\r\nhacking that took place last year when exploits for the Magento 1 branch (no longer maintained) were found.\r\nRiskIQ documented these compromises and linked them with Magecart Group 12 at the time.\r\nThe newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as\r\nrecaptcha-in[.]pw and 
google-statik[.]pw, domains previously associated with Magecart Group 12.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 21 of 67\n\nThere is a lot of publicly documented material on the activities of Group 1 also known for their ‘ant and\r\ncockroach‘ skimmer, their decoy CloudFlare library or their abuse of favicon files.\r\nDynamically loaded skimmer\r\nThere are a number of ways to load skimming code but the most common one is by calling an external JavaScript\r\nressource. When a customer visits an online store, their browser will make a request to a domain hosting the\r\nskimmer. Although criminals will constantly expand on their infrastructure it is relatively easy to block these\r\nskimmers using a domain/IP database approach.\r\nIn comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request\r\nto the malicious domain hosting the skimming code is not made client-side but server-side instead. As such a\r\ndatabase blocking approach would not work here unless all compromised stores were blacklisted, which is a\r\ncatch-22 situation. A more effective, but also more complex and prone to false positives approach, is to inspect the\r\nDOM in real time and detect when malicious code has been loaded.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 22 of 67\n\nWe continue to track this campaign and other activities from Magecart Group 12. Online merchants need to ensure\r\ntheir stores are up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers\r\nplace in them. 
If you are shopping online it’s always good to exercize some vigilance and equip yourself with\r\nsecurity tools such as our Malwarebytes web protection and Browser Guard.\r\nReferences\r\nhttps://blog.group-ib.com/btc_changer\r\nhttps://twitter.com/unmaskparasites/status/1370579966069383168?s=20\r\nhttps://twitter.com/sansecio/status/1367404202461450244?s=20\r\nhttps://twitter.com/unmaskparasites/status/1234917686242619393?s=20\r\nhttps://community.riskiq.com/article/fda1f967\r\nhttps://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html\r\nhttps://sansec.io/research/cardbleed\r\n/blog/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/\r\nIndicators of Compromise\r\nfacedook[.]host\r\npathc[.]space\r\npredator[.]host\r\ngoogle-statik[.]pw\r\nrecaptcha-in[.]pw\r\nsexrura[.]pw\r\nzolo[.]pw\r\nkermo[.]pw\r\npsas[.]pw\r\npathc[.]space\r\npredator[.]host\r\ngooogletagmanager[.]online\r\nimags[.]pw\r\ny5[.]ms\r\nautocapital[.]pw\r\nmyicons[.]net\r\nqr202754[.]pw\r\nthesun[.]pw\r\nredorn[.]space\r\nzeborn[.]pw\r\ngoogletagmanagr[.]com\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 23 of 67\n\nautocapital[.]pw\r\nhttp[.]ps\r\nxxx-club[.]pw\r\ny5[.]ms\r\n195[.]123[.]217[.]18\r\n217[.]12[.]204[.]185\r\n83[.]166[.]241[.]205\r\n83[.]166[.]242[.]105\r\n83[.]166[.]244[.]113\r\n83[.]166[.]244[.]152\r\n83[.]166[.]244[.]189\r\n83[.]166[.]244[.]76\r\n83[.]166[.]245[.]131\r\n83[.]166[.]246[.]34\r\n83[.]166[.]246[.]81\r\n83[.]166[.]248[.]67\r\njamal.budunoff@yandex[.]ru\r\nmuhtarpashatashanov@yandex[.]ru\r\nnikola-az@rambler[.]ru\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 24 of 67\n\nThe data exfiltration part matches what researcher Denis @unmaskparasites had found back in March on\r\nWordPress sites (Smilodon malware) which also steals user 
credentials:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 25 of 67\n\nA similar PHP file (Mage.php) was reported by SanSec as well:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 26 of 67\n\nThat same path/filename was previously mentioned by SanSec during the Magento 1 EOL hacking spree:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 27 of 67\n\nThis hints that we are possibly looking at the same threat actors then and now, which we can confirm by looking at\r\nthe infrastructure being used.\r\nMagecart Group 12 again\r\nBecause we found the favicon webshells on Magento 1.x websites we thought there might be a tie with the\r\nhacking that took place last year when exploits for the Magento 1 branch (no longer maintained) were found.\r\nRiskIQ documented these compromises and linked them with Magecart Group 12 at the time.\r\nThe newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as\r\nrecaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 28 of 67\n\nThere is a lot of publicly documented material on the activities of Group 1 also known for their ‘ant and\r\ncockroach‘ skimmer, their decoy CloudFlare library or their abuse of favicon files.\r\nDynamically loaded skimmer\r\nThere are a number of ways to load skimming code but the most common one is by calling an external JavaScript\r\nressource. When a customer visits an online store, their browser will make a request to a domain hosting the\r\nskimmer. 
Although criminals will constantly expand on their infrastructure it is relatively easy to block these\r\nskimmers using a domain/IP database approach.\r\nIn comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request\r\nto the malicious domain hosting the skimming code is not made client-side but server-side instead. As such a\r\ndatabase blocking approach would not work here unless all compromised stores were blacklisted, which is a\r\ncatch-22 situation. A more effective, but also more complex and prone to false positives approach, is to inspect the\r\nDOM in real time and detect when malicious code has been loaded.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 29 of 67\n\nWe continue to track this campaign and other activities from Magecart Group 12. Online merchants need to ensure\r\ntheir stores are up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers\r\nplace in them. 
If you are shopping online it’s always good to exercize some vigilance and equip yourself with\r\nsecurity tools such as our Malwarebytes web protection and Browser Guard.\r\nReferences\r\nhttps://blog.group-ib.com/btc_changer\r\nhttps://twitter.com/unmaskparasites/status/1370579966069383168?s=20\r\nhttps://twitter.com/sansecio/status/1367404202461450244?s=20\r\nhttps://twitter.com/unmaskparasites/status/1234917686242619393?s=20\r\nhttps://community.riskiq.com/article/fda1f967\r\nhttps://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html\r\nhttps://sansec.io/research/cardbleed\r\n/blog/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/\r\nIndicators of Compromise\r\nfacedook[.]host\r\npathc[.]space\r\npredator[.]host\r\ngoogle-statik[.]pw\r\nrecaptcha-in[.]pw\r\nsexrura[.]pw\r\nzolo[.]pw\r\nkermo[.]pw\r\npsas[.]pw\r\npathc[.]space\r\npredator[.]host\r\ngooogletagmanager[.]online\r\nimags[.]pw\r\ny5[.]ms\r\nautocapital[.]pw\r\nmyicons[.]net\r\nqr202754[.]pw\r\nthesun[.]pw\r\nredorn[.]space\r\nzeborn[.]pw\r\ngoogletagmanagr[.]com\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 30 of 67\n\nautocapital[.]pw\r\nhttp[.]ps\r\nxxx-club[.]pw\r\ny5[.]ms\r\n195[.]123[.]217[.]18\r\n217[.]12[.]204[.]185\r\n83[.]166[.]241[.]205\r\n83[.]166[.]242[.]105\r\n83[.]166[.]244[.]113\r\n83[.]166[.]244[.]152\r\n83[.]166[.]244[.]189\r\n83[.]166[.]244[.]76\r\n83[.]166[.]245[.]131\r\n83[.]166[.]246[.]34\r\n83[.]166[.]246[.]81\r\n83[.]166[.]248[.]67\r\njamal.budunoff@yandex[.]ru\r\nmuhtarpashatashanov@yandex[.]ru\r\nnikola-az@rambler[.]ru\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 31 of 67\n\nFurther looking into the m1_2021_force directory reveals additional code very specific to credit card 
skimming.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 32 of 67\n\nThe data exfiltration part matches what researcher Denis @unmaskparasites had found back in March on\r\nWordPress sites (Smilodon malware) which also steals user credentials:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 33 of 67\n\nA similar PHP file (Mage.php) was reported by SanSec as well:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 34 of 67\n\nThat same path/filename was previously mentioned by SanSec during the Magento 1 EOL hacking spree:\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 35 of 67\n\nThis hints that we are possibly looking at the same threat actors then and now, which we can confirm by looking at\r\nthe infrastructure being used.\r\nMagecart Group 12 again\r\nBecause we found the favicon webshells on Magento 1.x websites we thought there might be a tie with the\r\nhacking that took place last year when exploits for the Magento 1 branch (no longer maintained) were found.\r\nRiskIQ documented these compromises and linked them with Magecart Group 12 at the time.\r\nThe newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as\r\nrecaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.\r\nhttps://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/\r\nPage 36 of 67\n\nThere is a lot of publicly documented material on the activities of Group 1 also known for their ‘ant and\r\ncockroach‘ skimmer, their decoy CloudFlare library or their abuse of favicon files.\r\nDynamically loaded 
skimmer\r\nThere are a number of ways to load skimming code, but the most common one is by calling an external JavaScript resource. When a customer visits an online store, their browser will make a request to a domain hosting the skimmer. Although criminals constantly expand their infrastructure, it is relatively easy to block these skimmers using a domain/IP database approach.\r\nIn comparison, the skimmer we showed in this blog dynamically injects code into the merchant site. The request to the malicious domain hosting the skimming code is not made client-side but server-side instead. As such, a database blocking approach would not work here unless all compromised stores were blacklisted, which is a catch-22 situation. A more effective approach, though more complex and more prone to false positives, is to inspect the DOM in real time and detect when malicious code has been loaded.\r\nWe continue to track this campaign and other activities from Magecart Group 12. Online merchants need to ensure their stores are up-to-date and hardened, not only to pass PCI standards but also to maintain the trust shoppers place in them. If you are shopping online it’s always good to exercise some vigilance and equip yourself with security tools such as our Malwarebytes web protection and Browser Guard.\r\nThis blog post was authored by Jérôme Segura\r\nWeb skimming continues to be a real and impactful threat to online merchants and shoppers. The threat actors in this space range greatly in sophistication, from amateurs all the way to nation state groups like Lazarus.\r\nIn terms of security, many e-commerce shops remain vulnerable because they have not upgraded their content management software (CMS) in years. The campaign we are looking at today is about a number of Magento 1 websites that have been compromised by a very active skimmer group.\r\nWe believe that Magecart Group 12, identified as being behind the Magento 1 hacking spree last fall, continues to distribute new malware that was observed by security researchers recently. These web shells, known as Smilodon or Megalodon, are used to dynamically load JavaScript skimming code via server-side requests into online stores. This technique is interesting as most client-side security tools will not be able to detect or block the skimmer.\r\nWeb shell hidden as favicon\r\nWhile performing a crawl of Magento 1 websites, we detected a new piece of malware disguised as a favicon. The file, named Magento.png, attempts to pass itself off as ‘image/png’ but does not have the proper PNG format for a valid image file.\r\nThe way it is injected in compromised sites is by replacing the legitimate shortcut icon tags with a path to the fake PNG file. Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell. However, in its current implementation this PHP script won’t be loaded properly.\r\nWeb shells are a very common type of malware found on websites; they allow an attacker to maintain remote access and administration. They are typically uploaded onto a web server after exploitation of a vulnerability (e.g. SQL injection).\r\nTo better understand what this web shell is meant to do, we can decode the reversed, Base64-encoded blob. We see that it retrieves data from an external host at zolo[.]pw.\r\nLooking further into the m1_2021_force directory reveals additional code very specific to credit card skimming.\r\nThe data exfiltration part matches what researcher Denis @unmaskparasites had found back in March on WordPress sites (Smilodon malware), which also steals user credentials.\r\nA similar PHP file (Mage.php) was reported by SanSec as well.\r\nThat same path/filename was previously mentioned by SanSec during the Magento 1 EOL hacking spree.\r\nThis hints that we are possibly looking at the same threat actors then and now, which we can confirm by looking at the infrastructure being used.\r\nMagecart Group 12 again\r\nBecause we found the favicon web shells on Magento 1.x websites, we thought there might be a tie with the hacking that took place last year when exploits for the Magento 1 branch (no longer maintained) were found. RiskIQ documented these compromises and linked them with Magecart Group 12 at the time.\r\nThe newest domain name we found (zolo[.]pw) happens to be hosted on the same IP address (217.12.204[.]185) as recaptcha-in[.]pw and google-statik[.]pw, domains previously associated with Magecart Group 12.\r\nReferences\r\nhttps://blog.group-ib.com/btc_changer\r\nhttps://twitter.com/unmaskparasites/status/1370579966069383168?s=20\r\nhttps://twitter.com/sansecio/status/1367404202461450244?s=20\r\nhttps://twitter.com/unmaskparasites/status/1234917686242619393?s=20\r\nhttps://community.riskiq.com/article/fda1f967\r\nhttps://blog.sucuri.net/2020/04/web-skimmer-with-a-domain-name-generator.html\r\nhttps://sansec.io/research/cardbleed\r\n/blog/threat-analysis/2020/05/credit-card-skimmer-masquerades-as-favicon/\r\nIndicators of Compromise\r\nfacedook[.]host\r\npathc[.]space\r\npredator[.]host\r\ngoogle-statik[.]pw\r\nrecaptcha-in[.]pw\r\nsexrura[.]pw\r\nzolo[.]pw\r\nkermo[.]pw\r\npsas[.]pw\r\npathc[.]space\r\npredator[.]host\r\ngooogletagmanager[.]online\r\nimags[.]pw\r\ny5[.]ms\r\nautocapital[.]pw\r\nmyicons[.]net\r\nqr202754[.]pw\r\nthesun[.]pw\r\nredorn[.]space\r\nzeborn[.]pw\r\ngoogletagmanagr[.]com\r\nautocapital[.]pw\r\nhttp[.]ps\r\nxxx-club[.]pw\r\ny5[.]ms\r\n195[.]123[.]217[.]18\r\n217[.]12[.]204[.]185\r\n83[.]166[.]241[.]205\r\n83[.]166[.]242[.]105\r\n83[.]166[.]244[.]113\r\n83[.]166[.]244[.]152\r\n83[.]166[.]244[.]189\r\n83[.]166[.]244[.]76\r\n83[.]166[.]245[.]131\r\n83[.]166[.]246[.]34\r\n83[.]166[.]246[.]81\r\n83[.]166[.]248[.]67\r\njamal.budunoff@yandex[.]ru\r\nmuhtarpashatashanov@yandex[.]ru\r\nnikola-az@rambler[.]ru\r\nSource: https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/"
	],
	"report_names": [
		"newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434378,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2114f749b0013b53ac921685825a45677477733.pdf",
		"text": "https://archive.orkl.eu/c2114f749b0013b53ac921685825a45677477733.txt",
		"img": "https://archive.orkl.eu/c2114f749b0013b53ac921685825a45677477733.jpg"
	}
}