{
	"id": "ec5423be-5cd8-454f-b5bc-92438f10b8c0",
	"created_at": "2026-04-06T01:30:58.963047Z",
	"updated_at": "2026-04-10T03:24:11.822541Z",
	"deleted_at": null,
	"sha1_hash": "fb2e2eeef9452e2b2fe7ea64590201d50d1dee41",
	"title": "Credit card skimmer evades Virtual Machines",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 345336,
	"plain_text": "Credit card skimmer evades Virtual Machines\r\nBy Threat Intelligence Team\r\nPublished: 2021-11-02 · Archived: 2026-04-06 00:41:59 UTC\r\nThis blog post was authored by Jérôme Segura\r\nThere are many techniques threat actors use to slow down analysis or, even better, evade detection. Perhaps the most popular method is to detect virtual machines commonly used by security researchers and sandboxing solutions.\r\nReverse engineers are accustomed to encountering code snippets that check certain registry keys, looking for specific values indicating the presence of VMware or VirtualBox, two of the most popular pieces of virtualization software. Many malware families incorporate these anti-VM features, usually as a first layer.\r\nFor web threats, it is rarer to see detection of virtual machines via the browser. Typically threat actors are content with filtering targets based on geolocation and user-agent strings. But that capability does exist in modern browsers and can be quite effective.\r\nIn this blog post we show how a Magecart threat actor distributing a digital skimmer is avoiding researchers and possibly sandboxes by ensuring users are running genuine computers and not virtual ones.\r\nVirtual Machine detection\r\nOur investigation started by looking at a newly reported domain that could possibly be related to Magecart. Suspicious JavaScript is being loaded alongside an image of payment methods. Note that browsing directly to the URL will return a decoy Angular library.\r\nThere is one interesting function within this skimmer script that uses the WebGL JavaScript API to gather information about the user’s machine. We can see that it identifies the graphics renderer and returns its name.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/\r\nPage 1 of 5\n\nFor many virtual machines, the graphics card driver will be a software renderer fallback from the hardware (GPU) renderer. Alternatively, it could be supported by the virtualization software but still leak its name.\r\nWe notice that the skimmer is checking for the presence of the words swiftshader, llvmpipe and virtualbox. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.\r\nBy performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer.\r\nData exfiltration\r\nIf the machine passes the check, the personal data exfiltration process can take place normally. The skimmer scrapes a number of fields including the customer’s name, address, email and phone number as well as their credit card data.\r\nIt also collects any password (many online stores allow customers to register an account), the browser’s user-agent and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request:\r\nEvasion and defenders\r\nIt is not surprising to see such evasion techniques being adopted by criminals; however, it shows that as we get better at detecting and reporting attacks, threat actors eventually evolve their code too. This is a natural trade-off that we must expect.\r\nIn addition to code obfuscation, anti-debugger tricks and now anti-VM checks, defenders will have to spend more time identifying and protecting against those attacks, or at least come up with effective countermeasures.\r\nMalwarebytes users are protected against this campaign:\r\nIndicators of Compromise (IOCs)\r\nSkimmer code\r\nSkimmer code beautified\r\ncdn[.]megalixe[.]org con[.]digital-speed[.]net apis[.]murdoog[.]org static[.]opendwin[.]com css[.]tev\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2021/11/credit-card-skimmer-evades-virtual-machines/"
	],
	"report_names": [
		"credit-card-skimmer-evades-virtual-machines"
	],
	"threat_actors": [
		{
			"id": "5a0483f5-09b3-4673-bb5a-56d41eaf91ed",
			"created_at": "2023-01-06T13:46:38.814104Z",
			"updated_at": "2026-04-10T02:00:03.110104Z",
			"deleted_at": null,
			"main_name": "MageCart",
			"aliases": [],
			"source_name": "MISPGALAXY:MageCart",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439058,
	"ts_updated_at": 1775791451,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb2e2eeef9452e2b2fe7ea64590201d50d1dee41.pdf",
		"text": "https://archive.orkl.eu/fb2e2eeef9452e2b2fe7ea64590201d50d1dee41.txt",
		"img": "https://archive.orkl.eu/fb2e2eeef9452e2b2fe7ea64590201d50d1dee41.jpg"
	}
}