Here is the loader in its normal form: https://gist.github.com/krautface/d14b8b718413a57a69e7811fe4515872 And here it is prettified: https://gist.github.com/krautface/956640b5c7ee4bd0e71ceea2270bd1de What's unique about this one is twofold...
JavaScript code utilized: it modifies Array.prototype and String.prototype in an attempt to hide what it's doing, and it uses async/await (added in ES8) and const (added in ES6). The creator is likely someone with more JS experience than most other skimmer devs.
The loader attempts to use a fetch call to get the skimmer code, but it fails currently. fetch also isn't supported by IE11. Even fixing the code so that it properly requests its payload doesn't retrieve anything of note, just a single line of benign JS.
While some digital skimmer infrastructure does attempt to limit delivering its payload to limited targets (restricting by location, referrer, traffic from AWS, etc.), this doesn't appear to be the issue here, although if you get it to return something please DM me.
Quick run-through of the code. You can see a number of new functions being added to the String prototype and one to the Array prototype. pic.twitter.com/9m9lGx0XZw
For this skimmer loader, every instance we've seen has had different function names. String.prototype.no: intended to execute the malicious skimmer payload received from the endpoint. pic.twitter.com/s6TaDXbKE9
Array.prototype.cg: checks to see if the user is on the checkout page. In this case it is looking for the string "checko" in the current URL. pic.twitter.com/Wk6Xyy7nuN
Anonymous function: some basic anti-RE stuff. Checks for dev tools, Firebug, etc. Disable it by removing lines 24-42 (and delete that trailing comma on line 23). pic.twitter.com/5AmlMmm3t7
String.prototype.xn: deobfuscator. Used by Array.prototype.cg and String.prototype.bq. That long string looks random, but look closer: it's the characters a-z, A-Z, 0-9, and _.:,. Also, notice that hi is set to 1 and then never changes. pic.twitter.com/KB0SG4Cfdw
String.prototype.bq: attempts to fetch the payload and then sends it to String.prototype.no to be added to the page and executed. pic.twitter.com/99nKCjsbBR
The final setTimeout func sits there and checks if devtools are open and, if they're not, if it's on the right page. If it is, kick things off. Bypass these checks by getting rid of the if statements, or set: window.kb.open = false; ez.cg = () => true pic.twitter.com/p47QirHs0X
In this sample, the URL it's attempting to grab code from is hxxps://doubleclick[.]ws/click, yet another skimmer domain playing off a Google property, but it fails because of... reasons. I'm sure they'll figure it out sometime soon.
Anyways, that's it. If anyone is able to get the backend to cough up its payload I would be very interested in seeing it :) I'm assuming, based on this code, that it would be something unique.
Follow up here, as @jknsCo was able to get a copy: https://twitter.com/AffableKraut/status/1221102738701942784