19 November 2020

New variant of card-skimming Grelos malware illustrates overlaps in Magecart infrastructure and groups
A new version of Grelos, a skimmer associated with Magecart card-skimming campaigns, shows how overlapping infrastructure creates a "murkiness" that makes it harder for security researchers to attribute activity to distinct Magecart groups.

The Grelos skimmer appeared on the threat landscape in 2015 and was previously linked to Magecart Groups 1 and 2; however, it has also been observed in attacks by other threat actors. The latest Grelos version, detailed by RiskIQ, is "a rehash" of the original code first seen in 2015-16: it consists of a loader and a skimmer, "both of which are base64 encoded five times over."
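The "base64 encoded five times over" detail is what an analyst first has to get past when triaging a sample like this. The following is an added example, not code from the article or from RiskIQ: a small Python triage helper that peels nested base64 layers off a blob until the result no longer looks like base64, then pulls out and defangs any hostnames in the recovered script. The sample skimmer text, the wrapping routine and the layer count are constructed for the demonstration; the only real-world strings are the two domains the article names, used here purely as sample hostnames.

```python
import base64
import re
from typing import List, Tuple

# Strict base64 alphabet check, applied after whitespace is stripped.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")

# Hostnames following an http(s):// scheme; captures up to the next "/" or quote.
_HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def _looks_like_base64(blob: bytes) -> bool:
    """Cheap pre-check so that ordinary JavaScript is not fed to the decoder."""
    stripped = b"".join(blob.split())
    if len(stripped) < 8 or len(stripped) % 4 != 0:
        return False
    return _B64_RE.match(stripped) is not None


def _is_text(blob: bytes) -> bool:
    """A decoded layer is only accepted if it is valid UTF-8 text.

    This guards against a short run of alphanumerics in plain JavaScript
    being 'decoded' into binary garbage and counted as a layer.
    """
    try:
        blob.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return True


def unwrap_base64(blob: bytes, max_layers: int = 16) -> Tuple[bytes, int]:
    """Strip nested base64 layers; returns (innermost text, number of layers removed).

    max_layers is a safety cap so a pathological input cannot loop forever.
    """
    current = blob
    layers = 0
    while layers < max_layers and _looks_like_base64(current):
        try:
            # validate=True rejects characters outside the alphabet instead of
            # silently discarding them, which would hide a malformed layer.
            decoded = base64.b64decode(b"".join(current.split()), validate=True)
        except ValueError:  # binascii.Error is a subclass of ValueError
            break
        if not _is_text(decoded):
            break
        current = decoded
        layers += 1
    return current, layers


def extract_domains(script: bytes) -> List[str]:
    """Return the unique hostnames referenced in a script, defanged for reporting."""
    hosts = {h.decode("ascii").lower() for h in _HOST_RE.findall(script)}
    return sorted(h.replace(".", "[.]") for h in hosts)


def wrap_base64(blob: bytes, layers: int) -> bytes:
    """Constructed helper: apply base64 repeatedly to build a test sample."""
    for _ in range(layers):
        blob = base64.b64encode(blob)
    return blob


# Constructed, benign stand-in for a skimmer body. It does not exfiltrate
# anything; it only references the two domains named in the article.
SAMPLE_SKIMMER = (
    b"(function(){var f=document.forms[0];"
    b"var u=['https://facebookapimanager.com/api','https://googleapimanager.com/api'];"
    b"f.addEventListener('submit',function(){/* constructed placeholder */});})();"
)

# Constructed loader blob: the sample wrapped five times, mirroring the
# "five times over" encoding the article describes.
SAMPLE_LOADER = wrap_base64(SAMPLE_SKIMMER, 5)


if __name__ == "__main__":
    payload, layers = unwrap_base64(SAMPLE_LOADER)
    print(f"layers removed: {layers}")
    print(payload.decode("utf-8"))
    print("domains:", extract_domains(payload))
```

The pre-check and the UTF-8 requirement are deliberate: a real skimmer layer is itself text (either another base64 string or the final JavaScript), so a layer that decodes to non-text is treated as the end of the wrapping rather than a further layer to peel. Defanging with `[.]` keeps the extracted indicators from becoming live links when pasted into a report or ticket.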

The new variant was uncovered while investigating domains associated with a recent attack on boom! Mobile's website, in which the Full(z) House group injected a skimmer into the site to steal customer data. The domains used in that campaign led the team to a cookie and associated skimmer domains, including facebookapimanager[.]com and googleapimanager[.]com. Closer inspection, however, showed that these hosted samples of a recent Grelos variant rather than the Full(z) House malware.

"In several recent Magecart compromises, we have seen increasing overlaps in infrastructure used to host various skimmers that are unrelated in terms of the techniques and code structures they employ," said RiskIQ. "We also observe new variants of skimmers reusing code seen over the last several years."

Different skimmer variants linked to Grelos have been "using the same infrastructure or other connections through WHOIS records and other malicious activities, such as phishing and malware during this investigation," the researchers said.
