Magecart card skimmer avoids detection by evading virtual machines
Browser script detects VMs used by researchers
It does this by detecting if the graphics card driver running on the operating system is a software renderer fallback from the hardware (GPU) renderer. In the script, the skimmer is checking for the presence of the words swiftshader, llvmpipe, and VirtualBox. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.
“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” said Jérôme Segura, head of Threat Intelligence at Malwarebytes.
Researchers noticed if the machine passes the check, the personal data exfiltration process can take place normally. The skimmer scrapes several fields, including the customer’s name, address, email, phone number, and credit card data.
“It also collects any password (many online stores allow customers to register an account), the browser’s user-agent, and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request,” said Segura.
While trying to detect if a machine is running a VM, which security researchers use to safely analyze malware, this malware looks for specific values indicating the presence of VMware or Virtual Box, two of the most popular pieces of virtualization software.
“For web threats, it is more rare to see detection of virtual machines via the browser. Typically threat actors are content with filtering targets based on geolocation and user-agent strings. But that feature does exist in modern browsers and can be quite effective,” said Segura.
Researchers added that it is not surprising to see criminals adopt such evasion techniques. “However, it shows that as we get better at detecting and reporting attacks, threat actors also evolve their code eventually. This is a natural trade-off that we must expect,” added Segura.
2021 Thales cloud security study
The challenges of cloud data protection and access management in a hybrid and multi cloud worldFree download
IDC agility assessment
The competitive advantage in adaptabilityFree Download
Digital transformation insights from CIOs for CIOs
Transformation pilotes, co-pilots, and engineersFree download
What ITDMs did next - and what they should be doing now
Enable continued collaboration and communication for hybrid workers