Magecart card skimmer avoids detection by evading virtual machines
Browser script detects VMs used by researchers
It does this by detecting if the graphics card driver running on the operating system is a software renderer fallback from the hardware (GPU) renderer. In the script, the skimmer is checking for the presence of the words swiftshader, llvmpipe, and VirtualBox. Google Chrome uses SwiftShader while Firefox relies on llvmpipe as its renderer fallback.
“By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by the skimmer,” said Jérôme Segura, head of Threat Intelligence at Malwarebytes.
Researchers noticed if the machine passes the check, the personal data exfiltration process can take place normally. The skimmer scrapes several fields, including the customer’s name, address, email, phone number, and credit card data.
“It also collects any password (many online stores allow customers to register an account), the browser’s user-agent, and a unique user ID. The data is then encoded and exfiltrated to the same host via a single POST request,” said Segura.
While trying to detect if a machine is running a VM, which security researchers use to safely analyze malware, this malware looks for specific values indicating the presence of VMware or Virtual Box, two of the most popular pieces of virtualization software.
“For web threats, it is more rare to see detection of virtual machines via the browser. Typically threat actors are content with filtering targets based on geolocation and user-agent strings. But that feature does exist in modern browsers and can be quite effective,” said Segura.
Researchers added that it is not surprising to see criminals adopt such evasion techniques. “However, it shows that as we get better at detecting and reporting attacks, threat actors also evolve their code eventually. This is a natural trade-off that we must expect,” added Segura.
Modern governance: The how-to guide
Equipping organisations with the right tools for business resilienceFree Download
Cloud operational excellence
Everything you need to know about optimising your cloud operationsWatch now
A buyer’s guide to board management software
How the right software can improve your board’s performance
The real world business value of Oracle autonomous data warehouse
Lead with a 417% five-year ROIDownload now