New MageCart Campaign Dodges Researcher Sandboxes

A threat actor operating the MageCart card-stealing skimmer malware is running another ongoing campaign. What makes this campaign notable is an added component that lets the malware avoid researcher analysis environments and sandbox systems and deploy only on the machines of real victims.

The MageCart malware has been updated with an additional component: a browser-side check. The new component tests whether the host system is running inside a virtual machine, an almost certain sign that the underlying hardware is a testbed used for catching and analyzing malware. The checks are done through JavaScript's WebGL API.

WebGL is used because it lets the browser-side checker obtain information about the system's graphics hardware. Virtual machines will either use a software renderer or expose a renderer name that gives away the fact that the GPU is being presented through a virtualized environment; either outcome identifies the host system as a very likely researcher sandbox.

If all the VM checks come back negative, the MageCart skimmer then proceeds to scrape all manner of browser form fields holding financial or personally identifiable information, from the cardholder's name and phone number to the credit card number itself.
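As an added example, not code from the article or from the campaign, the following JavaScript is a small static triage check for scripts pulled from a checkout page: it flags a script that reads the GPU renderer through WebGL's debug extension and compares it against VM or software-renderer names, and raises the verdict when the same script also references payment fields. The renderer and field-name token lists and the sample scripts are constructed assumptions, not indicators from the article.

```javascript
'use strict';

// Both of these must appear for a script to read the real renderer string via WebGL.
const RENDERER_PROBE = [
  /getExtension\s*\(\s*['"]WEBGL_debug_renderer_info['"]\s*\)/,
  /UNMASKED_RENDERER_WEBGL|UNMASKED_VENDOR_WEBGL/,
];

// Renderer names typical of VMs and software rendering (assumed list; extend for your environment).
const VM_RENDERER_TOKENS = /swiftshader|llvmpipe|vmware|virtualbox|svga|mesa|basic render/i;

// Checkout field names a card skimmer tends to read (assumed list).
const PAYMENT_FIELDS = /cc_?num|card_?number|cvv|cvc|expir|cardholder/i;

// Returns the individual signals plus a verdict for one script body.
function scanScript(source) {
  const probesRenderer = RENDERER_PROBE.every((re) => re.test(source));
  const comparesVmNames = VM_RENDERER_TOKENS.test(source);
  const touchesPayment = PAYMENT_FIELDS.test(source);
  let verdict = 'clean';
  if (probesRenderer && comparesVmNames) {
    verdict = touchesPayment ? 'likely-skimmer' : 'vm-evasion';
  } else if (probesRenderer) {
    verdict = 'fingerprinting';
  }
  return { probesRenderer, comparesVmNames, touchesPayment, verdict };
}

// Constructed sample: renderer probe, VM-name comparison and a card field reference.
const SAMPLE_EVASIVE = `
var c=document.createElement('canvas'),g=c.getContext('webgl');
var x=g.getExtension('WEBGL_debug_renderer_info');
var r=g.getParameter(x.UNMASKED_RENDERER_WEBGL);
if(!/swiftshader|llvmpipe|vmware/i.test(r)){document.querySelector('#cc_number');}`;

// Constructed sample: renderer probe only, as used by ordinary fingerprinting libraries.
const SAMPLE_FINGERPRINT = `
var x=g.getExtension('WEBGL_debug_renderer_info');
hash(g.getParameter(x.UNMASKED_RENDERER_WEBGL));`;

// Constructed sample: WebGL used purely for drawing.
const SAMPLE_BENIGN = `
var g=document.getElementById('view').getContext('webgl');
g.clearColor(0,0,0,1);g.clear(g.COLOR_BUFFER_BIT);`;

for (const s of [SAMPLE_EVASIVE, SAMPLE_FINGERPRINT, SAMPLE_BENIGN]) {
  console.log(scanScript(s));
}
```

A renderer probe on its own is common in legitimate fingerprinting and analytics code, so only the combination with VM-name comparison (and, stronger still, payment-field access) is worth escalating.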

The researchers examining the new MageCart campaign noted that running VM checks from inside the browser is a relatively novel and unusual tactic.

MageCart itself is the name of a loosely defined group of threat actors, grouped together by the tactics and tools they use. MageCart actors typically deploy scripts that skim credit card data entered into online store checkout pages and then funnel that data to the operators of the malware.

This method is particularly dangerous to ordinary users because there is no visible damage or malfunction on their system: they can keep shopping online and making payments with different cards, never realizing their information has been compromised and exfiltrated.

November 4, 2021