Read on Twitter
Thanks to some data from @sansecio, we've found a new technique that is being used to hide the loading of a Websocket based digital skimmer/ #magecart script. In this new skimmer loader, it's masquerading as the Slider Revolution plugin.
1/6
1/6
Previously, we've seen a group (possibly the same one here, since the malicious script is loaded over websockets) use CSS classes to obscure what they're doing.
2/6 https://twitter.com/AffableKraut/status/1206794642949193728
2/6 https://twitter.com/AffableKraut/status/1206794642949193728
Most of the code present does very little and is just to mask its behavior. Here is the complete code:
3/6 https://gist.github.com/krautface/673e7a67ec63d62d6e12d44073215701
3/6 https://gist.github.com/krautface/673e7a67ec63d62d6e12d44073215701
As shown above, note the SC variable, which contains a bunch of attributes that are frequently used by the Slider Revolution plugin (for Wordpress and jQuery). On Line 14 there is an attempt to detect Selenium or other automation. Deobfuscated it's simply looking for this:
4/6
4/6
The deobfuscated and mostly cleaned up code is much smaller than the original, because not much is going on really. The comments here were added by me:
5/6 https://gist.github.com/krautface/b65cb1e717038f000d4d9dfd860830ea
5/6 https://gist.github.com/krautface/b65cb1e717038f000d4d9dfd860830ea
And that's about it. Just another example of an attempt to mask malicious behavior by pretending to be some benign. And, as with all things websockets, a CSP will block this.
6/6
6/6
