Leading Magecart Group Targeting Captive Wi-Fi Users via L7 Routers

Threat hunters from IBM X-Force Incident Response and Intelligence Services (IRIS) identified malicious activity attributed to a financially motivated cybercrime faction known as Magecart 5 (MG5).


Our research revealed that MG5 is likely testing malicious code designed for injection into benign JavaScript files loaded by commercial-grade layer 7 (L7) routers. These routers are typically deployed at airports, casinos, hotels and resorts, to name a few. Because an L7 router operates at the application layer, it can inspect and rewrite the HTTP content it relays, which is what makes injection into otherwise benign JavaScript files feasible for users behind it. X-Force IRIS believes MG5 is currently targeting users shopping on U.S. and Chinese websites.


Additionally, we found that MG5 has likely devised an attack scenario in which it could inject its malicious payment card stealing code into a popular open-source JavaScript library. This open-source code is provided as a free, licensed tool designed to help make websites compatible with mobile browsing. By tampering with that library, MG5 could potentially compromise the payment data of mobile device users who install booby-trapped apps bundling it and then shop online.


Please note that X-Force IRIS has not discovered any vendor compromise. What we are seeing are MG5 attack tactics, techniques and procedures (TTPs) targeting resources produced by said vendors. An actual attack would require further steps on MG5’s part.


Targeting Commercial-Grade, L7 Routers


What started as a threat hunting activity ended in analysis of malicious test code X-Force IRIS believes was written by a Magecart faction — more specifically, Magecart Group 5.


In our findings, complete technical details of which can be obtained here, we have come to suspect that MG5 prepared the code for injection into a specific type of router that’s used f ..
