
Rewterz Threat Alert – Skimmers in Images & GitHub Repos

July 28, 2020

Severity

Medium

Analysis Summary

Researchers discovered malware hidden inside .ICO and .PNG image files. The files, hosted in booby-trapped Magento repositories on GitHub, contained the Magecart skimmer. The skimmer code was found inside a PNG file that presented itself as legitimate Google Tag Manager code; hiding malware inside legitimate-looking files lets the threat actors keep a less suspicious presence. Inside the Google Tag Manager code is JavaScript that extracts the final bytes of the image file in which it is implanted. Once deobfuscated, researchers found the Magecart skimmer code, modified so that the exfiltration path is not immediately visible to anyone inspecting it: a dedicated piece of code is responsible for computing the URL of the gateway. The malware attempts to load PNG files from a GitHub repository, and in that repository researchers found several folders and files holding more corrupted .png and .ico files. The exfiltration URL is stored in the code carried inside the image file and is decrypted by the aforementioned JavaScript.
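
A defender-side check for the hiding technique described above, added here as an illustration and not part of the Rewterz advisory or the researchers' tooling: it walks the PNG chunk list (and the ICO directory) and returns whatever bytes sit after the last structure the image format actually references, which is where a payload appended to an otherwise valid image ends up. The sample PNG and ICO files are constructed inline; `build_png`, `build_ico` and the trailer contents are assumptions for the demonstration, not artefacts from the campaign.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_trailing_bytes(data):
    """Walk the PNG chunk list; return bytes after IEND, or None if not a valid PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + data + 4 CRC
        if end > len(data):
            return None  # truncated chunk: not a well-formed PNG
        if ctype == b"IEND":
            return data[end:]  # anything here is never rendered, only carried
        pos = end
    return None

def ico_trailing_bytes(data):
    """ICO: 6-byte header + 16-byte entries (image size/offset); return bytes past the last image."""
    if len(data) < 6:
        return None
    reserved, itype, count = struct.unpack("<HHH", data[:6])
    if reserved != 0 or itype != 1 or count == 0:
        return None
    furthest = 6 + 16 * count
    if len(data) < furthest:
        return None
    for i in range(count):
        size, offset = struct.unpack("<II", data[14 + 16 * i:22 + 16 * i])
        furthest = max(furthest, offset + size)
    return data[furthest:] if furthest <= len(data) else None

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_png(trailer=b""):
    """Constructed 1x1 greyscale PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + trailer

def build_ico(image=b"\x00" * 16, trailer=b""):
    """Constructed single-image ICO; its one directory entry points at `image` at offset 22."""
    header = struct.pack("<HHH", 0, 1, 1)
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), 22)
    return header + entry + image + trailer
```

A non-empty return value is a hunting lead, not a verdict: some tools legitimately append metadata, so review what the trailing bytes contain (script text or a second file header being the obvious red flags) before acting on it.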

Impact

  • Data breach
  • Exposure of sensitive data
  • Information theft
  • Account compromise

Indicators of Compromise

URL

  • hxxps[:]//googletag-manager[.]com/gtag/GTM-P75S9/

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.