New Magecart group uses an e-Skimmer that avoids VMs and sandboxes


A new Magecart group leverages a browser script to evade virtualized environments and sandboxes used by researchers.

Malwarebytes researchers have spotted a new Magecart group that uses a browser script to evade detection and to avoid running inside the virtualized environments security researchers use for threat analysis. Hacker groups under the Magecart umbrella continue to target e-stores to steal payment card data with software skimmers.

While malware developers often implement anti-VM features that check registry keys and other artifacts revealing the presence of VMware or VirtualBox, detecting a virtualized environment from within the browser is something experts rarely observe in web threats.

The Malwarebytes researchers found that the threat actors add an extra browser process that uses the WebGL JavaScript API to gather information about the user's machine and avoid executing inside a VM.


The process identifies the graphics renderer and returns its name. The researchers pointed out that in many virtual machines the graphics driver is a software renderer, used as a fallback for the hardware (GPU) renderer. In other cases the graphics card is emulated by the virtualization software, which can likewise be identified by its name.


A new Magecart threat actor is stealing payment card information from victims' browsers using a digital skimmer that employs an unusual check to bypass virtual machines (VMs), so that it only targets real victims and not security researchers.

Researchers revealed in a blog post published Wednesday that the Malwarebytes team discovered the new campaign, which adds an additional browser process that uses the WebGL JavaScript API to probe a user's machine and ensure that it is not running in a VM.

Malwarebytes Head of Threat Intelligence Jerome Segura wrote in the post, “By performing this in-browser check, the threat actor can exclude researchers and sandboxes and only allow real victims to be targeted by skimmers.”

Magecart is an umbrella term for various threat groups that compromise e-commerce websites with card-skimming scripts on checkout pages to steal customers' payment and personal data. Because their activity is so familiar to security researchers, these groups are constantly looking for new and creative ways to avoid being caught.

Segura said that detecting the VMs used by security researchers and sandboxing solutions tuned to pick up Magecart activity is “the most popular method” malware uses to evade analysis. For web-based threats, however, “virtual machines are more rare to be detected through the browser,” he said; threat actors typically filter targets based on geolocation and user-agent strings instead, Segura wrote.

Still, it is not surprising to see cybercriminals shift tactics, he said: as researchers step up their game to detect and report such activity, cybercriminals adapt and evolve as well. “This is a natural trade-off we should expect,” Segura wrote.

“We see that the skimmer is checking for the presence of the words swiftshader, llvmpipe and virtualbox. Google Chrome uses swiftshader while Firefox relies on llvmpipe as its renderer fallback,” wrote Malwarebytes Head of Threat Intelligence Jerome Segura.

The presence of the terms swiftshader, llvmpipe and virtualbox is associated with execution inside a VM. When the script runs on a real machine, the software skimmer scrapes a number of fields, including the customer's name, address, email and phone number, as well as their credit card data.
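The following is an added illustration of how a renderer check of this kind is performed through WebGL, together with the mirror-image countermeasure an analyst can apply in a sandbox. It is not code from the Malwarebytes write-up or from the skimmer itself: the three marker strings are the ones the article names, while the function names, the spoofed GPU string and the `doc`/`ctxProto` parameters are assumptions made for the example.

```javascript
// Added example: an in-browser WebGL renderer check of the kind described in the
// article, plus an analyst-side countermeasure. Not the skimmer's own code.

// Marker substrings the article reports the skimmer looking for. SwiftShader is
// Chrome's software fallback, llvmpipe is Firefox's (Mesa), and VirtualBox names
// its emulated display adapter after itself.
const VM_RENDERER_MARKERS = ["swiftshader", "llvmpipe", "virtualbox"];

// Enum value of UNMASKED_RENDERER_WEBGL from the WEBGL_debug_renderer_info extension.
const UNMASKED_RENDERER_WEBGL = 0x9246;

// Read the unmasked renderer name. `doc` is the Document to create a canvas on
// (pass `document` in a browser; the parameter is an assumption for testability).
// Returns null when WebGL or the extension is unavailable, e.g. under Node or in
// a browser that withholds the extension.
function getWebGLRenderer(doc) {
  if (!doc || typeof doc.createElement !== "function") return null;
  const canvas = doc.createElement("canvas");
  const gl = canvas.getContext("webgl") || canvas.getContext("experimental-webgl");
  if (!gl) return null;
  const dbg = gl.getExtension("WEBGL_debug_renderer_info");
  if (!dbg) return null;
  const name = gl.getParameter(dbg.UNMASKED_RENDERER_WEBGL);
  return typeof name === "string" ? name : null;
}

// The evasion check: case-insensitive substring match against the markers.
// An unreadable renderer is treated as "probably not a real victim", which is
// the conservative choice for an attacker who wants to stay hidden.
function looksLikeVM(rendererName) {
  if (typeof rendererName !== "string") return true;
  const lower = rendererName.toLowerCase();
  return VM_RENDERER_MARKERS.some((marker) => lower.includes(marker));
}

// Analyst countermeasure: patch getParameter on the WebGL context prototype so
// UNMASKED_RENDERER_WEBGL returns a hardware-looking string, letting the skimmer
// run inside the sandbox where it can be observed. `ctxProto` is
// WebGLRenderingContext.prototype in a real browser (parameterised here so the
// function can be exercised without one). Returns a function that undoes the patch.
function installRendererSpoof(ctxProto, fakeRendererName) {
  const originalGetParameter = ctxProto.getParameter;
  ctxProto.getParameter = function (pname) {
    if (pname === UNMASKED_RENDERER_WEBGL) return fakeRendererName;
    return originalGetParameter.call(this, pname);
  };
  return function undo() {
    ctxProto.getParameter = originalGetParameter;
  };
}

// Stand-alone demo: in a browser this reports the real renderer; under Node it
// reports null and the check therefore flags the environment as VM-like.
const demoRenderer = getWebGLRenderer(typeof document !== "undefined" ? document : null);
console.log("renderer:", demoRenderer, "looksLikeVM:", looksLikeVM(demoRenderer));
```

In a browser console, `installRendererSpoof(WebGLRenderingContext.prototype, "ANGLE (NVIDIA GeForce GTX 1060 Direct3D11 vs_5_0 ps_5_0)")` is enough to make a subsequent `getWebGLRenderer(document)` pass the skimmer's check; the spoofed name is a constructed example string, and a real sandbox should use a renderer string captured from genuine hardware so it also survives more careful fingerprinting.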

The skimmer also collects the password for the online store on which the victim has registered an account, the browser's user-agent string and a unique user ID. The data is encoded and sent via a POST request to the same server that hosts the skimmer.

The analysis published by Malwarebytes includes indicators of compromise (IoCs) along with the source code of the software skimmer used in the attack.