Active Magecart Campaign Targets Spain, Steals Card Data via Hijacked eStores for Bank Fraud
A sophisticated, long-running Magecart campaign has been compromising e-commerce websites to steal payment card data, with a notable focus on the Spanish payment ecosystem. The attackers utilize multi-stage JavaScript payloads, mimic legitimate payment gateways like Redsys, and exfiltrate stolen data in real-time via WebSockets to evade traditional detection mechanisms.
Authors: ANY.RUN
Source:
ANY.RUN
- domainassetsbundle[.]comMalicious domain used for dynamic payload delivery and staging.
- domainbundlefeedback[.]comFallback domain used by the initial JavaScript loader to retrieve configuration data.
- domainjquerybootstrap[.]comMalicious domain used for dynamic payload delivery, masquerading as a legitimate JavaScript library.
- domainnewassetspro[.]comMalicious domain used for dynamic payload delivery and staging.
- domainredsysgate[.]comC2 server disguised as a legitimate Redsys domain, used for WebSocket exfiltration and command handling.
Key Takeaways
- The campaign has maintained long-term persistence (24+ months) using a highly resilient, multi-stage infrastructure.
- Attackers mimic legitimate payment systems, notably the Spanish provider Redsys, to increase credibility and success rates.
- Stolen payment card data is exfiltrated via WebSockets, reducing visibility in traditional HTTP-based security monitoring tools.
- Dynamic payload delivery allows attackers to rotate domains and evade disruption without needing to reinfect the target website.
- The malicious script also includes a localized social engineering flow to push malicious Android APKs to mobile users.
Affected Systems
- WooCommerce websites
- E-commerce platforms
- Android devices (via secondary APK payload)
Attack Chain
The attack begins when threat actors compromise an e-commerce website and inject a small, obfuscated JavaScript loader. This loader connects to a fallback list of external domains to retrieve a JSON configuration and dynamically load the primary malicious payload. The payload monitors the victim's browser for the checkout page, at which point it overlays or replaces the legitimate payment interface (often mimicking providers like Redsys or PayPlug). When the user enters their payment card details, the data is captured, validated, and exfiltrated in real-time to a C2 server via a WebSocket connection. Concurrently, the script may identify Android users and present a localized social engineering prompt to download a malicious APK.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: ANY.RUN TI Lookup
The article provides a custom search query for the ANY.RUN Threat Intelligence Lookup platform to identify related malicious URL patterns.
Detection Engineering Assessment
EDR Visibility: Low — The malicious activity occurs entirely within the client's web browser via DOM manipulation and JavaScript execution, which is typically invisible to server-side EDR agents. Network Visibility: Medium — While the traffic is encrypted (HTTPS/WSS), the presence of WebSocket connections to newly registered or suspicious domains originating from checkout pages can be detected via network monitoring. Detection Difficulty: Hard — The use of dynamic payload delivery, fallback domain rotation, heavy JavaScript obfuscation (including custom VMs), and WebSocket exfiltration makes signature-based detection highly challenging.
Required Log Sources
- Web Proxy Logs
- DNS Logs
- Network Flow Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unexpected WebSocket (wss://) connections originating from e-commerce checkout or payment confirmation pages. | Web Proxy Logs, Network Flow Logs | Exfiltration | Medium |
| Monitor for JavaScript files loaded dynamically from newly registered domains or domains mimicking legitimate libraries (e.g., jquerybootstrap.com) during the checkout process. | DNS Logs, Web Proxy Logs | Execution | Low |
| Search for web traffic matching the URL pattern where a base64 encoded string is requested as a .js file with a numeric query parameter. | Web Proxy Logs | Delivery | Low |
Control Gaps
- Client-side web monitoring
- Traditional HTTP-only Data Loss Prevention (DLP)
Key Behavioral Indicators
- WebSocket connections initiated immediately after payment form interaction
- DOM injection of iframes or high z-index overlays during payment steps
- Use of postMessage for cross-origin communication with unknown domains
False Positive Assessment
- Low. The provided indicators of compromise are highly specific to this attacker infrastructure. While some domains mimic legitimate services (e.g., hotjarcdn.com), they are attacker-controlled typosquats or lookalikes.
Recommendations
Immediate Mitigation
- Block the identified malicious domains and C2 infrastructure at the firewall and web proxy level.
- Audit e-commerce platforms (especially WooCommerce) for unauthorized JavaScript injections, modified core files, or suspicious plugins.
Infrastructure Hardening
- Implement a strict Content Security Policy (CSP) to restrict the domains from which scripts can be loaded and to which data can be sent (e.g., restricting connect-src).
- Enforce Subresource Integrity (SRI) for all external JavaScript libraries to prevent execution if the source file is tampered with.
User Protection
- Deploy client-side web protection solutions capable of detecting DOM tampering and unauthorized input capture in real-time.
- Educate users to verify payment gateway URLs and avoid downloading unexpected applications (APKs) prompted during checkout.
Security Awareness
- Train web administrators and developers on the risks of Magecart attacks and the importance of monitoring third-party script integrity.
MITRE ATT&CK Mapping
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1056.003 - Input Capture: Web Portal Capture
- T1071.001 - Application Layer Protocol: Web Protocols
- T1140 - Deobfuscate/Decode Files or Information
- T1036 - Masquerading
Additional IOCs
- Domains:
bundle-feedback[.]com- Fallback domain for configuration retrieval.doubleclickcache[.]com- Malicious infrastructure domain.analyticsgctm[.]com- Malicious infrastructure domain.hotjarcdn[.]com- Malicious infrastructure domain.firefoxcaptcha[.]com- Malicious infrastructure domain.solutionjquery[.]com- Malicious infrastructure domain.bundle-referrer[.]com- Malicious infrastructure domain.categorywishlist[.]com- Malicious infrastructure domain.cachesecure[.]com- Malicious infrastructure domain.securedata-ns[.]com- Malicious infrastructure domain.analysiscache[.]com- Malicious infrastructure domain.explorerpros[.]com- Malicious infrastructure domain.safeprocessor[.]com- Malicious infrastructure domain (Cluster 1).hotjarsolutions[.]com- Malicious infrastructure domain (Cluster 1).multiasolutions[.]com- Malicious infrastructure domain (Cluster 1).hotjarclick[.]com- Malicious infrastructure domain (Cluster 1).safepayzone[.]com- Malicious infrastructure domain (Cluster 1).referralinkup[.]com- Malicious infrastructure domain (Cluster 1).mozilla-master[.]com- Malicious infrastructure domain (Cluster 1).specterguardian[.]com- Malicious infrastructure domain (Cluster 1).gtmimestmap[.]com- Malicious infrastructure domain (Cluster 2).widgetassets[.]com- Malicious infrastructure domain (Cluster 3).paysafeprocess[.]com- Malicious infrastructure domain (Cluster 4).cachecaptcha[.]com- Malicious infrastructure domain (Cluster 4).checkoutcache[.]com- Malicious infrastructure domain (Cluster 4).
- Urls:
hxxps://<c2_domain>/<base64_text>.js?_=<digits>- Pattern for dynamic malicious JavaScript payload retrieval.wss://<c2_domain>/?token=<base64_data>- Pattern for WebSocket C2 communication and data exfiltration.