Meet the JS-Sniffers 4:
CoffeMokko Family

Victor Okorokov
Threat Intelligence Analyst at Group-IB
Our recent comprehensive report features an in-depth analysis of JS-sniffers' darknet market, their entire infrastructure and the monetization methods. Group-IB researchers have discovered 38 families of JS-sniffers, whereas only 12 were known previously.

Last three blog posts were dedicated to the ReactGet, G-Analytics and Illum families of JS-sniffers, and this time we analyzed the CoffeMokko family. Group-IB researchers discovered that this family of JS-sniffers has been used since May 2017. Group 1, described by RiskIQ researchers in 2016 is likely to be behind the CoffeMokko family.
Meet CoffeMokko
A malicious campaign involving CoffeMokko JS-sniffers started in May 2017. These JS-sniffers were used in attacks on customers of online shops running on CMS such as Magento, OpenCart, WordPress, osCommerce, and Shopify.

The cybercriminal group that manages this JS-sniffer creates a unique JS-sniffer for each infection: the JS-sniffer file is stored in either a src or js directory on the attackers' server. The JS-sniffer code is injected into the website's HTML code via a direct link to the JS-sniffer.
There are names of the fields of the payment form, which was hardcoded in each JS-sniffer sample. These fields are used to steal payment information from the forms on infected websites. The JS-sniffer checks if the user is on the payment page by searching for keywords in the URL address.
Some detected versions of the JS-sniffer were obfuscated. Each obfuscated script includes an encrypted string that stores a list of resources for the JS-sniffer, i.e. the names of fields of the payment form on the targeted website and the gate URL responsible for collecting stolen data.
Stolen payment information is sent to the script located on the attackers' server through the path /savePayment/index.php or /tr/index.php. Presumably, these scripts were designed to send stolen information to the attackers' main server, which consolidates data from all JS-sniffers. To hide malicious activity in the victim's traffic, all stolen information is encoded with Base64, after which certain characters are replaced:

  • Character "e" is replaced by ":"
  • Character "w" is replaced by "+"
  • Character "o" is replaced by "%"
  • Character "d" is replaced by "#"
  • Character "a" is replaced by "-"
  • Character "7" is replaced by "^"
  • Character "h" is replaced by "_"
  • Character "T" is replaced by "@"
  • Character "0" is replaced by "/"
  • Character "Y" is replaced by "*"
As a result, this Base64-encoded data cannot be decoded without inverting the character replacement.

The picture below shows an unobfuscated example of the JS-sniffer:
Analysis of infrastructure
During the cybercrime group's earliest campaigns, the attackers created new domains, which imitated the domain names of legitimate websites. The attackers' domain name could be different from the legitimate one only by the TLD or a single character. The illegitimate domain names were used to store the JS-sniffer source code. A link to the JS-sniffer was injected into the compromised website's source code.

Moreover, this group used domain names that imitated names of popular jQuery plugins (e.g. slickjs[.]org for websites that use the slick.js plugin) and payment gateways (e.g. sagecdn[.]org for websites that use Sage Pay payment processing).

The attackers later began to create domains whose names had nothing to do with the domain of the store or its are of activity.
Each domain name was used to create a website with the directory /js or /src. This directory was used to store samples of the JS-sniffer—one JS-sniffer for each infected website. JS-sniffers were injected into the HTML code of the compromised website by a direct link to the JavaScript file, but in some cases the attackers modified an existing file on the webserver and injected the JS-sniffer into it.
Analysis of the source code
First obfuscation algorithm

Some of the discovered samples of CoffeMokko were obfuscated and contained encrypted JS-sniffer's resources strings, for instance, the gate URL, the list of payment form fields and in some cases the script of fake payment forms. The resource string was encrypted using XOR by key, which is the input of the next function responsible for decrypting.

By decrypting the resource string with the key, which is unique for each JS-sniffer, we can obtain the array with resources: all strings used in this JS-sniffer joined by a separator.
Second obfuscation algorithm

In the later versions of the CoffeMokko JS-sniffers a different obfuscation method was used: the data was encrypted using custom algorithm. An encrypted string which is the input of the next function responsible for decrypting. An encrypted string with all resource strings was used as parameter for decrypting function in the source code of the JS-sniffer.

By using browser console, encrypted strings can be decoded.
Connection with early Magecart attacks
The analysis of one of the domains, used as a gate for collecting stolen data by the group, revealed that some files on the attacker's server are almost identical to the infrastructure used by Group 1 – one of the very first groups discovered by RiskIQ researchers (https://www.riskiq.com/blog/labs/magecart-keylogger-injection/).

Two files were discovered on the host used by the CoffeMokko family:

  • mage.js – the file, containing the Group 1 JS-sniffer code with js-cdn.link as a gate URL
  • mag.php – PHP script designed to collect the stolen data

The content of mage.js file is presented below:

It was also established that the earliest domains used by the group behind the CoffeMokko family were registers on May 17, 2017:

  • link-js[.]link
  • info-js[.]link
  • track-js[.]link
  • map-js[.]link
  • smart-js[.]link
The format of the domain names is the same that was used by Group 1, deployed in their 2016 attacks.

Based on all these facts, we can assume that there is some connection between the operators of CoffeMokko family and Group 1. The operators of CoffeMokko could have adopted the tools and software for card stealing from their predecessor. However, it is more likely the people behind the CoffeMokko JS-sniffers family could be the same people who carried out the attacks attributed to Group 1. After the publication of the first report on the group's activities, all their domains were blocked and tools were examined and described by the researchers. Therefore, the group presumably took a break in order to improve the code of the JS-sniffer and their methods and tools to be able to keep attacking online stores and remain unnoticed.
Crime without punishment: in-depth analysis of JS-sniffers
JS-sniffers pose a growing threat by attacking online stores and stealing payment data and credentials of their users. When a website is infected with JS-sniffer, everyone is a victim – online shoppers, ecommerce websites, payment processing systems, and banks that issued compromised cards. Group-IB experts have researched this type of malware and have discovered 38 families of JS-sniffers, whereas only 12 were known previously.