Researchers at Malwarebytes reported that they found a connection between the MageCart 5 group and the famous criminal group Carbanak and the banking Trojan Dridex.
RiskIQ experts, who have been tracking MageCart groups for a long time, wrote that MageCart 5 is one of the most professional and serious groups in this area. Recall that in 2018 RiskIQ researchers identified 12 such groups, whereas now, according to IBM, there are already 38 of them.

“This group hacks only third-party service providers and does not directly attack online stores. This particular group has already shown creativity and used CDNs (content delivery networks) and advertising to inject its malicious code into sites”, say RiskIQ experts.
And in September of this year, IBM experts discovered that MageCart 5 had developed special scripts for placement on Layer 7 routers and the subsequent theft of bank card data. This suggests that the attackers have moved from compromising sites to compromising routers.
Now, Malwarebytes experts have reported that they managed to link the MageCart 5 group with the well-known criminal group Carbanak and the banking Trojan Dridex. To do this, the researchers studied eight top-level domains that use the Informaer name and are associated with MageCart 5 according to RiskIQ.
Using WHOIS records that predate the General Data Protection Regulation (GDPR), the researchers traced the domains to a “bulletproof” registrar in China called BIZCN/CNOBIN.
Like “bulletproof” hosting providers, such registrars ignore all complaints about the illegal activity of their customers and keep user identities secret. However, the specialists managed to identify a ninth Informaer domain (informaer[.]Info), which turned out to be less well protected and led the experts to an email address (guotang323@yahoo.com) and a phone number (+86.1066569215).
“This domain was registered at the same time as the other Informaer domains (literally a matter of seconds apart), and was almost certainly used in MageCart 5”, report Malwarebytes experts.
The email address turned out to be associated with other domains registered by the same person. Among them were several domains tied to Dridex phishing campaigns, which the Swiss CERT described in detail in 2017: corporatefaxsolutions[.]Com, onenewpost[.]Com and xeronet[.]Org.
Interestingly, the phone number had been seen before: last year, the well-known information security journalist Brian Krebs mentioned it in his article on the investigation of Carbanak and theories about the group's origin.
At the same time, Malwarebytes experts admit that all the registration information for informaer[.]Info could have been deliberately falsified to mislead researchers. However, this happened in 2016, when the attribution of MageCart had not yet been investigated. Analysts consider it unlikely that MageCart 5 members were already covering their tracks, given that no one was hunting them yet.
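The pivot described above (shared registrant email, shared phone number, and domains created seconds apart at the same registrar) is a standard threat-intelligence workflow: take historical WHOIS snapshots, normalise the registrant fields, and walk the graph of shared attributes from a seed domain, keeping the reason for every link so the cluster can be audited later. The script below is an added example, not code from Malwarebytes or RiskIQ. The domain names are the ones the article lists, but every registrant value, timestamp and registrar string in the records is a constructed placeholder, and the `WHOIS_RECORDS` list stands in for whatever historical WHOIS source an analyst actually has. Privacy-redacted values never pivot, and a same-registrar registration burst is only treated as a link when the registrar matches, which reflects the caveat that registrant data can be falsified and that a cluster is a hypothesis to be corroborated, not proof.

```python
"""Pivot on historical WHOIS registrant data to link domains into an infrastructure cluster.

Added example, not Malwarebytes' or RiskIQ's code. The records below are constructed:
the domain names are those named in the article, but every registrant value, date and
registrar string is a placeholder invented for this illustration.
"""
from collections import defaultdict
from datetime import datetime

# Substrings that mark a WHOIS field as privacy-protected; such values must never be pivoted on.
PRIVACY_MARKERS = ("redacted", "privacy", "whoisguard", "n/a")

# Constructed WHOIS snapshots (hypothetical registrant data, hypothetical timestamps).
WHOIS_RECORDS = [
    {"domain": "informaer.info", "created": "2016-03-01T10:00:05", "registrar": "BIZCN",
     "email": "Registrant-A@example.invalid", "phone": "+00.0000000001"},
    {"domain": "informaer.com", "created": "2016-03-01T10:00:02", "registrar": "BIZCN",
     "email": "REDACTED FOR PRIVACY", "phone": "REDACTED FOR PRIVACY"},
    {"domain": "informaer.net", "created": "2016-03-01T10:00:09", "registrar": "BIZCN",
     "email": "REDACTED FOR PRIVACY", "phone": "REDACTED FOR PRIVACY"},
    {"domain": "corporatefaxsolutions.com", "created": "2017-02-10T08:12:00", "registrar": "OTHER-REG",
     "email": "registrant-a@example.invalid", "phone": "+00.0000000002"},
    {"domain": "onenewpost.com", "created": "2017-02-11T09:30:00", "registrar": "OTHER-REG",
     "email": "registrant-a@example.invalid", "phone": "+00.0000000001"},
    {"domain": "xeronet.org", "created": "2017-03-01T12:00:00", "registrar": "OTHER-REG",
     "email": "registrant-b@example.invalid", "phone": "+00.0000000002"},
    # Registered in the same minute as the Informaer burst but at a different registrar:
    # time proximity alone must not pull it into the cluster.
    {"domain": "unrelated-shop.example", "created": "2016-03-01T10:00:07", "registrar": "OTHER-REG",
     "email": "someone-else@example.invalid", "phone": "+00.0000000009"},
]


def normalize(value):
    """Lower-case and trim a registrant field; return None for empty or privacy-redacted values."""
    v = (value or "").strip().lower()
    if not v or any(marker in v for marker in PRIVACY_MARKERS):
        return None
    return v


def pivot(records, field):
    """Map each usable value of `field` to the sorted domains sharing it (values seen on 2+ domains only)."""
    seen = defaultdict(set)
    for rec in records:
        value = normalize(rec.get(field))
        if value:
            seen[value].add(rec["domain"])
    return {value: sorted(domains) for value, domains in seen.items() if len(domains) > 1}


def registered_together(records, window_seconds=60):
    """Pairs of domains created at the same registrar within `window_seconds` of each other."""
    by_registrar = defaultdict(list)
    for rec in records:
        by_registrar[rec["registrar"]].append((datetime.fromisoformat(rec["created"]), rec["domain"]))
    pairs = set()
    for entries in by_registrar.values():
        entries.sort()
        for i, (t1, d1) in enumerate(entries):
            for t2, d2 in entries[i + 1:]:
                if (t2 - t1).total_seconds() > window_seconds:
                    break  # entries are sorted, so later ones are even further away
                pairs.add((d1, d2))
    return pairs


def build_cluster(records, seed):
    """Breadth-first walk from `seed` over shared email, shared phone and registration bursts.

    Returns (sorted domains, list of (from, to, reason)) so every link in the cluster is explainable.
    """
    edges = defaultdict(list)
    for field in ("email", "phone"):
        for value, domains in pivot(records, field).items():
            for a in domains:
                for b in domains:
                    if a != b:
                        edges[a].append((b, f"shared {field} {value}"))
    for a, b in registered_together(records):
        edges[a].append((b, "registered within seconds at the same registrar"))
        edges[b].append((a, "registered within seconds at the same registrar"))
    seen, queue, reasons = {seed}, [seed], []
    while queue:
        current = queue.pop(0)
        for nxt, why in edges[current]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
                reasons.append((current, nxt, why))
    return sorted(seen), reasons


if __name__ == "__main__":
    domains, reasons = build_cluster(WHOIS_RECORDS, "informaer.info")
    print("cluster:", domains)
    for src, dst, why in reasons:
        print(f"  {src} -> {dst}: {why}")
```

Running it from the `informaer.info` seed links the two redacted Informaer domains through the registration burst, the two phishing domains through the shared email, and `xeronet.org` through a second-hop phone pivot, while `unrelated-shop.example` stays out despite being registered in the same minute. The `reasons` list is what an analyst should keep alongside the cluster: a link that rests on a single attribute from a registrar known to accept false details deserves less weight than one corroborated by several.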