
Experts found a connection between Carbanak and one of the MageCart groups

Researchers at Malwarebytes reported that they found a connection between the MageCart 5 group and the famous criminal group Carbanak and the banking Trojan Dridex.

RiskIQ experts, who have been tracking MageCart groups for a long time, wrote that MageCart 5 is one of the most professional and serious groups in this area. As a reminder, in 2018 RiskIQ researchers identified 12 such groups, whereas now, according to IBM, there are already 38 of them.

“This grouping hacks only third-party service providers, but does not directly attack online stores. This particular group has already shown creativity and used the CDN (content delivery network) and advertising to inject its malicious code into sites,” say RiskIQ experts.

And in September of this year, IBM experts discovered that MageCart 5 had developed special scripts for placement on Layer 7 routers and the subsequent theft of bank card data. This suggests that the attackers have moved from compromising sites to attacking routers.

Now, Malwarebytes experts have reported that they managed to connect the MageCart 5 group with the well-known criminal group Carbanak and the banking Trojan Dridex. To do this, the researchers studied eight domains that use the Informaer name and are associated with MageCart 5 according to RiskIQ.


Using WHOIS records that predate the General Data Protection Regulation (GDPR), the researchers traced the domains to a “bulletproof” registrar in China called BIZCN/CNOBIN.

Like “bulletproof” hosting providers, such companies ignore all complaints about the illegal activity of their customers, and customer identities are kept secret. However, the specialists managed to identify a ninth Informaer domain (informaer[.]Info), which turned out to be not so well protected and led them to an email address (guotang323@yahoo.com) and a phone number (+86.1066569215).

“This domain was registered at the same time as the other Informaer domains (literally talking about seconds), and was almost certainly used in MageCart 5,” report Malwarebytes experts.

The email address turned out to be associated with other domains registered by the same person. Among them were several domains related to Dridex phishing campaigns, which the Swiss CERT described in detail in 2017: corporatefaxsolutions[.]Com, onenewpost[.]Com and xeronet[.]Org.

Interestingly, experts had already encountered the phone number. Last year, the well-known infosec journalist Brian Krebs mentioned this number in his article investigating Carbanak and theories about the group's origin.

At the same time, Malwarebytes experts admit that all the registration information for informaer[.]Info could have been deliberately falsified in order to confuse researchers. However, all this happened in 2016, when MageCart attribution had not yet been investigated. Analysts believe it is unlikely that MageCart 5 participants were already trying to cover their tracks, given that no one was hunting them yet.
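The attribution work described above rests on a pivoting technique: historical WHOIS records are linked through shared registrant fields (email, phone) and near-simultaneous registration timestamps, and the resulting graph connects domains from one campaign to another. The following script is an added example, not code from the article or from Malwarebytes or RiskIQ; it runs the same kind of pivot over constructed, placeholder WHOIS records (hypothetical `.example` domains and `.invalid` contacts, no real registrant data). It also separates the strong pivots (identical contact fields) from the weak one (creation within a few seconds), because a timing match alone will pull in unrelated domains registered in the same window, which is exactly the kind of false link an analyst has to rule out before claiming attribution.

```python
"""Registrant-pivot clustering over historical (pre-GDPR style) WHOIS records.

Added example, not from the article. All records are constructed placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import combinations
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class WhoisRecord:
    domain: str
    email: Optional[str]   # None models a privacy-protected / hidden field
    phone: Optional[str]
    created: datetime
    campaign: str          # analyst label attached to the domain


# Constructed sample data (hypothetical domains, contacts and timestamps).
RECORDS: List[WhoisRecord] = [
    WhoisRecord("skimmer-a.example", None, None,
                datetime(2016, 3, 1, 10, 0, 0), "skimmer"),
    WhoisRecord("skimmer-b.example", None, None,
                datetime(2016, 3, 1, 10, 0, 4), "skimmer"),
    WhoisRecord("skimmer-c.example", "registrant@example.invalid",
                "+00.0000000000", datetime(2016, 3, 1, 10, 0, 9), "skimmer"),
    WhoisRecord("phish-1.example", "registrant@example.invalid", None,
                datetime(2017, 5, 20, 8, 0, 0), "phishing"),
    WhoisRecord("phish-2.example", None, "+00.0000000000",
                datetime(2017, 6, 2, 9, 30, 0), "phishing"),
    # Registered seconds after the skimmer domains but with unrelated contacts:
    # a timing-only pivot would wrongly absorb it.
    WhoisRecord("unrelated.example", "other@example.invalid", None,
                datetime(2016, 3, 1, 10, 0, 5), "benign"),
]

TIMING = "created-within-window"


def pivot_edges(records: List[WhoisRecord],
                window: timedelta = timedelta(seconds=10)
                ) -> List[Tuple[str, str, str]]:
    """Return (domain_a, domain_b, reason) edges between records.

    Strong pivots: identical registrant email or phone (hidden fields never
    match). Weak pivot: creation timestamps within `window`, which on its own
    is only circumstantial evidence.
    """
    edges: List[Tuple[str, str, str]] = []
    for a, b in combinations(records, 2):
        if a.email and a.email == b.email:
            edges.append((a.domain, b.domain, f"email:{a.email}"))
        if a.phone and a.phone == b.phone:
            edges.append((a.domain, b.domain, f"phone:{a.phone}"))
        if abs(a.created - b.created) <= window:
            edges.append((a.domain, b.domain, TIMING))
    return edges


def clusters(records: List[WhoisRecord], include_timing: bool = False,
             window: timedelta = timedelta(seconds=10)) -> Set[frozenset]:
    """Connected components of the pivot graph, built with union-find."""
    parent = {r.domain: r.domain for r in records}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b, reason in pivot_edges(records, window):
        if reason == TIMING and not include_timing:
            continue
        parent[find(a)] = find(b)

    groups = defaultdict(set)
    for d in parent:
        groups[find(d)].add(d)
    return {frozenset(g) for g in groups.values()}


def cluster_of(domain: str, records: List[WhoisRecord],
               include_timing: bool = False) -> frozenset:
    """The cluster containing `domain` (empty if the domain is unknown)."""
    for c in clusters(records, include_timing):
        if domain in c:
            return c
    return frozenset()


def campaigns_linked(records: List[WhoisRecord],
                     include_timing: bool = False) -> Set[frozenset]:
    """Campaign labels that fall into one cluster; a set with more than one
    label is a cross-campaign link of the kind the article describes."""
    label = {r.domain: r.campaign for r in records}
    return {frozenset(label[d] for d in c)
            for c in clusters(records, include_timing)}


if __name__ == "__main__":
    for a, b, why in pivot_edges(RECORDS):
        print(f"{a} <-> {b}  ({why})")
    print("strong pivots only:", clusters(RECORDS))
    print("with timing pivot: ", clusters(RECORDS, include_timing=True))
```

With strong pivots only, `skimmer-c.example` bridges the skimmer and phishing sets through its email and phone, while the domains with hidden contacts stay isolated; enabling the timing pivot joins those hidden-contact domains to the cluster but also drags in `unrelated.example`, so timing evidence should be reported separately and corroborated rather than merged silently.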

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you.
