Home » How to remove » Malicious process » Researchers identified a link between the Magecart Group 4 and Cobalt

Researchers identified a link between the Magecart Group 4 and Cobalt

A team of security researchers from Malwarebytes and HYAS discovered a link between the cybercriminals from Magecart Group 4 and Cobalt (also known as Carbanak, Fin7 and Anunak).

According to the analysis, Group 4 skimming not only on client’s side, but probably continues to do the same on the server.

Magecart is a term that unites more than a dozen of cybercriminal groups specializing in the implementation of scripts to steal bankcard data in payment forms on websites. They are responsible for attacks on such companies as Amerisleep, MyPillow, Ticketmaster, British Airways, OXO and Newegg.

“Group 4 is one of the most “advanced” groupings. Its participants use sophisticated methods to mask traffic, for example, by registering domain names associated with analytic companies or advertisers. The group has experience with banking malware, as well as the Cobalt group”, – experts of Malwarebytes tell.

Researchers tracked the various Magecart groups, looked for elements of their infrastructure, as well as connections between domains and IP addresses. Based on indicators of compromise, registered domains, used tactics, methods and procedures, the researchers concluded that Cobalt might have switched to web-skimming.

Read also: Echobot botnet launched large-scale attacks on iOT devices

The domains from which the skimers were downloaded registered to the mail address in the ProtonMail service, which RiskIQ researchers previously linked to Magecart. After analyzing the data, the experts associated this address with other registration letters and found a general nature, in particular, when creating mailboxes, the template [name], [initials], [last name] was used, which Cobalt recently used for ProtonMail accounts.

When analyzing the Group 4 infrastructure, researchers discovered a PHP script that was mistaken for JavaScript code. This type of source code can only be seen with the access to the server, the script interacts exclusively with the server side.

“It is invisible to any scanner, because everything happens on the hacked server itself. Magecart skimers were usually found on the browser side, but on the server side they are much more difficult to detect”, – said researcher Jerom Segura.

Further research showed that regardless of the email service used, in 10 separate accounts, only two different IP addresses were reused, even after several weeks and months between registrations.

READ  What is Uudf.exe - Virus, Trojan, Malware, Error, Infection?

One such mailbox is petersmelanie @protonmail, which was used to register 23 domains, including my1xbet[.]top. This domain was used in a phishing campaign to exploit the vulnerability CVE-2017-0199 in Microsoft Office. The same mail account was used to register the oracle-business[.]com domain and the Oracle attacks that were associated with the Cobalt group.

[Total: 0    Average: 0/5]

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

ZoneAlarm hacked with vBulletin vulnerability

ZoneAlarm forums hacked due to vBulletin vulnerability

The forums at ZoneAlarm, which is owned by Check Point and whose products are used …

RAT Trojan in WebEx Invitations

Criminals give links to RAT trojan in WebEx invitations

Information security specialist Alex Lanstein discovered an original vector for the distribution of the RAT …

Leave a Reply