A team of security researchers from Malwarebytes and HYAS discovered a link between the cybercriminals of Magecart Group 4 and Cobalt (also known as Carbanak, Fin7 and Anunak). According to the analysis, Group 4 not only skims on the client side but probably does the same on the server side.
Magecart is an umbrella term for more than a dozen cybercriminal groups that specialize in planting scripts that steal bank card data from payment forms on websites. They are responsible for attacks on companies such as Amerisleep, MyPillow, Ticketmaster, British Airways, OXO and Newegg.
“Group 4 is one of the most ‘advanced’ groups. Its members use sophisticated methods to mask traffic, for example by registering domain names that resemble those of analytics companies or advertisers. The group has experience with banking malware, as does the Cobalt group,” Malwarebytes experts say.
The researchers tracked the various Magecart groups, looking for elements of their infrastructure and for connections between domains and IP addresses. Based on indicators of compromise, registered domains, and the tactics, techniques and procedures used, they concluded that Cobalt might have switched to web skimming.
The domains from which the skimmers were downloaded were registered to an email address at the ProtonMail service, which RiskIQ researchers had previously linked to Magecart. After analyzing the data, the experts associated this address with other registration emails and found a common pattern: in particular, the mailboxes were created using the template [name], [initials], [last name], which Cobalt recently used for its ProtonMail accounts.
“It is invisible to any scanner, because everything happens on the hacked server itself. Magecart skimmers have usually been found on the browser side, but on the server side they are much more difficult to detect,” said researcher Jérôme Segura.
Further research showed that, regardless of the email service used, across 10 separate accounts only two different IP addresses were reused, even with several weeks or months between registrations.
One such mailbox is petersmelanie@protonmail, which was used to register 23 domains, including my1xbet[.]top. This domain was used in a phishing campaign that exploited the vulnerability CVE-2017-0199 in Microsoft Office. The same mail account was used to register the oracle-business[.]com domain, which was used in the Oracle-themed attacks attributed to the Cobalt group.
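The attribution described above rests on pivoting across registration data: domains that share a registrant email, and accounts that share a registration IP address, are linked into one cluster. The following script is an added example of that pivot, written for this article and not code from Malwarebytes, HYAS or RiskIQ. The records are constructed: the two domains and the petersmelanie mailbox are the ones named in the article, every other email and domain is hypothetical, and the IP addresses are RFC 5737 documentation addresses standing in for the address seen at registration time (the `ip` field is an assumed name for that datum).

```python
import re
from collections import defaultdict

# Constructed sample of domain-registration records (hypothetical, not from the report).
# "ip" is assumed to be the address from which the registration was made.
RECORDS = [
    {"domain": "my1xbet[.]top",           "email": "petersmelanie@protonmail.com", "ip": "192.0.2.10"},
    {"domain": "oracle-business[.]com",   "email": "petersmelanie@protonmail.com", "ip": "192.0.2.10"},
    {"domain": "example-analytics[.]net", "email": "johnrsmith@protonmail.com",    "ip": "192.0.2.10"},
    {"domain": "example-ads[.]info",      "email": "johnrsmith@tutanota.com",      "ip": "198.51.100.7"},
    {"domain": "another-site[.]org",      "email": "marykjones@protonmail.com",    "ip": "198.51.100.7"},
    {"domain": "unrelated-shop[.]com",    "email": "webmaster@example.com",        "ip": "203.0.113.9"},
]


def _find(parent, x):
    """Union-find root lookup with path halving."""
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def _union(parent, a, b):
    ra, rb = _find(parent, a), _find(parent, b)
    if ra != rb:
        parent[rb] = ra


def build_clusters(records):
    """Group domains that share a registrant email or a registration IP, transitively.

    Domains, emails and IPs are all nodes in one graph; each record links its
    domain to its email and to its IP, so two domains end up in the same cluster
    whenever a chain of shared registrants or shared addresses connects them.
    """
    parent = {}
    for r in records:
        for node in ("domain:" + r["domain"], "email:" + r["email"], "ip:" + r["ip"]):
            parent.setdefault(node, node)
    for r in records:
        d = "domain:" + r["domain"]
        _union(parent, d, "email:" + r["email"])
        _union(parent, d, "ip:" + r["ip"])
    groups = defaultdict(set)
    for r in records:
        groups[_find(parent, "domain:" + r["domain"])].add(r["domain"])
    # Largest clusters first; deterministic order for reporting.
    return sorted(groups.values(), key=lambda s: (-len(s), sorted(s)))


def pivot(records, seed_domain):
    """Return every domain in the same cluster as seed_domain (empty set if unknown)."""
    for cluster in build_clusters(records):
        if seed_domain in cluster:
            return set(cluster)
    return set()


def reused_ips(records):
    """IPs seen across more than one distinct registrant email, regardless of mail provider.

    This is the observation the article reports: many accounts, few source addresses.
    """
    by_ip = defaultdict(set)
    for r in records:
        by_ip[r["ip"]].add(r["email"])
    return {ip: emails for ip, emails in by_ip.items() if len(emails) > 1}


def mail_provider_counts(records):
    """Count registrant emails per mail provider, to show the cross-provider overlap."""
    counts = defaultdict(set)
    for r in records:
        provider = re.sub(r"^.*@", "", r["email"]).lower()
        counts[provider].add(r["email"])
    return {p: len(e) for p, e in counts.items()}


if __name__ == "__main__":
    for i, cluster in enumerate(build_clusters(RECORDS), 1):
        print(f"cluster {i}: {sorted(cluster)}")
    for ip, emails in reused_ips(RECORDS).items():
        print(f"reused ip {ip}: {sorted(emails)}")
    print("providers:", mail_provider_counts(RECORDS))
```

In the sample, `pivot(RECORDS, "my1xbet[.]top")` pulls in oracle-business[.]com through the shared mailbox and example-analytics[.]net through the shared registration address, while the two 198.51.100.7 registrations form a second cluster that is linked only by IP, not by email. In practice the same clustering, fed from WHOIS history or registrar abuse reports, gives a defender the full set of domains to block or watch once one skimmer host is identified.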