Researchers identified a link between Magecart Group 4 and Cobalt

A team of security researchers from Malwarebytes and HYAS discovered a link between the cybercriminals of Magecart Group 4 and Cobalt (also known as Carbanak, FIN7 and Anunak).

According to the analysis, Group 4 not only skims on the client side but probably does the same on the server side as well.

Magecart is a term that unites more than a dozen cybercriminal groups specializing in planting scripts that steal bank card data from payment forms on websites. They are responsible for attacks on such companies as Amerisleep, MyPillow, Ticketmaster, British Airways, OXO and Newegg.

“Group 4 is one of the most ‘advanced’ groupings. Its participants use sophisticated methods to mask traffic, for example, by registering domain names associated with analytics companies or advertisers. The group has experience with banking malware, as well as the Cobalt group,” say Malwarebytes experts.

Researchers tracked the various Magecart groups, looked for elements of their infrastructure, and mapped connections between domains and IP addresses. Based on indicators of compromise, registered domains, and the tactics, techniques and procedures used, the researchers concluded that Cobalt might have switched to web skimming.

The domains from which the skimmers were downloaded were registered to an email address at the ProtonMail service, which RiskIQ researchers had previously linked to Magecart. After analyzing the data, the experts associated this address with other registration emails and found a common pattern: in particular, the mailboxes were created using the template [name], [initials], [last name], which Cobalt recently used for its ProtonMail accounts.

When analyzing the Group 4 infrastructure, the researchers discovered a PHP script that could be mistaken for JavaScript code. Source code of this type can only be seen with access to the server; the script interacts exclusively with the server side.

“It is invisible to any scanner, because everything happens on the hacked server itself. Magecart skimmers were usually found on the browser side, but on the server side they are much more difficult to detect,” said researcher Jérôme Segura.
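Because a server-side skimmer never reaches the browser, the check has to run on the server itself. The following is an added example, not code from the Malwarebytes/HYAS report or from the article: it takes a SHA-256 baseline of a web root, reports files that were added or modified since the baseline, and separately flags files whose extension claims a static asset (such as .js) but whose bytes contain a PHP open tag. The directory layout, file names and contents in `demo()` are constructed for the demonstration.

```python
"""File-integrity baseline plus extension/content mismatch scan over a web root.
Added example (not the report's or the article's code); sample files are constructed."""
import hashlib
import re
import tempfile
from pathlib import Path

# Extensions a browser-side scanner would treat as harmless static assets.
STATIC_EXT = {".js", ".css", ".png", ".jpg", ".svg", ".json"}
# PHP open tags ("<?php" or the short echo tag "<?=").
PHP_TAG = re.compile(rb"<\?(php|=)")


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def diff_manifest(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified paths between two manifests."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def find_php_in_static(root: Path) -> list:
    """Files whose extension says 'static asset' but whose content carries a PHP open tag."""
    hits = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in STATIC_EXT:
            if PHP_TAG.search(path.read_bytes()):
                hits.append(path.relative_to(root).as_posix())
    return hits


def demo() -> dict:
    """Constructed scenario: take a baseline, then simulate a server-side change."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "js").mkdir()
        (root / "checkout.php").write_text("<?php echo 'checkout'; ?>")
        (root / "js" / "app.js").write_text("console.log('app');")
        baseline = build_manifest(root)

        # Simulated compromise (constructed placeholders, not a real payload):
        # the checkout handler is edited, and a PHP file is dropped under a .js
        # name so that it looks like an ordinary static asset.
        (root / "checkout.php").write_text("<?php echo 'checkout'; /* edited */ ?>")
        (root / "js" / "analytics.js").write_text("<?php /* placeholder server-side script */ ?>")

        current = build_manifest(root)
        return {
            "diff": diff_manifest(baseline, current),
            "php_in_static": find_php_in_static(root),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the baseline manifest is taken from a known-good deployment artifact and stored off the web server, so that an attacker with write access to the document root cannot also rewrite the reference hashes.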

Further research showed that, regardless of the email service used, across 10 separate accounts only two different IP addresses were reused, even with several weeks or months between registrations.

One such mailbox is petersmelanie@protonmail, which was used to register 23 domains, including my1xbet[.]top. This domain was used in a phishing campaign exploiting the vulnerability CVE-2017-0199 in Microsoft Office. The same mail account was used to register the oracle-business[.]com domain, which was used in the Oracle-themed attacks attributed to the Cobalt group.
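The pivoting described in the last few paragraphs (linking domains through a shared registrant address and through a registration IP reused months apart) can be reproduced over registration records. The block below is an added example, not code from the researchers or the article: it groups domains by registrant email and by registration IP, links domains transitively through either field with a union-find, and measures how long the same IP kept being reused. The records are constructed and use reserved example domains and documentation IP ranges; no real registrant data is included.

```python
"""Domain registration pivots: group by registrant e-mail, group by registration IP,
link transitively, and measure IP reuse over time. Added example with constructed data."""
from collections import defaultdict
from datetime import date

# Constructed registration records (reserved example domains, documentation IPs).
RECORDS = [
    {"domain": "shop-cdn.example",   "email": "a@example.test", "ip": "198.51.100.10", "created": "2019-05-01"},
    {"domain": "stats-js.example",   "email": "a@example.test", "ip": "198.51.100.10", "created": "2019-06-12"},
    {"domain": "pay-assets.example", "email": "b@example.test", "ip": "198.51.100.10", "created": "2019-08-03"},
    {"domain": "unrelated.example",  "email": "c@example.test", "ip": "203.0.113.7",   "created": "2019-07-20"},
    {"domain": "other-site.example", "email": "d@example.test", "ip": "203.0.113.8",   "created": "2019-07-21"},
]


def group_by(records, field):
    """Domains sharing the same value of `field`; singletons are dropped."""
    groups = defaultdict(list)
    for r in records:
        groups[r[field]].append(r["domain"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def link_domains(records):
    """Connected components of domains linked by a shared e-mail OR a shared IP."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    for field in ("email", "ip"):
        first_seen = {}
        for r in records:
            value = r[field]
            if value in first_seen:
                union(first_seen[value], r["domain"])
            else:
                first_seen[value] = r["domain"]

    components = defaultdict(list)
    for d in parent:
        components[find(d)].append(d)
    return sorted(sorted(c) for c in components.values())


def ip_reuse_span_days(records, ip):
    """Days between the earliest and latest registration made from `ip`."""
    dates = sorted(date.fromisoformat(r["created"]) for r in records if r["ip"] == ip)
    return (dates[-1] - dates[0]).days if dates else 0


if __name__ == "__main__":
    print("by email:", group_by(RECORDS, "email"))
    print("by ip:   ", group_by(RECORDS, "ip"))
    print("linked:  ", link_domains(RECORDS))
    print("reuse of 198.51.100.10 spans", ip_reuse_span_days(RECORDS, "198.51.100.10"), "days")
```

A registration IP by itself is a weak pivot (shared hosting, VPN exits and registrar proxies all reuse addresses), which is why the article's attribution leans on the combination of the address pattern, the reused IPs and the overlapping tactics rather than on any single field.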

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you.
