
Researchers identified a link between Magecart Group 4 and Cobalt

A team of security researchers from Malwarebytes and HYAS discovered a link between the cybercriminals of Magecart Group 4 and the Cobalt group (also known as Carbanak, FIN7 and Anunak).

According to the analysis, Group 4 is skimming not only on the client side but probably also on the server side.

Magecart is an umbrella term for more than a dozen cybercriminal groups that specialize in injecting scripts that steal bank card data from payment forms on websites. They are responsible for attacks on companies such as Amerisleep, MyPillow, Ticketmaster, British Airways, OXO and Newegg.

“Group 4 is one of the most ‘advanced’ groups. Its members use sophisticated methods to mask traffic, for example by registering domain names associated with analytics companies or advertisers. The group has experience with banking malware, as does the Cobalt group,” Malwarebytes experts say.

The researchers tracked the various Magecart groups, looked for elements of their infrastructure, and mapped connections between domains and IP addresses. Based on indicators of compromise, registered domains, and the tactics, techniques and procedures used, they concluded that Cobalt might have switched to web skimming.


The domains from which the skimmers were downloaded were registered to an email address at the ProtonMail service, which RiskIQ researchers had previously linked to Magecart. After analyzing the data, the experts associated this address with other registration emails and found a common pattern: in particular, the mailboxes were created using the template [name], [initials], [last name], which Cobalt had recently used for its ProtonMail accounts.

When analyzing the Group 4 infrastructure, the researchers discovered a PHP script disguised as JavaScript code. Source code of this type can only be seen with access to the server, and the script interacts exclusively with the server side.

“It is invisible to any scanner, because everything happens on the hacked server itself. Magecart skimmers were usually found on the browser side, but on the server side they are much more difficult to detect,” said researcher Jérôme Segura.
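Because a server-side skimmer never reaches the browser, the only place to look for it is the server's own filesystem. The following is an added example (not code from the article or from Malwarebytes) of two checks a site owner can run on a web root: flag files with a JavaScript name that actually contain a PHP open tag, and flag any file whose hash has drifted from a known-good baseline. The directory layout, file names and baseline manifest are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# A PHP open tag inside a file served under a JavaScript name is the kind of
# server-side artefact the article describes: the browser never sees the PHP,
# so only a check on the server's filesystem can find it.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)")
JS_SUFFIXES = {".js", ".mjs"}

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit_web_root(web_root, baseline=None):
    """Return a dict with two sorted lists of paths relative to web_root:
    'php_in_js': JS-named files that contain a PHP open tag;
    'changed': files whose SHA-256 differs from, or is missing in, baseline
    (a {relative_path: hexdigest} manifest taken when the site was known good).
    """
    root = Path(web_root)
    baseline = baseline or {}
    php_in_js, changed = [], []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        if path.suffix.lower() in JS_SUFFIXES and PHP_TAG.search(data):
            php_in_js.append(rel)
        if baseline and baseline.get(rel) != hashlib.sha256(data).hexdigest():
            changed.append(rel)
    return {"php_in_js": sorted(php_in_js), "changed": sorted(changed)}

def build_demo_site():
    """Constructed sample tree (not real skimmer code): two benign files and
    one JS-named file carrying a PHP tag. Returns (root, known-good baseline)."""
    root = Path(tempfile.mkdtemp())
    (root / "js").mkdir()
    (root / "index.php").write_text("<?php echo 'shop'; ?>\n")
    (root / "js" / "checkout.js").write_text("console.log('checkout');\n")
    baseline = {p.relative_to(root).as_posix(): sha256_of(p)
                for p in root.rglob("*") if p.is_file()}
    # Planted after the baseline was taken, like a post-compromise change.
    (root / "js" / "analytics.js").write_text("<?php /* constructed */ ?>\n")
    return root, baseline

if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_site()
    print(audit_web_root(demo_root, demo_baseline))
```

Run against a real site, the baseline should come from a clean deployment artefact rather than from the live server, otherwise an already-planted file is baked into the manifest.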

Further research showed that, regardless of the email service used, only two different IP addresses were reused across 10 separate accounts, even with several weeks or months between registrations.

One such mailbox is petersmelanie @protonmail, which was used to register 23 domains, including my1xbet[.]top. This domain was used in a phishing campaign that exploited the vulnerability CVE-2017-0199 in Microsoft Office. The same mail account was used to register the oracle-business[.]com domain, which was used in the Oracle attacks associated with the Cobalt group.

Polina Lisovskaya

I have worked as a marketing manager for years now and love searching for interesting topics for you
