Experts found a link between a Magecart group and Cobalt Group

Pierluigi Paganini October 08, 2019

Researchers from MalwareBytes and HYAS Threat Intelligence linked one of the hacking groups under the Magecart umbrella to the notorious Cobalt cybercrime Group.

Hacker groups under the Magecart umbrella continue to target organizations worldwide to steal payment card data with so-called software skimmers. Security firms have been monitoring the activities of a dozen groups since at least 2010.

According to a joint report published by RiskIQ and FlashPoint, some groups are more advanced than others; in particular, the gang tracked as Group 4 appears to be very sophisticated.

The list of victims of the groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, MyPillow and Amerisleep, and Feedify.

Millions of Magecart instances have been detected over time, and security experts have identified tens of distinct software skimming scripts.

Researchers at RiskIQ estimate that the group has impacted millions of users. RiskIQ reports a total of 2,086,529 instances of Magecart detections, most of them are supply-chain attacks.

The same team of experts has determined that the Magecart infrastructure is vast, with 573 known C2 domains, and 9,189 hosts observed loading C2 domains. 

A new joint report published by researchers at Malwarebytes and HYAS Threat Intelligence reveals that one of the groups under the Magecart umbrella is linked to the Cobalt Group.

The experts found a link between Magecart Group 4 and the Cobalt cybercrime gang, based on evidence such as patterns in the email addresses used to register domains involved in Magecart operations.

“One group that caught our interest is Group 4, which is one of the more advanced cybercriminal organizations. While working jointly with security firm HYAS, we found some interesting patterns in the email addresses used to register domains belonging to Magecart matching those of a sophisticated threat group known as Cobalt Group, aka Cobalt Gang or Cobalt Spider.” reads the blog post published by MalwareBytes.

The Cobalt crime gang is a Russian hacking crew that has been active since at least 2016 and has targeted banks worldwide. The group compromises target systems with spear-phishing emails that spoof messages from financial institutions or from a financial supplier/partner.

Experts pointed out that Group 4, unlike other Magecart groups, leverages both client-side and server-side skimmers.

One of the client-side skimmers analyzed by the researchers masqueraded as the jquery.mask.js plugin: the attackers appended the malicious code to the end of the legitimate script and protected it with several layers of obfuscation.

Experts also analyzed a server-side skimmer, a PHP script that the compromised server mistakenly served as JavaScript, which is how the researchers were able to recover its source.

“This little code snippet looks for certain keywords associated with a financial transaction and then sends the request and cookie data to the exfiltration server at secureqbrowser[.]com. An almost exact copy of this script was described by Denis Sinegubko of Sucuri in his post Autoloaded Server-Side Swiper.” continues the report.

Experts noticed that in both attacks, the domains were registered to robertbalbarran(at)protonmail.com.

The analysis of the exfiltration gates allowed the researchers to link them to other registrant emails and identify a pattern for the format of email addresses ([first name][initial][last name]).

Experts noticed that the Cobalt Group has also switched to this naming convention.

“A small shift from one of their previous conventions of [firstname],[lastname], [fournumbers] (overwhelmingly using protonmail accounts, with a handful of tutanota/keemail.me email accounts) changed to the above-noted convention of [firstname], [initial], [lastname] again using the same email services and registrars, and notably the same use of privacy protection services.” continues the experts.

Further investigation allowed the experts to discover that 10 of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.
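The registrant pivot described above, as an added example that is not part of the Malwarebytes/HYAS report: it classifies the local part of each registrant address against the two naming conventions the report names, checks for the privacy-oriented mail providers it lists, and groups registrations by reused registration IP. All domains, addresses and IPs below are constructed for illustration.

```python
import re
from collections import defaultdict

# Mail providers the report says the registrants favoured.
PRIVACY_MAIL = {"protonmail.com", "tutanota.com", "keemail.me"}

# Local-part shapes from the report:
#   "old": [firstname][lastname][fournumbers]  e.g. janedoe1234
#   "new": [firstname][initial][lastname]      e.g. janeqdoe (letters only)
OLD_SHAPE = re.compile(r"^[a-z]{4,}\d{4}$")
NEW_SHAPE = re.compile(r"^[a-z]{5,}$")


def classify_email(email):
    """Return (uses_privacy_mail, shape) for one registrant address."""
    local, _, provider = email.lower().partition("@")
    if OLD_SHAPE.match(local):
        shape = "old"
    elif NEW_SHAPE.match(local):
        shape = "new"
    else:
        shape = "other"
    return provider in PRIVACY_MAIL, shape


def cluster_by_ip(records):
    """Group registrations by the IP seen at registration time and keep only
    IPs reused by two or more distinct registrant accounts (the pivot)."""
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["ip"]].append(rec)
    return {ip: recs for ip, recs in by_ip.items()
            if len({r["email"] for r in recs}) >= 2}


def suspicious_clusters(records):
    """IP clusters whose registrants all use privacy mail and one of the two
    conventions; the combination the report attributes to a single actor."""
    out = {}
    for ip, recs in cluster_by_ip(records).items():
        flags = [classify_email(r["email"]) for r in recs]
        if all(priv and shape != "other" for priv, shape in flags):
            out[ip] = sorted(r["domain"] for r in recs)
    return out


# Constructed sample data (hypothetical domains, addresses and RFC 5737 IPs).
SAMPLE = [
    {"domain": "gate-a.example", "email": "janeqdoe@protonmail.com", "ip": "203.0.113.7"},
    {"domain": "gate-b.example", "email": "markrlee@tutanota.com", "ip": "203.0.113.7"},
    {"domain": "gate-e.example", "email": "tomhall5521@protonmail.com", "ip": "203.0.113.7"},
    {"domain": "gate-c.example", "email": "annaspark@keemail.me", "ip": "198.51.100.9"},
    {"domain": "gate-d.example", "email": "annaspark@keemail.me", "ip": "198.51.100.9"},
    {"domain": "shop.example", "email": "webmaster@shop.example", "ip": "192.0.2.33"},
]
```

The second IP is deliberately not reported: one account registering two domains from the same address is not a pivot between seemingly separate accounts, which is what the report relies on.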

One email address, petersmelanie(at)protonmail.com, was used to register 23 domains, including one involved in a phishing campaign leveraging the CVE-2017-0199 flaw and other attacks against Oracle and various banks.

“Based on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it’s logical to conclude that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions,” concludes the report. “The use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart compromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against this significant and growing threat.”


Pierluigi Paganini

(SecurityAffairs – Magecart, Cobalt group)
