Researchers uncover Magecart Group 5 and Carbanak Group link

News by Mark Mayne

Merchant supply chain compromise group linked to high-level bank espionage gang via domain registration details

Researchers have identified tell-tale connections between the previously separate Magecart Group 5 and the Carbanak threat group. 

Magecart Group 5 specialises in supply-chain attacks, targeting e-commerce merchants via various libraries, analytics or security seals. Carbanak is a sophisticated threat group operating at a much higher level, mainly targeting banks with the twin aims of espionage and data exfiltration. The two groups have considerably different modus operandi

Magecart Group 5, for example, used a doctored trust seal that was loaded by a large number of merchants - along with a concealed skimmer script that sent data such as name, address, credit card number, expiry date, CVV back to the criminals every time someone made a purchase on one of the compromised stores.

Malwarebytes R&D researchers found that some domains registered for Magecart campaigns were linked with an email address that was also used to register domains used for the following Dridex phishing campaigns:

The Dridex loader either loads Dridex itself, a long-standing banking Trojan, or Carbanak, depending on whether it decides the target system is a consumer or low-value target, or a corporate machine. 

The researchers created the following diagram to illustrate the connections between the two groups: 

 

A final connection is that the phone number given (+86.1066569215) to register one of the Magecart domains has also been mentioned by Brian Krebs in a blog post examining connections between a Russian security firm and the Carbanak group.

Pieter Arntz, lead intelligence reporter at Malwarebytes told SC Media that the underlying patterns to threats are key evidence: "Attribution of malware is hard, but whenever we do find evidence linking certain malware to certain groups it establishes a pattern. These patterns help us better understand the threat landscape and allow us to better understand the minds of cyber-criminals. 

"Looking back means we can spot recurring themes. On a basic level, for example, we see a lot of compromises affecting a small subset of merchants that are likely tied to less sophisticated criminals. On the other hand, bigger breaches are orchestrated by advanced threat groups with previous experience in the field and with well-established ties within the criminal underground. It’s our job to find these ties. 

"With this understanding, we can extrapolate existing patterns which helps in quicker detection of new threats to the point of zero-day detection."

Indicators of Compromise were issued by Malwarebytes as follows: 

Magecart Group 5 domains

informaer[.]biz

informaer[.]cc

informaer[.]com

informaer[.]net

informaer[.]org

informaer[.]pw

informaer[.]ws

informaer[.]xyz

informaer[.]info

Registrant information

guotang323@yahoo.com

+86.1066569215

Domains used in Dridex phishing campaign

corporatefaxsolutions[.]com

onenewpost[.]com

xeronet[.]org

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews