Researchers have identified tell-tale connections between the previously separate Magecart Group 5 and the Carbanak threat group.
Magecart Group 5 specialises in supply-chain attacks, targeting e-commerce merchants via various libraries, analytics or security seals. Carbanak is a sophisticated threat group operating at a much higher level, mainly targeting banks with the twin aims of espionage and data exfiltration. The two groups have considerably different modus operandi.
Magecart Group 5, for example, used a doctored trust seal that was loaded by a large number of merchants - along with a concealed skimmer script that sent data such as name, address, credit card number, expiry date and CVV back to the criminals every time someone made a purchase on one of the compromised stores.
Malwarebytes R&D researchers found that some domains registered for Magecart campaigns were linked with an email address that was also used to register domains used for the following Dridex phishing campaigns:
corporatefaxsolutions.com (Corporate efax campaign targeting Germans)
onenewpost.com (OnePosting phish pushing Dridex)
xeronet.org (Xero phish pushing Dridex)
The Dridex loader either loads Dridex itself, a long-standing banking Trojan, or Carbanak, depending on whether it judges the target system to be a consumer or other low-value machine, or a corporate one.
The researchers created the following diagram to illustrate the connections between the two groups:
A final connection is that the phone number given (+86.1066569215) to register one of the Magecart domains has also been mentioned by Brian Krebs in a blog post examining connections between a Russian security firm and the Carbanak group.
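The two links described above, a shared registrant email and a shared registrant phone number, are the kind of infrastructure pivot an analyst reproduces over domain-registration data. The script below is an added example, not code from the Malwarebytes report or from SC Media. Its records are constructed WHOIS-style data: the three Dridex phishing domains and the phone number come from the article, while the Magecart domain names, the registrant email and the benign shop are placeholders.

```python
"""Pivot on shared domain-registration attributes to link campaigns.

Added example, not from the Malwarebytes report. The records below are
constructed WHOIS-style data: the three Dridex phishing domains and the
phone number appear in the article; the Magecart domain names, the
registrant email and the benign shop are placeholders.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

PIVOT_FIELDS = ("email", "phone")

# Constructed registration records (placeholder values marked as such).
RECORDS: List[dict] = [
    {"domain": "magecart-seal-placeholder.example", "campaign": "Magecart Group 5",
     "email": "registrant-placeholder@example.invalid", "phone": "+86.1066569215"},
    {"domain": "magecart-skimmer-placeholder.example", "campaign": "Magecart Group 5",
     "email": "registrant-placeholder@example.invalid", "phone": None},
    {"domain": "corporatefaxsolutions.com", "campaign": "Dridex phishing",
     "email": "registrant-placeholder@example.invalid", "phone": None},
    {"domain": "onenewpost.com", "campaign": "Dridex phishing",
     "email": "registrant-placeholder@example.invalid", "phone": None},
    {"domain": "xeronet.org", "campaign": "Dridex phishing",
     "email": "registrant-placeholder@example.invalid", "phone": None},
    {"domain": "benign-shop-placeholder.example", "campaign": "unrelated",
     "email": "shop-placeholder@example.invalid", "phone": "+1.5550100"},
]


def index_by_attribute(records: Iterable[dict]) -> Dict[Tuple[str, str], Set[str]]:
    """Map (field, normalised value) -> set of domains registered with that value."""
    index: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for rec in records:
        for field in PIVOT_FIELDS:
            value = rec.get(field)
            if value:
                index[(field, value.strip().lower())].add(rec["domain"])
    return index


def link_domains(records: List[dict]) -> List[Set[str]]:
    """Cluster domains transitively connected by any shared pivot attribute (union-find)."""
    parent = {rec["domain"]: rec["domain"] for rec in records}

    def find(d: str) -> str:
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving keeps the tree shallow
            d = parent[d]
        return d

    for domains in index_by_attribute(records).values():
        first, *rest = sorted(domains)
        for other in rest:
            parent[find(other)] = find(first)

    clusters: Dict[str, Set[str]] = defaultdict(set)
    for d in parent:
        clusters[find(d)].add(d)
    return sorted(clusters.values(), key=lambda s: min(s))


def cross_campaign_pivots(records: List[dict]) -> List[Tuple[str, str, Set[str]]]:
    """Attributes shared by domains that were attributed to more than one campaign."""
    campaign_of = {rec["domain"]: rec["campaign"] for rec in records}
    hits = []
    for (field, value), domains in index_by_attribute(records).items():
        campaigns = {campaign_of[d] for d in domains}
        if len(campaigns) > 1:
            hits.append((field, value, campaigns))
    return sorted(hits, key=lambda h: h[:2])


def pivot_from(records: List[dict], seed: str) -> Dict[str, Set[str]]:
    """For one seed domain, the other domains reachable through each of its attributes."""
    seed_rec = next(r for r in records if r["domain"] == seed)
    index = index_by_attribute(records)
    out: Dict[str, Set[str]] = {}
    for field in PIVOT_FIELDS:
        value = seed_rec.get(field)
        if value:
            out[field] = index[(field, value.strip().lower())] - {seed}
    return out


if __name__ == "__main__":
    for cluster in link_domains(RECORDS):
        print("cluster:", ", ".join(sorted(cluster)))
    for field, value, campaigns in cross_campaign_pivots(RECORDS):
        print(f"{field}={value} links {sorted(campaigns)}")
    print(pivot_from(RECORDS, "magecart-seal-placeholder.example"))
```

Run as-is, the email pivot pulls the placeholder Magecart domains and the three Dridex domains into one cluster and flags that email as a cross-campaign link, while the benign shop stays on its own. The phone pivot from the seal domain returns an empty set, which is the practical caveat: within a single collected data set a phone number proves nothing, and the article's phone link only exists because the same number was already documented in an outside source (the Krebs post).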
Pieter Arntz, lead intelligence reporter at Malwarebytes, told SC Media that the underlying patterns to threats are key evidence: "Attribution of malware is hard, but whenever we do find evidence linking certain malware to certain groups it establishes a pattern. These patterns help us better understand the threat landscape and allow us to better understand the minds of cyber-criminals.
"Looking back means we can spot recurring themes. On a basic level, for example, we see a lot of compromises affecting a small subset of merchants that are likely tied to less sophisticated criminals. On the other hand, bigger breaches are orchestrated by advanced threat groups with previous experience in the field and with well-established ties within the criminal underground. It’s our job to find these ties.
"With this understanding, we can extrapolate existing patterns which helps in quicker detection of new threats to the point of zero-day detection."
Indicators of Compromise were issued by Malwarebytes as follows:
Magecart Group 5 domains
Domains used in Dridex phishing campaign