This blog post was authored by Jérôme Segura, William Tsing, and Adam Thomas.

In a previous post, we described the possible overlap between certain domains registered by Magecart Group 4 and the Cobalt gang. While attribution is always a difficult endeavor, sharing TTPs can help others to connect the dots between campaigns observed in the wild and threat groups.

This time, we looked at Magecart Group 5 by examining a number of domains and their ties with other malicious activity. The data predates changes on whois (before GDPR took effect) and allows us to identify registrant data that is connected to Dridex phishing campaigns and the Carbanak group.

Magecart Group 5 tactics

With some exceptions, such as the Ticketmaster breach, Group 5 has a different modus operandi; it targets the supply chain used by e-commerce merchants to load various libraries, analytics, or security seals. Attacks consist of compromising a third-party supplier and affecting hundreds or even thousands of websites downstream.

In a September 2018 blog, we wrote about a trust seal that was loaded (with its malicious code) by a large number of merchants. A trust seal is essentially a confidence indicator in the shape of a badge that gives shoppers reassurance that the online store is safe and malware-free.

The skimmer script belonging to Magecart Group 5 was largely obfuscated and set to exfiltrate data, such as name, address, credit card number, expiry date, and CVV back to the criminals every time someone made a purchase on one of the compromised stores.

This kind of supply-chain attack, where thousands of stores load altered code from a single compromised supplier, has a much higher return than targeting stores individually.

Bulletproof registrar and Magecart

We spent some time digging into a number of Magecart domains registered via the well-known Chinese registrar BIZCN/CNOBIN. Similar to our research on the bulletproof host in Eastern Ukraine, we looked at how this provider was essentially a bulletproof registrar. Previous activity on BIZCN includes rogue Canadian pharmacy websites in addition to exploit kit activity tagged as the “AfraidGate.”

We narrowed down the domains to a smaller subset previously identified as used by Magecart Group 5. The threat actors registered the domain informaer under eight different top-level domains (TLDs) using privacy protection services (see IOCs for full list). However, they may have forgotten to apply the same to informaer.info, which revealed the following:

Domain Name: INFORMAER.INFO
Registrar URL: http://www.bizcn.com
Updated Date: 2017-02-27T08:35:38Z
Creation Date: 2017-02-21T12:48:51Z
Registry Expiry Date: 2018-02-21T12:48:51Z
Registrar: Bizcn.com, Inc.
Registrant Name: Guo Tang
Registrant Organization: Xinxin Co.
Registrant Street: Dazhongsi 13
Registrant City: Beijing
Registrant State/Province: Haidian
Registrant Postal Code: 101402
Registrant Country: CN
Registrant Phone: +86.1066569215
Registrant Fax: +86.1066549216
Registrant Email: guotang323@yahoo.com

Connection with Dridex malware and Carbanak Group

If we pivot from this email address, we can identify other domains—in particular, several that connect to Dridex phishing campaigns.

Dridex is a robust banking Trojan that has been around for many years. To this day, it continues to be distributed via malicious spam campaigns using fake invoices.

Looking closer at the guotang323@yahoo.com email address, we can see that it was used to register domains used in the following Dridex phishing campaigns:

Carbanak is a sophisticated threat group targeting banks and using a backdoor of the same name for espionage and data exfiltration. In a 2017 blog post, the Swiss CERT posted about phishing campaigns where Dridex was used to deliver the Carbanak malware.

During our incident response in 2016, we could identify Dridex to be the initial infection vector, which had arrived in the victim’s mailbox by malicious Office Word documents, and uncovered the installation of a sophisticated malware called Carbanak, used by the attacker for lateral movement and conducting the actual fraud.

A diagram from Swiss CERT also shows how the Dridex loader does some victim triaging to either deliver Dridex proper (for consumers or low interest targets) or Carbanak for companies and high-value targets.

Another interesting data point from the informaer.info registrant details is the phone number (+86.1066569215), which is mentioned by Brian Krebs in a blog post examining connections between a Russian security firm and the Carbanak group.
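The registrant pivots described in this section (on the email address and on the phone number) as an added example, not code from the original post: it parses records in the flat "Key: Value" WHOIS format shown above, skips privacy-protected values (as with the other informaer TLDs), normalizes phone formatting, and indexes domains by registrant email and phone. Only the informaer.info values are taken from the post; the other records, their field values and the .example domains are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample records in the flat "Key: Value" WHOIS format shown above.
# informaer.info mirrors the page; every other record and value is illustrative.
SAMPLE_WHOIS = [
    "Domain Name: INFORMAER.INFO\nRegistrar: Bizcn.com, Inc.\n"
    "Registrant Name: Guo Tang\nRegistrant Phone: +86.1066569215\n"
    "Registrant Email: guotang323@yahoo.com",
    "Domain Name: INFORMAER.BIZ\nRegistrar: Bizcn.com, Inc.\n"
    "Registrant Name: REDACTED FOR PRIVACY\nRegistrant Phone: REDACTED FOR PRIVACY\n"
    "Registrant Email: REDACTED FOR PRIVACY",
    "Domain Name: corporatefaxsolutions.com\nRegistrant Name: Guo Tang\n"
    "Registrant Email: GuoTang323@yahoo.com",  # constructed: mixed-case email
    "Domain Name: registrant-sample.example\nRegistrant Name: Guo Tang\n"
    "Registrant Phone: +86.10-6656-9215\nRegistrant Email: other@sample.example",
    "Domain Name: unrelated.example\nRegistrant Name: Jane Doe\n"
    "Registrant Phone: +1.5555550100\nRegistrant Email: jane@unrelated.example",
]

# Substrings that mark a privacy-protection/proxy value, which must not be pivoted on.
PRIVACY_MARKERS = ("redacted", "privacy", "whoisguard", "proxy")

def parse_whois(text):
    """Parse flat 'Key: Value' lines (split at the first colon) into a dict."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            record[key.strip().lower()] = value.strip()
    return record

def normalize(field, value):
    """Return a comparable value, or None if the field is empty or privacy-protected."""
    v = value.lower()
    if not v or any(marker in v for marker in PRIVACY_MARKERS):
        return None
    if field == "registrant phone":
        v = re.sub(r"[^\d+.]", "", v)  # "+86.10-6656-9215" -> "+86.1066569215"
    return v

def build_index(records, fields=("registrant email", "registrant phone")):
    """Map (field, normalized value) -> set of domains sharing that registrant value."""
    index = defaultdict(set)
    for rec in records:
        domain = rec.get("domain name", "").lower()
        for field in fields:
            v = normalize(field, rec.get(field, ""))
            if domain and v:
                index[(field, v)].add(domain)
    return index

def pivot(index, field, value):
    """Sorted list of domains whose WHOIS shares the given registrant value."""
    return sorted(index.get((field, normalize(field, value)), set()))

RECORDS = [parse_whois(t) for t in SAMPLE_WHOIS]
INDEX = build_index(RECORDS)
```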

Looking beyond

As Magecart activity increases and new groups emerge, it can sometimes be helpful to go back in time to examine breadcrumbs that may have been left behind.

Victimology also helps us to get a better idea of the threat actor behind attacks. For instance, we see many compromises that affect a small subset of merchants that are probably tied to less sophisticated criminals, often using a simple skimmer or a kit.

In contrast, we believe that the bigger breaches that reel in a much larger prize are conducted by advanced threat groups with previous experience in the field and with well-established ties within the criminal underground.

Indicators of Compromise

Magecart Group 5 domains

informaer[.]biz
informaer[.]cc
informaer[.]com
informaer[.]net
informaer[.]org
informaer[.]pw
informaer[.]ws
informaer[.]xyz
informaer[.]info

Registrant information

guotang323@yahoo.com
+86.1066569215

Domains used in Dridex phishing campaign

corporatefaxsolutions[.]com
onenewpost[.]com
xeronet[.]org