23 October 2019

Magecart Group 5 linked to Dridex banking Trojan, Carbanak cybercrime gang


Researchers have found links between one of the groups operating under the Magecart umbrella, the Dridex phishing campaigns, and the activities of Carbanak, the infamous cybercriminal group that targets banks with the eponymous backdoor for espionage and data exfiltration. The group in question is Magecart Group 5, considered one of the most active and sophisticated of the Magecart gangs.

Magecart is the umbrella term for several distinct credit-card-skimming cybercriminal groups that inject malicious JavaScript to steal the data shoppers enter into online payment forms, typically on checkout pages. Unlike other groups, Magecart 5 specifically targets the supply chain that e-commerce sites use to load third-party libraries, analytics scripts, or security seals.

Malwarebytes researchers examined a number of domains associated with Magecart 5 and, for those registered before GDPR took effect, identified a registrant connected to Dridex phishing campaigns and the Carbanak group. The analyzed domains were registered through the well-known Chinese registrar BIZCN/CNOBIN. The researchers found that the threat actors had registered the domain informaer under eight different top-level domains using privacy protection services, but forgot to apply the same protection to informaer.info. This oversight allowed the researchers to view the site's registration data, which included a name, address, contact information and more, all pointing to operators in Beijing. Using the email address obtained this way, the researchers identified several domains linked to Dridex phishing campaigns.

Dridex is a robust banking Trojan that has been around for many years and continues to be distributed via malicious spam campaigns that use fake invoices as lures.

The guotang323@yahoo.com email address was used to register domains known to have been used in previous Dridex campaigns, including a corporate eFax campaign targeting Germans and two phishing campaigns spoofing the OnePosting and Xero accounting services.

“During our incident response in 2016, we could identify Dridex to be the initial infection vector, which had arrived in the victim’s mailbox by malicious Office Word documents, and uncovered the installation of a sophisticated malware called Carbanak, used by the attacker for lateral movement and conducting the actual fraud,” the researchers noted.

One notable finding is that the phone number in the informaer.info registrant details had previously appeared in Brian Krebs' blog post detailing connections between a Russian security firm and the Carbanak group.

“As Magecart activity increases and new groups emerge, it can sometimes be helpful to go back in time in order to examine bread crumbs that may have been left behind,” researchers said.
