Magecart Group 5 linked to Dridex banking Trojan, Carbanak cybercrime gang

Researchers have found links between one of the groups operating under the Magecart umbrella and both the Dridex phishing campaigns and the activities of Carbanak, the infamous cybercriminal group that targets banks with its eponymous backdoor for espionage and data exfiltration. The group in question is Magecart Group 5, considered one of the most active and sophisticated Magecart gangs.

Magecart is the umbrella term for several distinct credit-card skimming cybercriminal groups that inject malicious JavaScript to steal the data shoppers enter into online payment forms, typically on checkout pages. Unlike the other groups, Magecart Group 5 specifically targets the supply chain that e-commerce platforms rely on to load third-party libraries, analytics scripts, and security seals, so a single compromised provider lets the skimmer reach every shop that embeds it.
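Because Group 5 abuses third-party scripts rather than the shop's own code, the defensive check that follows from this paragraph is an inventory of what a checkout page loads from outside the shop's origin and whether each such script is pinned with Subresource Integrity. The audit below is an added example, not code from the Malwarebytes research or this report; the checkout HTML, the shop host `shop.example` and the allowlisted vendor hosts are all constructed.

```python
"""Audit a checkout page's <script> tags for supply-chain skimming exposure.

Flags external scripts that come from an origin the shop does not knowingly
depend on, and allowlisted third-party scripts that lack an SRI integrity
attribute (so a silently swapped file would still execute).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Collects the attribute dict of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts.append(dict(attrs))


def audit_scripts(html, site_host, allowed_hosts):
    """Return a list of (src, reason) findings for externally loaded scripts."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.scripts:
        src = attrs.get("src")
        if not src:
            continue  # inline script: not a supply-chain load
        host = urlparse(src).hostname  # None for relative paths like /static/x.js
        if host is None or host == site_host:
            continue  # first-party script
        if host not in allowed_hosts:
            findings.append((src, "unexpected third-party origin"))
        elif not attrs.get("integrity"):
            findings.append((src, "third-party script without SRI integrity"))
    return findings


# Constructed sample checkout page: one first-party script, one pinned vendor
# script, one allowlisted vendor script without SRI, and one unknown origin.
SAMPLE_CHECKOUT_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.trusted-analytics.example/tag.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="https://seal.trusted-badge.example/seal.js"></script>
<script src="//cdn-lookalike.example/lib.js"></script>
</head><body><form id="payment"></form></body></html>"""

ALLOWED_VENDOR_HOSTS = {"cdn.trusted-analytics.example", "seal.trusted-badge.example"}

if __name__ == "__main__":
    for src, reason in audit_scripts(SAMPLE_CHECKOUT_HTML, "shop.example", ALLOWED_VENDOR_HOSTS):
        print(f"{reason}: {src}")
```

A vendor script that is legitimately updated will fail its SRI check until the hash is refreshed, which is the operational cost of pinning; where that is unacceptable, the origin allowlist part of the audit still catches a skimmer introduced via a new, unexpected host.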

Malwarebytes researchers examined a number of domains associated with Magecart Group 5 and, for those registered before GDPR took effect, identified a registrant connected to Dridex phishing campaigns and the Carbanak group. The analyzed domains were registered through the well-known Chinese registrar BIZCN/CNOBIN. The researchers found that the threat actors had registered the name informaer under eight different top-level domains using privacy protection services, but had forgotten to apply the same protection to informaer.info. This oversight let the researchers inspect the site's registration data, which included a name, address, contact information and more, all of it pointing to operators in Beijing. Pivoting on the email address obtained this way, the researchers identified several domains linked to Dridex phishing campaigns.

Dridex is a robust banking trojan that has been around for many years and continues to be distributed via malicious spam campaigns using fake invoices.

The guotang323@yahoo.com email address was used to register domains known to be used in previous Dridex campaigns, including a corporate eFax campaign targeting Germans and two phishing campaigns spoofing the OnePosting and Xero accounting services.

“During our incident response in 2016, we could identify Dridex to be the initial infection vector, which had arrived in the victim’s mailbox by malicious Office Word documents, and uncovered the installation of a sophisticated malware called Carbanak, used by the attacker for lateral movement and conducting the actual fraud,” the researchers noted.

One of the more interesting findings is that the phone number in the informaer.info registrant details had previously appeared in a Brian Krebs blog post detailing connections between a Russian security firm and the Carbanak group.

“As Magecart activity increases and new groups emerge, it can sometimes be helpful to go back in time in order to examine bread crumbs that may have been left behind,” researchers said.
