{"id":16655,"date":"2019-10-22T08:10:04","date_gmt":"2019-10-22T16:10:04","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2019\/10\/22\/news-10394\/"},"modified":"2019-10-22T08:10:04","modified_gmt":"2019-10-22T16:10:04","slug":"news-10394","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2019\/10\/22\/news-10394\/","title":{"rendered":"The forgotten domain: Exploring a link between Magecart Group 5 and the Carbanak APT"},"content":{"rendered":"

Credit to Author: Threat Intelligence Team| Date: Tue, 22 Oct 2019 15:00:00 +0000<\/strong><\/p>\n

This blog post was authored by J\u00e9r\u00f4me Segura, William Tsing, and Adam Thomas.<\/em><\/p>\n

In a previous post<\/a>, we described the possible overlap between certain domains registered by Magecart Group 4 and the Cobalt gang. While attribution is always a difficult endeavor, sharing TTPs can help others to connect the dots between campaigns observed in the wild and threat groups.<\/p>\n

This time, we looked at Magecart Group 5 by examining a number of domains and their ties with other malicious activity. The data predates changes on whois (before GDPR<\/a> took effect) and allows us to identify registrant data that is connected to Dridex phishing campaigns and the Carbanak group.<\/p>\n

Magecart Group 5 tactics<\/h3>\n

With some exceptions, such as the Ticketmaster breach<\/a>, Group 5 has a different modus operandi; it targets the supply chain used by e-commerce merchants to load various libraries, analytics, or security seals. Attacks consist of compromising a third-party supplier and affecting hundreds or even thousands of websites downstream.<\/p>\n

In a September 2018 blog<\/a>, we wrote about a trust seal that was loaded (with its malicious code) by a large number of merchants. A trust seal is essentially a confidence indicator in the shape of a badge that gives shoppers reassurance that the online store is safe and malware-free.<\/p>\n

The skimmer script belonging to Magecart Group 5 was largely obfuscated and set to exfiltrate data, such as name, address, credit card number, expiry date, and CVV back to the criminals every time someone made a purchase on one of the compromised stores.<\/p>\n

\"\"<\/figure>\n

This kind of supply-chain attack, where thousands of stores are loading altered code, have a much higher return than individually targeting stores.<\/p>\n

Bulletproof registrar and Magecart<\/h3>\n

We spent some time digging into a number of Magecart domains registered via the well-known Chinese registrar BIZCN\/CNOBIN. Similar to our research on the bulletproof host in Eastern Ukraine<\/a>, we looked at how this provider was essentially a bulletproof registrar. Previous activity on BIZCN includes rogue Canadian pharmacy websites<\/a> in addition to exploit kit activity<\/a> tagged as the “AfraidGate<\/a>.”<\/p>\n

We narrowed down the domains to a smaller subset previously identified<\/a> as used by Magecart Group 5. The threat actors registered the domain informaer<\/em> under eight different top-level domains (TLDs<\/a>) using privacy protection services (see IOCs for full list). However, they may have forgotten to apply the same to informaer.info, which revealed the following:<\/p>\n

Domain Name: INFORMAER.INFO
Registrar URL: http:\/\/www.bizcn.com
Updated Date: 2017-02-27T08:35:38Z
Creation Date: 2017-02-21T12:48:51Z
Registry Expiry Date: 2018-02-21T12:48:51Z
Registrar: Bizcn.com, Inc.
Registrant Name: Guo Tang
Registrant Organization: Xinxin Co.
Registrant Street: Dazhongsi 13
Registrant City: Beijing
Registrant State\/Province: Haidian
Registrant Postal Code: 101402
Registrant Country: CN
Registrant Phone: +86.1066569215
Registrant Fax: +86.1066549216
Registrant Email: guotang323@yahoo.com<\/pre>\n
Connection with Dridex malware and Carbanak Group<\/h3>\n
If we pivot from this email address, we can identify other domains\u2014in particular, several that connect to Dridex phishing campaigns.<\/p>\n
\"\"<\/a><\/figure>\n
Dridex<\/a> is a robust banking Trojan that has been around for many years. To this day, it continues to be distributed via malicious spam campaigns using fake invoices.<\/p>\n
Looking closer at the guotang323@yahoo.com email address, we can see that it was used to register domains used into the following Dridex phishing campaigns:<\/p>\n