Cobalt Hackers Linked to Magecart Team


Security researchers were able to connect one of the Magecart hacking groups with the notorious threat actor known as the Cobalt Group.

Magecart hackers entered the spotlight last year, following the high-profile breaches at Ticketmaster, British Airways and Newegg, but had been active for at least a decade, says RiskIQ.

There are many groups operating under the Magecart umbrella, and their infrastructure is spread across the Internet, explains RiskIQ in a new report that identifies dozens of known groups and over 570 command-and-control (C&C) domains.

Nevertheless, a recent study by security researchers from Malwarebytes and HYAS Threat Intelligence shows that some of these groups seem to be connected to more influential threat actors.

While Magecart Group 6 has previously been associated with the FIN6 hackers, Malwarebytes and HYAS have now uncovered connections between Group 4 and the Cobalt Gang, including similarities in the email addresses used for domain registration.

The researchers note, however, that Group 4 performs both client-side and server-side skimming, which sets it apart from most Magecart groups, which do only the former.

One of Group 4's client-side skimmers was concealed within the jquery.mask.js plugin, appended at the end of the file. The skimmer also carried a few layers of obfuscation.

A server-side skimmer was a PHP script masquerading as JavaScript. It was designed to look for certain keywords related to financial transactions and send the application and cookie data to the attacker's database.

In both cases, the domains were registered to robertbalbarran(at), an address RiskIQ had reported previously.

By examining the exfiltration gates, however, Malwarebytes and HYAS were able to tie them to other registrant addresses and recognise a pattern.

This is the same strategy the Cobalt Group has used, and in both cases the same email service, registrars and privacy services were used. Furthermore, 10 of the accounts shared two IP addresses, months apart, regardless of the email provider.

One email address, petersmelanie(at), was used to register 23 domains, including a website for a CVE-2017-0199 phishing campaign and a platform for Oracle clients.

“Based on their historical links to space and on the entry of advanced stakeholder groups like FIN6 and others, it is logical to conclude that the Cobalt Group would also be active in this area and would seek to diversify its criminal activities toward global financial institutions,” says Malwarebytes.

To date, RiskIQ has recorded a total of 2,086,529 Magecart observations. The fast-growing cybercrime syndicate, which consists of hundreds of subgroups, uses various methods to attack and manipulate misconfigured Amazon S3 buckets and Magento sites.

On average, a Magecart compromise takes businesses 22 days to detect and remediate, and because organisations lack visibility into their web-facing assets, most breaches last for years.

“In many cases, the victims don’t know if the JavaScript has been modified on their website, so the malicious code persists forever. Companies need to continue to focus on transparency of their network attack surfaces, as well as growing monitoring of third-party resources in their web applications,” reports RiskIQ.
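The jquery.mask.js case described earlier and the RiskIQ quote above point at the same defensive control: knowing exactly which script bytes a site serves and noticing when they change. The script below is an added example written for this page; it is not code from the article or from Malwarebytes, HYAS or RiskIQ. It keeps a SHA-256 baseline of every script path taken from a known-good deployment, re-hashes what is currently served, and flags files that are missing, new, modified or, specifically, intact with extra bytes appended after the library's original end (the pattern the article describes). It also emits a Subresource Integrity value so the browser itself refuses a tampered copy. All file contents and paths are constructed sample data, and the function names are this example's own.

```python
"""Integrity baseline for first- and third-party JavaScript assets (added example)."""
import base64
import hashlib
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sri_value(data: bytes) -> str:
    """Value for a <script integrity="..."> attribute: sha384 digest, base64-encoded."""
    return "sha384-" + base64.b64encode(hashlib.sha384(data).digest()).decode("ascii")


def script_tag(src: str, data: bytes) -> str:
    """Script tag pinned to the known-good content; a tampered copy fails the browser's check."""
    return f'<script src="{src}" integrity="{sri_value(data)}" crossorigin="anonymous"></script>'


def build_baseline(known_good: Dict[str, bytes]) -> Dict[str, Dict[str, object]]:
    """Snapshot from a known-good deployment: hash and size for each script path."""
    return {path: {"sha256": sha256_hex(data), "size": len(data)} for path, data in known_good.items()}


def compare_assets(baseline: Dict[str, Dict[str, object]], served: Dict[str, bytes]) -> List[Dict[str, object]]:
    """Compare currently served scripts against the baseline and return one finding per path."""
    findings: List[Dict[str, object]] = []
    for path, entry in baseline.items():
        data = served.get(path)
        if data is None:
            findings.append({"path": path, "status": "missing"})
            continue
        if sha256_hex(data) == entry["sha256"]:
            findings.append({"path": path, "status": "ok"})
            continue
        size = int(entry["size"])
        # Library left intact with a payload placed after its last byte: the
        # prefix of the served file still hashes to the baseline value.
        if len(data) > size and sha256_hex(data[:size]) == entry["sha256"]:
            findings.append({"path": path, "status": "appended", "extra_bytes": len(data) - size})
        else:
            findings.append({"path": path, "status": "modified"})
    for path in served:
        if path not in baseline:
            findings.append({"path": path, "status": "new"})
    return findings


# Constructed sample contents: stand-ins, not the real plugin or any real site code.
PRISTINE_MASK_JS = (
    b"/* jquery.mask.js (constructed stand-in) */\n"
    b"(function($){ $.fn.mask = function(p){ return this; }; })(jQuery);\n"
)
APP_JS = b"window.checkout = function(){ /* constructed application code */ };\n"

KNOWN_GOOD: Dict[str, bytes] = {"js/jquery.mask.js": PRISTINE_MASK_JS, "js/app.js": APP_JS}

# What the site serves today: the plugin has trailing bytes appended and an unknown script appeared.
SERVED_NOW: Dict[str, bytes] = {
    "js/jquery.mask.js": PRISTINE_MASK_JS + b"/* constructed: bytes appended after the library's end */\n",
    "js/app.js": APP_JS,
    "js/extra.js": b"/* constructed: script not present in the baseline */\n",
}


def run_check() -> List[Dict[str, object]]:
    return compare_assets(build_baseline(KNOWN_GOOD), SERVED_NOW)


if __name__ == "__main__":
    for finding in run_check():
        print(finding)
    print(script_tag("/js/jquery.mask.js", PRISTINE_MASK_JS))
```

In practice the baseline is regenerated from the deployment pipeline on every release and the comparison runs against fetched responses from the public site, including third-party hosts, so that a change made outside the pipeline is the only thing that can trip it. The SRI attribute complements the scan rather than replacing it: it protects scripts the page loads from other origins, but it cannot help when the attacker can also edit the HTML that carries the attribute.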

