Cybercrime, Cobalt And Magecart 4 (MG4) Could Be Linked

A joint analysis by Malwarebytes and HYAS shows links between Cobalt and Magecart 4 (MG4) cybercrime groups

Cobalt Group (aka Carbanak) and Magecart-based web skimming attacks could be linked, according to cyber security experts at Malwarebytes and HYAS. Their joint report found significant similarities between the registration information for domain names used in their infrastructure by Cobalt and another actor dubbed Magecart Group 4 (MG4). In particular, both cybercrime groups used the same email account naming pattern, email services, domain registrars and privacy protection services. “Given the use of privacy services for all the domains in question, it is highly unlikely that this naming convention would be known to any other actor than the actors who registered both the Cobalt Group and Magecart infrastructure,” the researchers said in the report. “In addition, further investigation revealed that regardless of the email provider used, ten of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.”

The MG4 TTPs according to the cyber security experts

According to the cyber security experts, Magecart Group 4 is described as advanced and uses techniques to blend in with normal traffic. For instance, it registers domain names that appear to belong to advertisers or analytics providers. Another interesting aspect of the report is that Group 4 is suspected to have a history in banking malware. One of the group's original skimmers was concealed as the jquery.mask.js plugin. The malicious code is appended at the end of the script and uses several layers of obfuscation. The hex-encoded data decodes to Base64, which in turn decodes to plain text that reveals the skimmer logic and an exfiltration gate. Researchers also identified a PHP script that was perhaps mistakenly served as JavaScript. This small snippet looks for certain keywords associated with a financial transaction and then sends the request and cookie data to the exfiltration server.
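The decoding chain described above (hex to Base64 to plain text) as an added triage helper; this is not code from the Malwarebytes/HYAS report or from the skimmer itself. It scans a script for long hex string literals, peels both layers and reports any URLs or transaction keywords the decoded text contains. The sample script, the keyword list and the gate hostname are constructed for illustration.

```python
import base64
import binascii
import re

# Long runs of hex inside a JS string literal; the skimmer described in the
# report hides its Base64 payload this way. A 32-char minimum skips colours,
# short hashes and similar benign values.
HEX_LITERAL = re.compile(r"""["']([0-9a-fA-F]{32,})["']""")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")
# Keywords a skimmer might key on to spot a financial transaction (assumed list).
TRANSACTION_WORDS = ("checkout", "payment", "card", "cvv", "billing")


def peel_layers(hex_blob: str):
    """Decode hex -> Base64 -> text. Returns None if either layer is malformed."""
    try:
        b64 = binascii.unhexlify(hex_blob).decode("ascii")
        plain = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return plain


def triage_script(js_source: str) -> dict:
    """Find hidden layers in a script and summarise what they reveal."""
    findings = {"decoded": [], "urls": [], "keywords": []}
    for blob in HEX_LITERAL.findall(js_source):
        plain = peel_layers(blob)
        if plain is None:
            continue  # not the hex/Base64 pattern; leave it for manual review
        findings["decoded"].append(plain)
        findings["urls"].extend(URL_RE.findall(plain))
        findings["keywords"].extend(w for w in TRANSACTION_WORDS if w in plain.lower())
    return findings


def encode_layers(text: str) -> str:
    """Inverse of peel_layers; used only to build the constructed sample below."""
    return binascii.hexlify(base64.b64encode(text.encode())).decode()


# Constructed sample: a benign-looking plugin body with an encoded tail appended.
# The gate hostname is a placeholder, not an indicator from the report.
SAMPLE_JS = (
    "/* jquery.mask.js - benign plugin body elided */\n"
    "var _0x = '" + encode_layers("checkout billing https://gate.example.invalid/collect") + "';\n"
)

if __name__ == "__main__":
    print(triage_script(SAMPLE_JS))
```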

The Cobalt TTPs show similarities with the Magecart ones

Cobalt Group emerged in 2016 with “jackpotting” attacks against financial institutions in Europe, which reportedly netted the group over $3 million. Since that time, they have purportedly amassed over a billion dollars from global institutions, evolving their TTPs as they go. Despite these changing tactics, an identifiable pattern in the email naming conventions historically used by the cybercrime group allowed HYAS not only to identify previous campaign domains but also to link Cobalt Group campaigns to the Magecart domains. Given the use of privacy services for all the domains in question, it is highly unlikely that this naming convention would be known to any other actor besides those who registered both the Cobalt Group and Magecart infrastructure. In addition, further investigation revealed that regardless of the email provider used, 10 of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.