Note: This blog post is a collaboration between the Malwarebytes and HYAS Threat Intelligence teams.
Classifying Magecart threat actors is not an easy task due to the diversity of skimmers and their reuse. The effort of attributing Magecart to ‘groups’ started with RiskIQ and Flashpoint’s comprehensive Inside Magecart report released in the fall of 2018, followed by Group-IB several months later.
Much more recently, information about actual threat actors behind groups has come forward, for example IBM publicly identified Group 6 as being FIN6. This is interesting on many levels because it reinforces the idea that existing threat groups have been leveraging their past experiences to apply it to theft in the e-commerce field.
One group that has caught our interest is Group 4, which is one of the more advanced ones. While working jointly with the threat intelligence team at Malwarebytes, we found some interesting patterns in the email addresses used to register domains belonging to Magecart matching those of a sophisticated threat group known as “Cobalt Group” (aka Cobalt Gang, Cobalt Spider).
Magecart Group 4
In the Inside Magecart report, Group 4 is described as advanced and uses techniques to blend in with normal traffic. For instance, it will register domain names that appear to be tied to advertisers or analytic providers (see IOCs for Cobalt Group domains identified using this TTP and naming convention). Another interesting aspect from the report is Group 4 is suspected to have have a past history in banking malware.
One of Group 4’s original skimmers was concealed as the jquery.mask.js plugin. The malicious code is appended at the end of the script and uses some layers of obfuscation. The hex encoded data converts to Base64, which can be translated into standard text to reveal skimmer activity and an exfiltration gate.
This little code snippet looks for certain keywords associated with a financial transaction and then sends the request data and cookie data to the exfiltration server at secureqbrowser.com. An almost exact copy of this script was described by Denis Sinegubko of Sucuri in his post Autoloaded Server-Side Swiper.
Connections between email registrants (and exfiltration gates)
Both the client-side and server-side skimmer domains illustrated above (bootstraproxy.com and s3-us-west.com) are registered to email@example.com. They are listed by RiskIQ under Magecart Group 4: Never gone, simply advancing IOCS.
By checking their exfiltration gates (secure.upgradenstore.com and secureqbrowser.com) we can connect them to other registrant emails and see a pattern emerge.
Email addresses used to register Magecart domains belonging to Magecart Group 4 contain a [first name], [initial] and [last name]. Expanding our search to other domains used by Group 4 and searching through HYAS’ Comox data set, we can see this trend continues:
About Cobalt Group
Cobalt Group (aka Cobalt Gang, Cobalt Spider) came to the forefront of public attention in the summer of 2016 with their “jackpotting” attacks against financial institutions in Europe, which reportedly netted the group over $3 million dollars. Since that time, they have purportedly amassed over a billion dollars from institutions globally in the ensuing years, evolving their tactics, techniques and procedures as they go.
Cobalt Domain Registration and other TTPs
While changing tactics as they have evolved, an identifiable pattern in email naming conventions that Cobalt has used historically allowed HYAS to identify not only identify previous campaign domains, but helped link Cobalt Group campaigns to the Magecart domains identified above.
A small shift from one of their previous conventions of [firstname],[lastname],[fournumbers] (overwhelmingly using protonmail accounts, with a handful of tutanota/keemail.me email accounts) changed to the above noted convention of [firstname],[initial],[lastname] again using the same email services and using the very same registrars, and notably the same use of privacy protection services.
Given the use of privacy services for all the domains in question, it is highly unlikely that this naming convention would be known to any other actor than the actors who registered both the Cobalt Group and Magecart infrastructure. In addition, further investigation revealed that regardless of the email provider used, ten of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations.
One of those emails is firstname.lastname@example.org which was used to register 23 domains, including my1xbet[.]top. This domain was used in a phishing campaign leveraging CVE-2017-0199 with a decoy document called Fraud Transaction.doc.
While we could not identify the original email this came from, the same email@example.com also registered oracle-business[.]com. Similar campaigns against Oracle and various banks have been attributed to Cobalt Group, with for example, the domain oracle-system[.]com.
Based on their historical ties to the space, and the entrance of sophisticated actor groups such as FIN6 and others, it would be logical that Cobalt Group would also enter this field and continue to diversify their criminal efforts against global financial institutions.
The use of both client-side and server-side skimmers and the challenges this poses in identifying Magecart compromises by advanced threat groups necessitates the ongoing work of industry partners to help defend against this significant and growing threat. On that note, the authors of this post would like to recognize the substantial contribution that industry researchers and law enforcement officials are making to help combat groups like Cobalt, and hope that the information contained within adds to this corpus of knowledge, and further strengthens these efforts.
Indicators of Compromise (IOCs)
Registrant emails associated with Magecart Group 4 domains
Registrant emails associated with Cobalt domains
Cobalt domains registered with Magecart email naming convention
Previous FIN7 domains identified through naming conventions