Magecart Group Linked to Dridex and Carbanak Malware

Written by

Security researchers have discovered close links between a digital skimming group, Dridex phishing campaigns and the notorious Carbanak malware.

Malwarebytes researchers Jérôme Segura, William Tsing, and Adam Thomas examined WHOIS data prior to GDPR taking effect to uncover those behind Magecart Group 5, they revealed in a new blog post.

Unlike many others using the notorious skimming code, the group usually attacks supply chain organizations with the hope of infecting many more websites and their customers.

Although it usually registers domains to support its activity using privacy protection services, the group appears to have made a mistake when it registered with Chinese bulletproof hoster BIZCN/CNOBIN.

The researchers’ digging revealed the name “Guo Tang,” a Beijing-based address and phone number, and a email address.

The latter has been used to register multiple domains used in phishing campaigns designed to deliver notorious banking trojan Dridex, including an efax attack on German users, and others spoofing the OnePosting and Xero brands, Malwarebytes revealed.

They also cited research by the Swiss CERT which claimed Dridex has in the past been used to deliver the Carbanak info-stealing malware.

The phone number from Magecart Group 5’s registrant information has also been linked to Carbanak group, a cybercrime operation thought to have stole hundreds of millions of dollars from global banks.

“Victimology helps us to get a better idea of the threat actor behind attacks. For instance, we see many compromises that affect a small subset of merchants that are probably tied to less sophisticated criminals, often using a simple skimmer or a kit,” concluded Malwarebytes.

“In contrast, we believe that the bigger breaches that reel in a much larger prize are conducted by advanced threat groups with previous experience in the field and with well-established ties within the criminal underground.”

What’s hot on Infosecurity Magazine?