Cobalt/Magecart: Joint research from Malwarebytes Labs and HYAS discovered multiple different similarities between the Cobalt group and Magecart Group 4(MG4). Cobalt is known for victimizing banks via spear-phishing campaigns, creating a foothold into their networks, and sending money mules to collect cash at ATMs that they compromise around the globe. Based on similarities in the account naming pattern, duplicate email services, using the same domain registrars and the same privacy protections being used by MG4 and Cobalt, researchers were able to link the two groups and believe they may be the same. Researchers found that due to the privacy services that are in place, it is unlikely that the naming convention that is being used would be known by any other threat actors, leading researchers to believe that they had to be registered by the same threat actor. Upon searching datasets, Hyas was able to find that an email address that was used to register Magecart domains was also used to carry out a spear-phishing campaign through Word documents, which is primarily what Cobalt is known for. The email address was also used to register domain names similar to ones that Cobalt has used in the past. What separates Cobalt/MG4 from other Magecart skimmers is that standard Magecart attacks are seen being client-side, using malicious JavaScript loaded in a browser, but in the case of Cobalt/MG4, it was recognized that they are carrying out server-side skimming. This technique uses a PHP script that intercepts and exfiltrates data directly at the web application level when the data is being processed. This type of skimming is much harder to detect because it is not visible on the browser or website scanners, leaving their victims unaware that it is occurring. MG4 made the mistake of serving the PHP script like a JavaScript file, allowing the contents to be indexed and subsequently analyzed by researchers.
Analyst Notes
Cobalt Group is a financially-motivated cyber gang, previously known as Carbanak, and this shift in their attacks is consistent with financial motivation. Server-side skimming makes it harder for researchers to detect the attack, and Cobalt is known for being a more sophisticated group, which is likely why they went with the server-side rather than client-side skimming. If Cobalt Group has shifted more resources toward theft of payment card data, it may signal that their direct attacks against banks have been less financially successful recently. The group may have enough faith in their ability to hide that they did not care if they were linked in the attack, allowing them to re-use resources, making it easier on themselves. Previously FIN6 was also linked to being part of some other Magecart attacks. There is no reason at this time to believe that FIN6 and Cobalt Group are linked.
