Possible link between Magecart group & Cerberus Banking Trojan C2

Bank Security
4 min readApr 6, 2020

Magecart JS Web Skimmer is present on the same C2 related to Cerberus Banking Trojan.

Magecart Web Skimmer:

My analysis started from a Web skimmer that is impersonating sucuri.net hosted on hxxps://sucurl.net/cdn/au.js

JS content

The script is still there: https://urlscan.io/result/db8a149a-75c2-414d-a89e-b991e7a3689b

VT Link: https://www.virustotal.com/gui/url/4cb3929b940c89bfe3829365f907851245bf950152436e47467266a09e6c76d9/details

VT domain details

As you can see the IP that resolves this domain is: 161.117.236[.]58

Here you can find the content of the Script and the VT results:


JS VT Results

VT Results about sucurl.net domain:


Analyzing the content and the script we can say that this JS is a Web Skimmer with a high confidence relation with Magecart group.

CERBERUS Banking Trojan Malware:

The analysis started from the following malicious APK hosted on:

APK Download Link: https[:]//bizbizeyeteriz20gb.com/paket20gb.apk

fake app download page

VT Link: https://www.virustotal.com/gui/url/42c94331df719c9c69153b7c277037c8defc2173bdb5dc87aa863db2221419b7/relations

Analyzing the detection and the code we can say with a high confidence that this is a famous Cerberus Banking Trojan Malware:

Apk VT results

APK VT Link: https://www.virustotal.com/gui/file/f2712d1ccadb309f2b482fd2f7118be4707423f8374dd9dfa56dcdda60819ad4/detection

The C2 of this APK is xancc4fp.online.

VT Domain Link: https://www.virustotal.com/gui/domain/xancc4fp.online/details

VT xancc4fp.online DNS resolution

As you can see the IP that resolves this domain is: 161.117.236[.]58 — the same of the Web Skimmer domain.

IP Analysis:

Now let’s analyze the IP that we found to be in common between the two groups.


As you can see under Passive DNS Replication you can find our securl.net fake domain and also xancc4fp.online

Passive DNS for the C2 IP on VT

Up to this point it seems that that IP was shared by the two groups for two distinct attacks. So the question is … is there really a link between Magecart and Cerberus groups?

Additional investigation on malware served by involved IP:

Here the downloaded files from VT:


Malicious files hosted on C2

Let’s start with Randco.js:

VT Detections:


Content of the JS:


URL Scan Analysis: https://urlscan.io/result/153d5951-f857-4e6f-9319-2f17b647a3ca

url scan result

Looking at the content of the JS it has similarities with the Magecart JS analyzed above. So another confirmation of the IP abuse for Web Skimmers.

During the middle of March 2020 this ip hosted other files. In this case those files seems related to Dridex:

Here the files list:

Dridex samples hosted on C2

Sample Links:


In the past Magecart group has been linked to Carbanak APT via Dridex matches:




at this point the mystery deepens even more and the question to be answered is:

Could this C2 be used by multiple Threat Actors for various purposes? How do Cerberus, Magecart and Dridex connect?

Let me know in the comments and contact me on Twitter if you have any other information to share.

Thanks to https://twitter.com/500mk500 for the first hint and to https://twitter.com/W3B_B3ND3R for the suggestion to investigate.

Follow me here: