Possible link between Magecart group & Cerberus Banking Trojan C2

Bank Security
Apr 6, 2020

A Magecart JS web skimmer is hosted on the same C2 IP that is used by a Cerberus banking Trojan.

Magecart Web Skimmer:

My analysis started from a web skimmer impersonating sucuri.net, hosted on hxxps://sucurl.net/cdn/au.js

JS content

The script is still there: https://urlscan.io/result/db8a149a-75c2-414d-a89e-b991e7a3689b

VT Link: https://www.virustotal.com/gui/url/4cb3929b940c89bfe3829365f907851245bf950152436e47467266a09e6c76d9/details

VT domain details

As you can see, the IP this domain resolves to is 161.117.236[.]58

Here you can find the content of the script and the VT results:

https://www.virustotal.com/gui/file/d5406c15634a5d6dcb298abd86e8438890b83db73dc52e1d12d3efea453cc1f5/content/strings

JS VT Results

VT Results about sucurl.net domain:

https://www.virustotal.com/gui/domain/sucurl.net/details

Analyzing the content of the script, we can say that this JS is a web skimmer, with a high-confidence relation to the Magecart group.
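The skimmer host above works because sucurl.net is one character away from sucuri.net, a vendor a site owner would expect to see loading scripts. The following is an added example (not code from the original post) of a defender-side check that flags script loads from hosts within a small edit distance of a trusted domain; the proxy log lines and the trusted-domain list are constructed for the example, and the registrable-domain extraction is a deliberate simplification (no public suffix list).

```python
"""Added example: flag .js loads from lookalikes of trusted domains.
The log lines and the TRUSTED_DOMAINS list are constructed for this example."""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Assumption: the defender's own list of vendors expected to serve scripts.
TRUSTED_DOMAINS = ["sucuri.net", "cloudflare.com", "jquery.com"]

# Constructed proxy log: timestamp, method, URL, status (the first line is
# the skimmer URL from the post, refanged).
SAMPLE_PROXY_LOG = """\
2020-04-06T10:00:01Z GET https://sucurl.net/cdn/au.js 200
2020-04-06T10:00:02Z GET https://code.jquery.com/jquery-3.4.1.min.js 200
2020-04-06T10:00:03Z GET https://cdn.jsdelivr.net/npm/vue@2/dist/vue.js 200
2020-04-06T10:00:04Z GET https://sucuri.net/images/logo.png 200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Naive last-two-labels extraction; a real deployment would use the
    public suffix list (simplification, stated as an assumption)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' for an exact match, 'lookalike:<vendor>' for a near miss,
    'unknown' otherwise."""
    dom = registrable_domain(host)
    if dom in trusted:
        return "trusted"
    for t in trusted:
        if levenshtein(dom, t) <= max_distance:
            return f"lookalike:{t}"
    return "unknown"


def find_lookalike_script_loads(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, url, verdict) for every .js load from a lookalike host."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = m.group("url")
        parts = urlsplit(url)
        if not parts.path.lower().endswith(".js"):
            continue  # only script loads matter for a skimmer check
        verdict = classify_host(parts.hostname or "")
        if verdict.startswith("lookalike:"):
            findings.append((m.group("ts"), url, verdict))
    return findings


if __name__ == "__main__":
    for ts, url, verdict in find_lookalike_script_loads(SAMPLE_PROXY_LOG):
        print(f"{ts} {verdict} {url}")
```

The edit-distance threshold of 2 is a tuning choice: too high and short vendor names collide with unrelated domains, so in practice the check is paired with an allow-list of hosts already reviewed.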

CERBERUS Banking Trojan Malware:

The analysis started from the following malicious APK, hosted at:

APK Download Link: https[:]//bizbizeyeteriz20gb.com/paket20gb.apk

fake app download page

VT Link: https://www.virustotal.com/gui/url/42c94331df719c9c69153b7c277037c8defc2173bdb5dc87aa863db2221419b7/relations

Analyzing the detections and the code, we can say with high confidence that this is the well-known Cerberus banking Trojan:

Apk VT results

APK VT Link: https://www.virustotal.com/gui/file/f2712d1ccadb309f2b482fd2f7118be4707423f8374dd9dfa56dcdda60819ad4/detection

The C2 of this APK is xancc4fp.online.

VT Domain Link: https://www.virustotal.com/gui/domain/xancc4fp.online/details

VT xancc4fp.online DNS resolution

As you can see, the IP this domain resolves to is 161.117.236[.]58, the same as the web skimmer domain.

IP Analysis:

Now let's analyze the IP that we found to be shared between the two groups.

https://www.virustotal.com/gui/ip-address/161.117.236.58/relations

As you can see, under Passive DNS Replication you can find our fake sucurl.net domain and also xancc4fp.online.

Passive DNS for the C2 IP on VT

Up to this point it seems that this IP was shared by the two groups for two distinct attacks. So the question is: is there really a link between the Magecart and Cerberus groups?
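The pivot performed above (domain to IP, then IP back to every domain it has resolved) is the core of infrastructure correlation, and the interesting signal is not only that two domains share an IP but whether their resolution windows overlapped. The block below is an added example, not code from the original post: it applies that pivot to passive-DNS-style records built from the IoCs in this post. The first-seen/last-seen dates, the campaign labels and the 203.0.113.10 address (a TEST-NET placeholder, since the post gives no IP for the APK host) are constructed assumptions.

```python
"""Added example: pivot passive-DNS-style records on shared IPs and report
campaigns that co-hosted on the same address, with the overlap window.
Dates, labels and the 203.0.113.10 address are constructed for this example."""
from __future__ import annotations

from collections import defaultdict
from datetime import date


def refang(s: str) -> str:
    """Turn defanged indicators (hxxps://, [.]) back into usable form."""
    return s.replace("[.]", ".").replace("hxxp", "http")


def defang(s: str) -> str:
    """Defang for safe display in a report."""
    return s.replace(".", "[.]")


# (domain, ip, first_seen, last_seen, analyst campaign label)
# Domains and the 161.117.236.58 address are from the post; everything else is assumed.
PDNS_RECORDS = [
    ("sucurl.net", "161.117.236[.]58", "2020-03-20", "2020-04-06", "magecart-skimmer"),
    ("xancc4fp.online", "161.117.236[.]58", "2020-03-25", "2020-04-05", "cerberus-c2"),
    ("bizbizeyeteriz20gb.com", "203.0.113[.]10", "2020-04-01", "2020-04-06", "cerberus-dropper"),
]


def pivot_by_ip(records):
    """Group records by (refanged) IP: the 'Passive DNS Replication' view."""
    by_ip = defaultdict(list)
    for dom, ip, first, last, label in records:
        by_ip[refang(ip)].append(
            (dom, date.fromisoformat(first), date.fromisoformat(last), label)
        )
    return by_ip


def shared_infrastructure(records) -> dict:
    """IPs hosting domains from more than one campaign label.

    For each such IP, return the domains, the labels, and the window in which
    all of them resolved there at the same time (None if the windows never
    overlapped, which weakens the case for a single operator)."""
    result = {}
    for ip, rows in pivot_by_ip(records).items():
        labels = sorted({r[3] for r in rows})
        if len(labels) < 2:
            continue
        start = max(r[1] for r in rows)  # latest first-seen
        end = min(r[2] for r in rows)    # earliest last-seen
        overlap = (start.isoformat(), end.isoformat()) if start <= end else None
        result[ip] = {
            "domains": sorted(r[0] for r in rows),
            "campaigns": labels,
            "overlap": overlap,
        }
    return result


if __name__ == "__main__":
    for ip, info in shared_infrastructure(PDNS_RECORDS).items():
        print(defang(ip), info["campaigns"], "overlap:", info["overlap"])
```

A shared IP on its own is weak evidence, since shared hosting and bulletproof hosting both put unrelated tenants on one address; the overlap window and the number of distinct domains on the IP are what turn the pivot into something an analyst can weigh.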

Additional investigation of the malware served by the involved IP:

Here are the downloaded files from VT:

https://www.virustotal.com/gui/ip-address/161.117.236.58/relations

Malicious files hosted on C2

Let’s start with Randco.js:

VT Detections:

https://www.virustotal.com/gui/file/9586fd5c774ae0c7fce91f58cb4e11390826f683e26b3df7b2da9eb33312e875/detection

Content of the JS:

https://www.virustotal.com/gui/file/9586fd5c774ae0c7fce91f58cb4e11390826f683e26b3df7b2da9eb33312e875/content/strings

URL Scan Analysis: https://urlscan.io/result/153d5951-f857-4e6f-9319-2f17b647a3ca

url scan result

Looking at the content of the JS, it has similarities with the Magecart JS analyzed above. This is another confirmation of the IP's abuse for web skimmers.

In mid-March 2020 this IP hosted other files. In this case those files seem related to Dridex:

Here is the file list:

Dridex samples hosted on C2

Sample Links:

analyze.intezer.com (seven sample links; the individual URLs are not preserved here)

In the past, the Magecart group has been linked to the Carbanak APT via Dridex matches:

https://www.zdnet.com/article/magecart-group-linked-to-dridex-banking-trojan-carbanak/

https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/

https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/

At this point the mystery deepens even more, and the question to be answered is:

Could this C2 be used by multiple threat actors for various purposes? How do Cerberus, Magecart and Dridex connect?

Let me know in the comments and contact me on Twitter if you have any other information to share.

Thanks to https://twitter.com/500mk500 for the first hint and to https://twitter.com/W3B_B3ND3R for the suggestion to investigate.
