Possible link between Magecart group & Cerberus Banking Trojan C2

Magecart JS Web Skimmer is present on the same C2 related to Cerberus Banking Trojan.

Magecart Web Skimmer:

My analysis started from a Web skimmer that is impersonating sucuri.net hosted on hxxps://sucurl.net/cdn/au.js

The script is still there: https://urlscan.io/result/db8a149a-75c2-414d-a89e-b991e7a3689b

VT Link: https://www.virustotal.com/gui/url/4cb3929b940c89bfe3829365f907851245bf950152436e47467266a09e6c76d9/details

As you can see the IP that resolves this domain is: 161.117.236[.]58

Here you can find the content of the Script and the VT results:

https://www.virustotal.com/gui/file/d5406c15634a5d6dcb298abd86e8438890b83db73dc52e1d12d3efea453cc1f5/content/strings

VT Results about sucurl.net domain:

https://www.virustotal.com/gui/domain/sucurl.net/details

Analyzing the content and the script we can say that this JS is a Web Skimmer with a high confidence relation with Magecart group.

CERBERUS Banking Trojan Malware:

The analysis started from the following malicious APK hosted on:

APK Download Link: https[:]//bizbizeyeteriz20gb.com/paket20gb.apk

VT Link: https://www.virustotal.com/gui/url/42c94331df719c9c69153b7c277037c8defc2173bdb5dc87aa863db2221419b7/relations

Analyzing the detection and the code we can say with a high confidence that this is a famous Cerberus Banking Trojan Malware:

APK VT Link: https://www.virustotal.com/gui/file/f2712d1ccadb309f2b482fd2f7118be4707423f8374dd9dfa56dcdda60819ad4/detection

The C2 of this APK is xancc4fp.online.

VT Domain Link: https://www.virustotal.com/gui/domain/xancc4fp.online/details

As you can see the IP that resolves this domain is: 161.117.236[.]58 — the same of the Web Skimmer domain.

IP Analysis:

Now let’s analyze the IP that we found to be in common between the two groups.

https://www.virustotal.com/gui/ip-address/161.117.236.58/relations

As you can see under Passive DNS Replication you can find our securl.net fake domain and also xancc4fp.online

Up to this point it seems that that IP was shared by the two groups for two distinct attacks. So the question is … is there really a link between Magecart and Cerberus groups?

Additional investigation on malware served by involved IP:

Here the downloaded files from VT:

https://www.virustotal.com/gui/ip-address/161.117.236.58/relations

Let’s start with Randco.js:

VT Detections:

https://www.virustotal.com/gui/file/9586fd5c774ae0c7fce91f58cb4e11390826f683e26b3df7b2da9eb33312e875/detection

Content of the JS:

https://www.virustotal.com/gui/file/9586fd5c774ae0c7fce91f58cb4e11390826f683e26b3df7b2da9eb33312e875/content/strings

URL Scan Analysis: https://urlscan.io/result/153d5951-f857-4e6f-9319-2f17b647a3ca

Looking at the content of the JS it has similarities with the Magecart JS analyzed above. So another confirmation of the IP abuse for Web Skimmers.

During the middle of March 2020 this ip hosted other files. In this case those files seems related to Dridex:

Here the files list:

Sample Links:

1analyze.intezer.com234567

In the past Magecart group has been linked to Carbanak APT via Dridex matches:

https://www.zdnet.com/article/magecart-group-linked-to-dridex-banking-trojan-carbanak/

https://blog.malwarebytes.com/threat-analysis/2019/10/the-forgotten-domain-exploring-a-link-between-magecart-group-5-and-the-carbanak-apt/

https://blog.malwarebytes.com/threat-analysis/2019/10/magecart-group-4-a-link-with-cobalt-group/

at this point the mystery deepens even more and the question to be answered is:

Could this C2 be used by multiple Threat Actors for various purposes? How do Cerberus, Magecart and Dridex connect?

Let me know in the comments and contact me on Twitter if you have any other information to share.

Thanks to https://twitter.com/500mk500 for the first hint and to https://twitter.com/W3B_B3ND3R for the suggestion to investigate.

Follow me here: