Researchers Find Connections Between Magecart Group 4 and Cobalt Group

• Magecart Group 4 is likely conducting server-side skimming in addition to client-side activity.
• After analyzing Cobalt Group’s previous campaign domains, the researchers were able to link Cobalt Group campaigns to the Magecart domains.

Researchers from Malwarebytes and HYAS Threat Intelligence teams have found connections between Magecart Group 4 and Cobalt Group.

Key findings

Researchers also determined that Magecart Group 4 is likely conducting server-side skimming in addition to client-side activity.

• While examining Magecart Group 4’s infrastructure, researchers identified a PHP script that was served as JavaScript.
• This script scans for certain keywords associated with a financial transaction and then sends the request and cookie data to the exfiltration server at secureqbrowser[.]com.
• Both the client-side and server-side skimmer domains were found to be registered to robertbalbarran@protonmail[.]com. Typically, email addresses used to register Magecart Group 4 domains contain a [first name], [initial], and [last name].
• After analyzing Cobalt Group’s previous campaign domains, the researchers were able to link Cobalt Group campaigns to the Magecart domains.

“Given the use of privacy services for all the domains in question, it is highly unlikely that this naming convention would be known to any other actor besides those who registered both the Cobalt Group and Magecart infrastructure. In addition, further investigation revealed that regardless of the email provider used, 10 of the seemingly separate accounts reused only two different IP addresses, even over weeks and months between registrations,” researchers noted.