Blog

Labs

Labs Analyst

What a Custom OceanLotus SSL Certificate Can Tell Us About Their Windows C2 Operations

Ocean Lotus, or APT32, is a now-notorious threat group active since 2014, best known for its relentless malware attacks and spy campaigns against Southeast Asian governments, dissidents, and journalists worldwide.

While investigating previously reported OceanLotus activity, RiskIQ analysts came across a unique SSL certificate associated with the espionage group's infrastructure. Unique to them, the SSL correlated with more than 70 IP addresses since 2017, a connection that earlier this month helped reporters from German Publications BR24 and Zeit Online track Ocean Lotus activity across Europe.

Further analysis of this custom certificate and its associated IP addresses led us to conclude that it is part of the infrastructure OceanLotus uses to deploy Windows-based malware. Based on RiskIQ's first observation of the SSL certificate in our Internet Intelligence Graph, which links together infrastructure across the entire web, the group has been using this certificate since at least February 27, 2020, and continues to use it today.

Continue Reading
External Threat Management Labs

An Indicator From Twitter Brings The Donot Android Espionage Group Back Into Focus

The Donot APT group (APT-C-35) is an espionage group that focuses its attacks on Pakistan and other South Asian government agencies. One of their hallmarks has been using customized malicious Android APKs to spy on their targets of interest and steal sensitive information. Not much has been released about the group recently, but a recent investigation by RiskIQ has uncovered large swaths of its existing and past mobile C2 infrastructure. These attackers are constantly redeveloping and redeploying tools even though their activity levels may appear to taper off.

Donot has kept mostly quiet for the past year with hardly any new open-source intelligence on them published by the security community. However, on May 31 and then again on June 1, two new malware samples linked to the group surfaced on Twitter. These samples were all RiskIQ needed to leverage our Internet Intelligence Graph to build an update around this well-known APT's most recent activity and malware distribution framework. 

Continue Reading
External Threat Management Labs

Just How Much Threat Activity Can You Link Together With a Cookie?

In part one of 'Adventures in Cookie Land', our researchers linked a cookie to a trove of new threat activity. In part two, we see just how far we can take this single indicator.

Continue Reading
External Threat Management Labs

Inter: The Magecart Skimming Tool Now on More than 1,500 Sites

Digital web skimming attacks continue to increase. By now, anyone running an e-commerce shop is aware of the dangers of groups like Magecart, which infect a website every 16 minutes

However, to truly understand these skimmer groups, you have to understand the tools of the trade. The Inter Skimmer kit is one of today's most common and widely used digital skimming solutions globally. It has been involved in some of the most high-profile magecart attacks to date, most notably Group 7's breach of the Nutribullet website

RiskIQ has identified more than 1,500 sites compromised by the Inter skimmer, but the data theft tool is still misunderstood by those tasked with defending their organization against it. To demystify Inter, RiskIQ tapped our unmatched body of research into Magecart and its dozens of groups, open-source intelligence (OSINT), and our global internet telemetry. 

Continue Reading
Labs Analyst

Misconfigured Amazon S3 Buckets Continue to be a Launchpad for Malicious Code

Ocean Lotus, or APT32, is a now-notorious threat group active since 2014, best known for its relentless malware attacks and spy campaigns against Southeast Asian governments, dissidents, and journalists worldwide.

While investigating previously reported OceanLotus activity, RiskIQ analysts came across a unique SSL certificate associated with the espionage group's infrastructure. Unique to them, the SSL correlated with more than 70 IP addresses since 2017, a connection that earlier this month helped reporters from German Publications BR24 and Zeit Online track Ocean Lotus activity across Europe.

Further analysis of this custom certificate and its associated IP addresses led us to conclude that it is part of the infrastructure OceanLotus uses to deploy Windows-based malware. Based on RiskIQ's first observation of the SSL certificate in our Internet Intelligence Graph, which links together infrastructure across the entire web, the group has been using this certificate since at least February 27, 2020, and continues to use it today.

Continue Reading
Labs Magecart

MakeFrame: Magecart Group 7’s Latest Skimmer

At RiskIQ, we track many different Magecart groups. We continually observe evolutions in the techniques they employ to skim card data and obfuscate the code that they use for that purpose. These skimmers are becoming increasingly capable, fulfilling a variety of functions to optimize the work of the operators that deploy them. 

On January 24th, we first became aware of a new Magecart skimmer, which we dubbed MakeFrame after its ability to make iframes for skimming payment data. We initially flagged it with our machine learning model for detecting obfuscated code. 

Since then, we have captured several different versions of the skimmer, each sporting various levels of obfuscation, from dev versions in clear code to finalized versions using encrypted obfuscation. So far, RiskIQ has observed MakeFrame on 19 different victim sites. 

In some cases, we've seen MakeFrame using compromised sites for all three of its functions—hosting the skimming code itself, loading the skimmer on other compromised websites, and exfiltrating the stolen data. There are several elements of the MakeFrame skimmer that are familiar to us, but it's this technique in particular that reminds us of Magecart Group 7.

The following is our analysis of this unique skimmer and the process we followed to attribute this skimmer to Magecart Group 7.

Continue Reading
Labs Magecart

Magecart Group 8 Blends into NutriBullet.com Adding To Their Growing List of Victims

On Thursday, February 20th, around 3 pm GMT, criminals RiskIQ identifies as Magecart Group 8 placed a JavaScript skimmer on the international website for blender manufacturer NutriBullet, nutribullet.com. Our systems caught the cyber attack as it happened and continue to detect new developments.

After multiple attempts to contact NutriBullet and receiving no response*, RiskIQ decided to initiate the takedown of the attacker exfiltration domain with the help of AbuseCH and ShadowServer. Group 8 operators were using this domain to receive stolen credit card information, and its takedown prevented there being new victims.

On March 1st, we observed the skimmer had been removed, but on March 5th, around 7 pm GMT, the cyber attackers placed a new skimmer on the NutriBullet website. We again scrambled to get the infrastructure neutralized. Unfortunately, the criminals still have access to NutriBullet's infrastructure and can continue to replace the skimmer domain in the code to make it work again. Again on March 10th, the cyber attackers were back with another skimmer in yet another script on the NutriBullet website. Until NutriBullet acknowledges our outreach and performs a cleanup, we highly advise against making any purchases on the site as customer data is endangered.

As with all breaches, RiskIQ’s technology and researchers will continue to keep a close eye on the breach and work to take down any additional domains stood up by the criminals. 

The First Skimmer

Continue Reading
Labs Magecart

Magecart Group 12’s Latest: Actors Behind Cyberattacks on Olympics Ticket Re-sellers Deftly Swapped Domains to Continue Campaign

A recent blog post by Jacob Pimental and Max Kersten highlighted Magecart activity targeting ticket re-selling websites for the 2020 Olympics and EUFA Euro 2020, olympictickets2020.com and eurotickets2020.com respectively. These sites were compromised by a skimmer using the domain opendoorcdn.com for data exfiltration. With RiskIQ data, our researchers built on the previous reporting to identify more skimming domains used by the attackers, as well as additional compromised sites. RiskIQ can also now attribute all these cyberattacks to Magecart Group 12. 

The obfuscation and skimming code we observed on opendoorcdn.com matches that used by Magecart Group 12, whose skimmer and obfuscation techniques we analyzed in our blog posts, "New Year, Same Magecart: The Continuation of Web-based Supply Chain Attacks" and "Magento Attack: All Payment Platforms are Targets for Magecart Attacks." However, there are differences in the techniques employed by Group 12 in these more recent compromises, which we'll break down here.

In those blog posts, we noted that Group 12 employed base64 encoded checks against the URL looking for the word "checkout" to identify the proper page on which to load their skimmer code. This encoding masked both the check itself and the skimmer URL. Quoting from our May 1st, 2019 report:

"Most of Group 12's injections occur with a pre-filter on the page—a small snippet of JavaScript that checks to see if they want to inject their skimmer on the page. Here's what it looks like:"

Magecart Group 12's script tag from RiskIQ's May report

Continue Reading
Labs

Full(z) House: A Digital Crime Group Using a Full Deck to Maximize Profits

RiskIQ continuously investigates incidents of digital crime as we observe them on the web. Monitoring changes to crime groups and the evolution of their tactics is essential to continue to detect them effectively and stay ahead of the bad guys. With Magecart, we followed the crime syndicate's first group and carefully analyzed its skimming code. As new Magecart groups materialized with unique code and tactics, we built on our Magecart base knowledge to get better and better at detecting Magecart and other forms of web skimming.

In this article, we will discuss our insights into a criminal group that maximizes their profit by working in two ecosystems that are typically distinct: phishing and web skimming. By leveraging a tactic with which they had tons of experience, phishing, they could double-dip into one with which they had less expertise, web skimming.

By combining tactics, this group was playing with a full deck when it came to stealing financial data—introducing Full(z) House.

Here, Malwarebytes published an article highlighting a small piece of this group's activity in card skimming.

Introduction

Continue Reading