I have recently found a few new domains that are associated with Magecart activity. This article will provide a brief overview of each domain, and will include information about the infected companies.
This is a continuation of the joint analysis of the opendoorcdn domain with Max Kersten. Thanks to an article by RiskIQ, we now know that the Magecart sample we were analyzing was related to Magecart Group 12. RiskIQ also identified two more domains related to the group, toplevelstatic[.]com and storefrontcdn[.]com. After hunting through other OSINT sources, several more domains were also found.
In my previous article I went over a joint analysis with Max Kersten about an Olympic ticket reseller website that was infected with a Magecart-like credit card skimmer. This article is a continuation of that, since we have more findings to share. This is also a joint analysis with Max Kersten; you can find his blog here. You can read the original post on this here.
I have recently stumbled across a Magecart infection on an Olympic ticket reseller site. This article will contain a brief analysis of the Magecart infection as well as my experience disclosing this information to the company. This is a joint analysis with Max Kersten, whose blog you can find here.
The TA505 group debuted Get2 and SDBot last month in a new phishing campaign. While there have been some great analyses of the SDBot RAT that is dropped, there have not been many of the Get2 downloader. I wanted to take this opportunity to do my own analysis of it. I will not be going over the macro-enabled Word document itself, just the DLL that is dropped. There are also two versions of the DLL, x86 and x64. This analysis will focus on the x86 version. If you want to follow along, you can get the sample from Hybrid Analysis here.