The same threat actors may be behind both the ATMZOW JS sniffer campaign and the Hancitor malware downloader.
The connection was made early this week by threat intelligence analyst Victor Okorokov from Group-IB, who said ATMZOW successfully infected at least 483 websites across four continents since the beginning of 2019.
“Group-IB specialists collected information about ATMZOW’s recent activity and found ties with a phishing campaign targeting clients of a US bank based on the same JS obfuscation technique,” Okorokov wrote.
For context, when Group-IB first detected the same obfuscation technique on a phishing website, they hypothesized that the method was not unique to ATMZOW, but that other hackers could be using the same obfuscator.
“However, further analysis of the group's recent activity showed additional evidence that attacks involving the JS sniffer and the phishing campaign were conducted by the same group,” said Okorokov.
More specifically, while analyzing Prometheus TDS, Group-IB noticed several cases when phishing pages targeting clients of the same bank were used as a final redirect after downloading the malicious payload distributed by Prometheus TDS.
“In all cases, the malicious payload was Microsoft Office documents with a macro that dropped Hancitor malware,” Okorokov explained.
Group-IB has also posted a number of indicators of compromise (IOCs) connected to the attacks, including a list of phishing websites with ATMZOW-like obfuscation.
“Based on the same JS obfuscation technique and the connection between the domain names used for the JS sniffer and the phishing domains (the same email address), we can conclude with a high degree of reliability that both campaigns were conducted by the same threat group,” Okorokov added.
Prior to the latest Group-IB, a TA using ATMZOW was at the center of a cyber-attack against a website set up to accept donations for victims of the Australian bushfires in January 2020.
More recently, Hancitor malware was used as part of Cuba ransomware campaigns.