Researchers claim that the attackers behind the ATMZOW campaign and the Hancitor malware downloader are the same. A report supporting the claim discloses multiple pieces of evidence.

A connection between two threats

Analysts from Group-IB claimed that ATMZOW has successfully infected around 483 websites across four continents since the start of 2019.
  • These attacks have used 7 unique domains linked with a previous phishing campaign.
  • The analysts collected details about ATMZOW’s recent activity and, on the basis of the JS obfuscation method, discovered ties to a phishing campaign aimed at clients of a U.S. bank.
  • In that phishing campaign, the malicious payload was Office documents with a macro dropping Hancitor.
  • The obfuscator used in that campaign is believed to be the same one used in the recent attacks.

Digging in

Further analysis of the ATMZOW group's activity has disclosed more evidence.
  • In several cases in both campaigns, victims (who were clients of the same bank) were redirected to the same phishing pages, which were created using the same kit but with slight modifications.
  • This redirection happened after downloading the malicious payload distributed by the Prometheus TDS, an underground service that distributes malicious files and redirects visitors to phishing and malicious sites.
  • Group-IB posted a number of IOCs connected to the attacks, such as a list of phishing websites with ATMZOW-like obfuscation techniques, indicating that both phishing campaigns are possibly part of the same campaign.

Ending notes

The use of the same JS obfuscation method and similar domain names supports the argument that the ATMZOW and Hancitor campaigns were conducted by the same group. The revelation indicates that the group members could be highly skilled and capable of using sophisticated tactics to carry out more successful attacks in the near future.
Cyware Publisher