In August 2020, Group-IB published the report "UltraRank: the unexpected twist of a JS-sniffer triple threat". The report described the operations of the cybercriminal group UltraRank, which in five years of activity had successfully attacked 691 eCommerce stores and 13 website service providers.
In November 2020, Group-IB experts discovered a new wave of UltraRank attacks. Even though the new attacks were detected at the time, part of the group's earlier infrastructure remained active and some sites were still infected. The cybercriminals did not reuse their existing domains for the new attacks but switched to a new infrastructure to store the malicious code and collect the intercepted payment data.
As part of UltraRank's new campaign, Group-IB Threat Intelligence and Attribution
This time the JS sniffer's code was obfuscated using Radix obfuscation. This obfuscation pattern had been used by only a few cybercriminal groups, one of which was UltraRank (Figure 1). After deobfuscating the code, Group-IB found that the attacks used a sniffer from the SnifLite family, already known to Group-IB experts and used by the threat actor UltraRank. Given the relatively small number of infected websites, the attackers most likely used credentials for the CMS administrative panel, which in turn could have been compromised using malware or as a result of brute-force attacks.
During their most recent series of attacks, UltraRank stored their malicious code on a website mimicking a legitimate Google Tag Manager domain. Analysis of the threat actor's infrastructure revealed that the main server was hosted by Media Land LLC, which is connected with a bullet-proof hosting company.
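As an added illustration (not part of the original post and not Group-IB's tooling), the following Python check lists every script a page loads from a host that borrows Google Tag Manager branding but is not the genuine domain, which is the kind of lookalike-hosting pattern described above. The trusted-host set, the brand tokens and the sample HTML are constructed assumptions, not indicators from the report.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allowlist: the hosts a page is expected to load tag-manager code from.
TRUSTED_HOSTS = {"www.googletagmanager.com", "googletagmanager.com"}
# Assumed brand tokens that a lookalike host would typically reuse.
BRAND_TOKENS = ("googletagmanager", "tagmanager")


class ScriptSrcParser(HTMLParser):
    """Collects the src attribute of every <script> tag on the page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def host_of(src):
    """Returns the lowercase hostname of a script URL ('' for relative paths)."""
    # Protocol-relative URLs ("//host/path") are common in injected tags.
    if src.startswith("//"):
        src = "https:" + src
    return (urlparse(src).hostname or "").lower()


def is_lookalike(host):
    """True when a host reuses tag-manager branding but is not a trusted host."""
    if not host or host in TRUSTED_HOSTS:
        return False
    stripped = host.replace("-", "").replace(".", "")
    return any(token in stripped for token in BRAND_TOKENS)


def find_suspicious_scripts(html):
    """Returns the script src values that resolve to a lookalike host."""
    parser = ScriptSrcParser()
    parser.feed(html)
    return [s for s in parser.srcs if is_lookalike(host_of(s))]


# Constructed sample page: one genuine GTM include, one lookalike, one local script.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="//googletagmanager.example-cdn.com/gtm.js"></script>
<script src="/static/app.js"></script>
</head></html>"""

if __name__ == "__main__":
    for src in find_suspicious_scripts(SAMPLE_HTML):
        print("lookalike tag-manager script:", src)
```

The allowlist comparison is the reliable part; the token match is only a heuristic to surface candidates for manual review.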
This blog post examines UltraRank's new campaign and provides recommendations to banks, payment systems, and online merchants. You'll also find indicators of compromise, the attackers' TTPs, and the relevant mitigation and defense techniques, mapped to MITRE ATT&CK and MITRE Shield, that we recommend using to protect against UltraRank.