UltraRank: The Unexpected Twist of a JS-Sniffer Triple Threat

New stage in JS-sniffers research. From analyzing malware families to identifying threat actors

In this report

For five years, the cybercriminal group UltraRank has conducted campaigns using JS-sniffers, improved their infrastructure, created monetization instruments, and modified malicious code.

The group’s arsenal includes both standalone attacks and attacks on third-party suppliers. UltraRank has also hijacked tools created by its competitors and confronted hackers who imitated a cardshop associated with the group.

Given that investigators have attributed many of UltraRank’s attacks to other threat actors, the group has managed to stay unnoticed for the most part.

At the moment the group remains active, with their latest infections being detected in June 2020.

691 online stores and 13 third-party suppliers

for websites were attacked by UltraRank. Total number of infected sites may reach 100K

$5,000-7,000

is the daily estimated income of a cardshop connected with the group’s infrastructure

At least 3 campaigns

led by UltraRank were previously attributed to other groups by researchers
During its activity, UltraRank has built an autonomous business model with a unique technical and organizational structure, as well as its own sales and monetization system for stolen bank card data. The group is not an ordinary player in this criminal market, which is also proven by their methods of competitive struggle: Group-IB experts recorded UltraRank’s attacks on competing groups, as well as on phishing pages imitating a cardshop associated with the cybercriminals.
Excerpt from the report

Download to learn:

Threat evolution

Evolution of UltraRank’s TTPs, differences between campaigns, major changes to JS sniffers

Group’s actions

UltraRank’s standalone and supply chain attacks, and its confrontations with competitors

Recommendations

Understanding the threat and following a set of rules can secure your business from similar attacks

How Group-IB can protect your website from JS-Sniffers

The use of certain products and services could help minimize risks and implement adequate and timely measures if an infection occurs: