UltraRank:
The unexpected twist of a JS-sniffer triple threat
New stage in JS-sniffers research. From analyzing malware families to identifying threat actors

In this report
For five years, the cybercriminal group UltraRank has conducted campaigns using JS-sniffers, improved their infrastructure, created monetization instruments, and modified malicious code.
The group’s arsenal includes both standalone attacks and attacks on third-party suppliers. UltraRank has also hijacked tools created by its competitors and confronted hackers who imitated a cardshop associated with the group.
Given that investigators have attributed many of UltraRank’s attacks to other threat actors, the group has managed to stay unnoticed for the most part.
At the moment the group remains active, with their latest infections being detected in June 2020.
13 third-party suppliers for websites were attacked by UltraRank. Total number of infected sites may reach 100K
is the daily estimated income of a cardshop connected with the group’s infrastructure
led by UltraRank were previously attributed to other groups by researchers
During its activity, UltraRank has built an autonomous business model with a unique technical and organizational structure, as well as its own sales and monetization system for stolen bank card data.
The group is not an ordinary player in this criminal market, as its methods of dealing with competitors also show: Group-IB experts recorded UltraRank’s attacks on competing groups, as well as on phishing pages imitating a cardshop associated with the cybercriminals.
Download to learn:
Evolution of UltraRank’s TTPs, differences between campaigns, major changes to JS sniffers
UltraRank’s standalone and supply chain attacks, and its confrontations with competitors
Understanding the threat and following a set of rules can secure your business from similar attacks
Download report: "UltraRank: The unexpected twist of a JS-sniffer triple threat"

How Group-IB can protect your website from JS-Sniffers
The use of certain products and services could help minimize risks and implement adequate and timely measures if an infection occurs:
Group-IB research on targeted attack groups

Hi-Tech Crime Trends 2020/2021

RedCurl: The pentest you didn’t know about

Online Piracy Research: Jolly Roger’s patrons
of online pirates in developing countries.

Fxmsp: “The invisible god of networks”

Hi-Tech Crime Trends 2019/20

Attacks by Silence

Hi-Tech Crime Trends 2018

Crime without punishment: in-depth analysis of JS-sniffers

2018 Cryptocurrency Exchanges

Cobalt: their evolution and joint operations

Hi-Tech Crime Trends 2017

Lazarus Arisen: Architecture, Techniques and Attribution

Hi-Tech Crime Trends 2016

MoneyTaker

Buhtrap

Analysis of attacks against trading and bank card system

Anunak: APT against financial institutions

