Security researchers at Group-IB have linked the ATMZOW JS sniffer campaign to the Hancitor malware downloader, suggesting that the same threat actor may be behind both. The link was made earlier this week after analysis of 483 websites across four continents that ATMZOW has successfully infected since 2019. Group-IB specialists examined the campaign's recent activity and found ties to a phishing campaign targeting clients of a US-based bank: according to the researchers, both campaigns used the same JavaScript obfuscation technique.
Group-IB first detected the technique on a phishing website. However, the method is likely not unique to ATMZOW, and other attackers could be using the same obfuscator, so a shared obfuscator on its own is weak evidence of common authorship. Further analysis produced additional evidence that the JS sniffer attacks and the phishing campaign were the work of the same group, according to Group-IB: the team noticed several cases in which phishing pages targeting clients of the same bank were used as the final redirect after the malicious payload was downloaded. Group-IB has released a list of indicators of compromise connected to the attacks, as well as a list of phishing websites using the obfuscation.
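The caveat above is easy to see with a structural code-similarity check, which is the kind of measurement behind "same obfuscation technique" observations. The Python below is an added example and is not Group-IB's tooling or any of the ATMZOW or Hancitor code; it measures similarity only on the shape of the JavaScript (keywords and punctuation, with identifiers, strings and numbers collapsed to a class), so two scripts produced by the same obfuscator score high even when their payloads differ. The three JavaScript snippets are constructed for the example: two share a hypothetical string-array rotation template with different strings, names and numbers, and the third is ordinary page code.

```python
import re

# Constructed samples (not taken from any real campaign). A and B share the
# same hypothetical obfuscator template but carry different strings, names
# and numbers; C is unobfuscated page code.
SAMPLE_A = """
var _0x1a2b=['Zm9ybQ==','c3VibWl0','aHR0cHM6Ly8='];
(function(a,b){var c=function(d){while(--d){a['push'](a['shift']());}};c(++b);}(_0x1a2b,0x1c3));
var _0x3c4d=function(a,b){a=a-0x0;var c=_0x1a2b[a];return c;};
"""
SAMPLE_B = """
var _0x9f8e=['bG9naW4=','cGFzc3dvcmQ=','L3Bvc3QucGhw','dmFsdWU='];
(function(x,y){var z=function(w){while(--w){x['push'](x['shift']());}};z(++y);}(_0x9f8e,0x2a7));
var _0x7b6c=function(x,y){x=x-0x0;var z=_0x9f8e[x];return z;};
"""
SAMPLE_C = """
document.addEventListener('DOMContentLoaded', function(){
  var f = document.querySelector('form');
  f.addEventListener('submit', function(e){ console.log(e.target.action); });
});
"""

# Minimal JS tokenizer: strings, numbers (hex or decimal), identifiers, single
# punctuation characters. Whitespace is skipped because no group matches it.
TOKEN_RE = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")
  | (?P<num>0x[0-9a-fA-F]+|\d+)
  | (?P<id>[A-Za-z_$][A-Za-z0-9_$]*)
  | (?P<punct>[^\s\w'"])
""", re.VERBOSE)

KEYWORDS = {
    "var", "let", "const", "function", "return", "while", "for", "if", "else",
    "new", "this", "typeof", "in", "do", "break", "continue", "switch", "case",
    "default", "try", "catch", "throw", "true", "false", "null", "undefined",
}


def shape_tokens(js: str) -> list:
    """Collapse payload-specific tokens to their class so only structure remains."""
    out = []
    for m in TOKEN_RE.finditer(js):
        kind, text = m.lastgroup, m.group()
        if kind == "id":
            out.append(text if text in KEYWORDS else "ID")
        elif kind == "str":
            out.append("STR")
        elif kind == "num":
            out.append("NUM")
        else:
            out.append(text)
    return out


def shape_ngrams(js: str, n: int = 4) -> set:
    """Set of n-grams over the shape token stream (order matters, payload does not)."""
    toks = shape_tokens(js)
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def similarity(js_a: str, js_b: str, n: int = 4) -> float:
    """Jaccard similarity of shape n-gram sets; 1.0 means identical structure."""
    ga, gb = shape_ngrams(js_a, n), shape_ngrams(js_b, n)
    if not ga or not gb:
        return 0.0
    return len(ga & gb) / len(ga | gb)


if __name__ == "__main__":
    print("A vs B (same obfuscator, different payload):", round(similarity(SAMPLE_A, SAMPLE_B), 3))
    print("A vs C (unrelated code):", round(similarity(SAMPLE_A, SAMPLE_C), 3))
```

A and B score as structurally identical even though every string, identifier and constant differs, which is exactly what a shared obfuscator produces. A high score therefore says "same tool", not "same operator"; attribution needs independent evidence of the kind the article describes, such as the phishing pages for the same bank appearing as the final redirect in the malware chain.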
Read More: ATMZOW JS Sniffer Campaign Linked to Hancitor Malware