In mid-May 2018, the Expert Security Center (ESC) at Positive Technologies detected a phishing campaign directed at the financial sector. A number of signs suggest that the Cobalt group or its past participants continue to operate.
The first investigation of Cobalt was performed by Positive Technologies in 2016: in a single night, the group stole the equivalent of over $32,000 (in local currency) from six ATMs belonging to a single bank. Cobalt had focused on the CIS, Eastern Europe, and Southeast Asia, but in 2017 the group added targets in new regions, including North and South America, as well as Europe. Approximately three quarters of the group’s phishing targets have been companies in the financial sector. Based on Positive Technologies’ estimates, in the first six months of 2017 Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries.
Andrew Bershadsky, Positive Technologies CTO, said: “Cobalt relies on social engineering for the first stage of attacks, and for good reason: almost 30 percent of recipients click links in phishing messages, as our statistics show. What can companies do? Above all, regularly hold awareness training for employees. Install security updates and keep software versions current. Use capable protection systems and investigate incidents when they occur.”
Cobalt employs a number of techniques to evade user scrutiny and spam filters. The group hacks weakly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of phishing messages is to compromise bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, money mules collect cash from the hacked ATMs.
Many technical aspects of the May 2018 phishing campaign closely resemble previous attacks by the Cobalt group, including the in-message links for downloading a malicious document. The structure of the domain used to send the messages resembles that used previously against banks in Russia and Eastern Europe. The malicious document is structured much like documents generated with the Threadkit exploit kit, which had been used by Cobalt since February 2018. The May attack used the same method for delivering the dropper to download a backdoor to the target computer, as well as the same decryption method.
The backdoor even contains the same functions as before: performing reconnaissance, running programs, downloading new modules, updating itself, removing itself, searching for installed antivirus software, and encrypting traffic. Although PT ESC specialists did not detect use of the Cobalt Strike tool which gave the group its name, the techniques and tactics are strongly suggestive of the group’s previous attacks.
In 2017, Positive Technologies performed an investigation of Cobalt-related attacks at a number of companies. Measures taken during incident response resulted in detection and elimination of malicious activity on network infrastructure, and also prevented re-compromise (which the Cobalt group attempted after losing control) and theft of funds.
In March 2018, the accused ringleader of the Cobalt group was arrested in Europe.