
Cobalt Gang APT group deploying SpicyOmelette malware to banks in new campaign

  • SpicyOmelette is a JavaScript RAT and comes packed with multiple detection-evading features.
  • SpicyOmelette is capable of stealing system information, checking for antivirus tools and installing additional malware into the system.

The sophisticated APT group known as the Cobalt Gang - aka Gold Kingswood - is back in action. The hacker group was found using a new remote access tool (RAT) called SpicyOmelette to target banks across the globe.

The malware is a JavaScript RAT and comes packed with multiple detection-evading features. SpicyOmelette is also capable of stealing system information, checking for antivirus tools and installing additional malware into the system.

Cobalt Gang - A brief history

The Cobalt Gang has been active since at least 2016 and has successfully targeted financial organizations across the globe over the past few years. Security experts estimate that, as of March 2018, the hacker group's global operations have helped it steal around $1.2 billion.

“The group uses targeted network intrusion tactics to locate, access, and abuse systems that can be monetized,” security researchers at SecureWorks, who uncovered the new campaign, wrote in a report. “GOLD KINGSWOOD's tactics, techniques, and procedures (TTPs) are similar to attributes of traditional government-sponsored or espionage-driven threat actors.”

Cobalt Gang has previously conducted attacks against banks such as the First Commercial Bank (FCB) of Taiwan. In that attack the group used custom malware specifically designed to exploit the ATM hardware, and relied on money mules to collect the cash dispensed from the ATMs.

SpicyOmelette malware

The Cobalt Gang's new malware is used in the initial intrusion stage of an attack. SpicyOmelette is usually delivered via phishing emails that contain a malicious link which appears to point to a PDF document.

When clicked, the malicious link redirects the victim to a Cobalt Gang-controlled Amazon Web Services (AWS) URL. Visiting this URL installs the SpicyOmelette malware on the victim's system.
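The delivery step described above (a link whose visible text looks like a PDF but whose real target is something else on a cloud-hosted domain) is one a mail-filtering or triage team can screen for. The following is an added example written for this page, not code from SecureWorks or from the campaign; it uses only the Python standard library, and the e-mail body it scans is a constructed sample with `.invalid` hostnames. The heuristic flags anchors whose displayed text suggests a PDF while the `href` path is not a PDF, and additionally reports when the text is itself a URL whose host differs from the real target host.

```python
"""Flag e-mail hyperlinks that present as PDF documents but do not resolve to one.

Added defensive example (not part of the original article); the sample message
below is constructed and uses reserved .invalid hostnames.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None   # href of the anchor currently being read, else None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    """Return a list of (href, text) tuples found in the HTML body."""
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.anchors


def looks_like_pdf(text):
    """True if a reader would take this link text to be a PDF document."""
    lowered = text.lower()
    return lowered.endswith(".pdf") or "pdf" in lowered


def displayed_host(text):
    """If the link text is itself a URL, return the host it shows; otherwise None."""
    shown = text.strip()
    if "://" not in shown and not shown.lower().startswith("www."):
        return None
    if "://" not in shown:
        shown = "http://" + shown
    return urlparse(shown).netloc.lower()


def suspicious_pdf_links(html):
    """Return findings for links that look like PDFs but point somewhere else."""
    findings = []
    for href, text in extract_links(html):
        if not looks_like_pdf(text):
            continue
        target = urlparse(href)
        reasons = []
        if not target.path.lower().endswith(".pdf"):
            reasons.append("target path is not a .pdf")
        shown_host = displayed_host(text)
        if shown_host and shown_host != target.netloc.lower():
            reasons.append(
                f"displayed host {shown_host} differs from target host {target.netloc}"
            )
        if reasons:
            findings.append({"text": text, "href": href, "reasons": reasons})
    return findings


# Constructed sample e-mail body: one genuine PDF link, two deceptive ones, one plain link.
SAMPLE_EMAIL = """<html><body>
<p>Please review the attached statement.</p>
<a href="https://files.example-bank.invalid/statements/2018-09.pdf">statement-2018-09.pdf</a><br>
<a href="https://s3.example-cloud.invalid/x/open">Invoice_2018.pdf</a><br>
<a href="https://s3.example-cloud.invalid/doc">https://www.example-bank.invalid/contract.pdf</a><br>
<a href="https://www.example-bank.invalid/help">Contact support</a>
</body></html>"""


if __name__ == "__main__":
    for finding in suspicious_pdf_links(SAMPLE_EMAIL):
        print(f"{finding['text']!r} -> {finding['href']}")
        for reason in finding["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, the first link passes (text and target both a `.pdf`), the second is flagged because the target path is not a PDF, and the third is flagged twice because the visible URL and the real target disagree on both path and host. In practice this check belongs alongside, not instead of, URL reputation and sandbox detonation, since a target path ending in `.pdf` proves nothing about what the server returns.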

“The access provided by SpicyOmelette and other post-compromise tools regularly used by GOLD KINGSWOOD helps the threat actors escalate privileges on a system by stealing account credentials, survey and evaluate the compromised environment, identify desirable systems (e.g., payment systems, payment gateways, ATM systems), and deploy malware specifically designed to target those systems,” SecureWorks researchers said.

In March 2018, some members of the Cobalt Gang were arrested by law enforcement authorities. However, the cybercrime group’s new campaigns indicate that the arrests have had no impact on slowing down Cobalt Gang’s operations.

“GOLD KINGSWOOD's operations and toolset continue to evolve, and financial organizations of all sizes and geographies could be exposed to threats from this group,” SecureWorks researchers added. “The threat group's detailed understanding of financial systems and history of successful campaigns make it a formidable threat.”

Cyware Publisher
