Cobalt gang found using new version of Threadkit exploit kit dubbed Cobint

• Despite the arrest of a leading Cobalt member in March 2018, the hacker group continues to remain active and update its malware.
• The group has deployed a new version of the Threadkit malware, a macro delivery framework, used previously in 2017 financial sector attacks.

In 2016, several Eastern European banks were targeted by hackers who compromised ATMs, using exploits sent as attachments in emails to bank employees. The group responsible for the attack was named Cobalt. Since the attacks, the Cobalt group has become infamous for numerous attacks against global financial organizations. The group also extended its operations from Eastern Europe to targeting Western Europe, North America, and South America.

According to some estimates, the group has embezzled up to $1.2 billion dollars from attacks spread across 40 countries. The international law enforcement agencies were hot on their trails and the group’s alleged leader was finally arrested by EUROPOL in March 2018. The group’s activities were expected to die down after the arrest. However, the group has remained active although, with somewhat less intensity than before.

A resilient threat actor

Since the arrest, Positive Technology has monitored the group’s activity and found the group’s role in a spear-phishing campaign targeting the financial sector in May 2018. According to a report by Fidelis, the group started targeting supply chain companies, financial exchanges, investment funds, and lenders in North America, Western Europe, and South America in 2017.

The group used several tools in 2017 including PetrWrap, more_eggs, CobInt and ThreadKit.

“In October 2018, [we] identified a new version of ThreadKit. As per Cobalt Group’s typical methods, the malware was delivered via phishing email, containing an RFT Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017...[This] new version of ThreadKit [utilizes] a macro delivery framework sold and used by numerous actors and groups,” Fidelis researchers said.

Updated Malware

Fidelis pointed out that there was “a slight evolution” in Threadkit’s obfuscation technique, making it harder to detect. CobInt, which is the payload of Threadkit, now has an added layer of obfuscation using a XOR routine for decoding the initial payload, making it harder to analyze and detect. It makes use of the XOR cipher, an encryption algorithm, which works by applying and reapplying the XOR function for encryption and decryption.

The decrypted payload is the CobInt DLL, which keeps beaconing to its command and control (C2) server until it receives commands and modules to execute, as per Fidelis’ report.

Fidelis and other researchers say the arrest of Cobalt group members have only temporarily slowed Carbanak/Cobalt threat actors. Kaspersky Lab, in a recent report, noted that the arrests have only further motivated the members and possibly split the group into smaller cells.