The prolific Cobalt Group was found using a new multi-stage malware downloader in its most recent campaign, which began in early May. The Cobalt Group has been sending phishing emails purporting to be from Russian banks, containing malicious links that redirect victims to Cobint.
The malware downloader is written in C. Cobint can be broken up into three stages: an initial downloader, the main payload, and the downloader that drops additional modules. The first stage acts as a basic downloader, the primary purpose of which is to download the main Cobint component.
Cobint’s main component downloads and executes various modules from its C2 server. Researchers at Proofpoint, who tracked the Cobalt Group’s recent campaign, said that they observed two Cobint modules sent by the C2: one that takes screenshots and sends them to the C2, and another that sends a list of running process names to the C2.
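The staged behaviour described above (a small downloader that fetches a main component, which in turn fetches modules that enumerate processes and capture the screen) is exactly the kind of chain endpoint telemetry can surface. The following is an added example, not code from the article or from Proofpoint: it walks a process's ancestry in constructed sample telemetry and flags a process that performs reconnaissance when at least two processes in its chain each connected out and then wrote a file. The event field names, the process names, the 203.0.113.10 address, and the API-to-behaviour table are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the article). Each event is one
# observed action by a process; the field names are an assumption for this example.
SAMPLE_EVENTS = [
    # user follows the phishing link; the browser fetches and runs the first stage
    {"pid": 100, "ppid": 1,   "proc": "browser.exe", "action": "net_connect",    "detail": "203.0.113.10:443"},
    {"pid": 100, "ppid": 1,   "proc": "browser.exe", "action": "file_write",     "detail": r"C:\Users\u\Downloads\stage1.exe"},
    {"pid": 100, "ppid": 1,   "proc": "browser.exe", "action": "process_create", "detail": "200"},
    # stage 1: minimal downloader whose only job is to fetch the main component
    {"pid": 200, "ppid": 100, "proc": "stage1.exe",  "action": "net_connect",    "detail": "203.0.113.10:443"},
    {"pid": 200, "ppid": 100, "proc": "stage1.exe",  "action": "file_write",     "detail": r"C:\Users\u\AppData\Local\Temp\main.exe"},
    {"pid": 200, "ppid": 100, "proc": "stage1.exe",  "action": "process_create", "detail": "300"},
    # main component: pulls a module, then enumerates processes and grabs the screen
    {"pid": 300, "ppid": 200, "proc": "main.exe",    "action": "net_connect",    "detail": "203.0.113.10:443"},
    {"pid": 300, "ppid": 200, "proc": "main.exe",    "action": "file_write",     "detail": r"C:\Users\u\AppData\Local\Temp\mod.dll"},
    {"pid": 300, "ppid": 200, "proc": "main.exe",    "action": "api_call",       "detail": "CreateToolhelp32Snapshot"},
    {"pid": 300, "ppid": 200, "proc": "main.exe",    "action": "api_call",       "detail": "BitBlt"},
    # benign noise: a screenshot tool with no downloader ancestry
    {"pid": 600, "ppid": 1,   "proc": "snip.exe",    "action": "api_call",       "detail": "BitBlt"},
    # benign noise: the browser downloads a PDF and opens it; the reader is quiet
    {"pid": 100, "ppid": 1,   "proc": "browser.exe", "action": "file_write",     "detail": r"C:\Users\u\Downloads\report.pdf"},
    {"pid": 100, "ppid": 1,   "proc": "browser.exe", "action": "process_create", "detail": "500"},
    {"pid": 500, "ppid": 100, "proc": "reader.exe",  "action": "file_read",      "detail": r"C:\Users\u\Downloads\report.pdf"},
]

# Assumed mapping from API calls to the behaviours the article attributes to the modules.
RECON_APIS = {
    "CreateToolhelp32Snapshot": "process enumeration",
    "BitBlt": "screen capture",
}


def index_events(events):
    """Group events by pid and record each pid's parent and image name."""
    by_pid, parent, name = defaultdict(list), {}, {}
    for e in events:
        by_pid[e["pid"]].append(e)
        parent[e["pid"]] = e["ppid"]
        name[e["pid"]] = e["proc"]
    return by_pid, parent, name


def fetched_payload(events):
    """True if the process made an outbound connection and later wrote a file."""
    connected = False
    for e in events:
        if e["action"] == "net_connect":
            connected = True
        elif e["action"] == "file_write" and connected:
            return True
    return False


def recon_behaviours(events):
    """Sorted names of the reconnaissance behaviours seen, per RECON_APIS."""
    return sorted({RECON_APIS[e["detail"]] for e in events
                   if e["action"] == "api_call" and e["detail"] in RECON_APIS})


def find_staged_chains(events, min_stages=2):
    """Flag a reconnaissance-performing process when at least min_stages processes in
    its ancestry (itself included) each fetched a payload: a download-then-execute chain."""
    by_pid, parent, name = index_events(events)
    alerts = []
    for pid, evs in by_pid.items():
        recon = recon_behaviours(evs)
        if not recon:
            continue
        chain, stages, cur = [], 0, pid
        while cur in by_pid:  # walk up until the parent is a pid we have no events for
            chain.append(name[cur])
            if fetched_payload(by_pid[cur]):
                stages += 1
            cur = parent[cur]
        if stages >= min_stages:
            alerts.append({"pid": pid, "chain": chain[::-1], "stages": stages, "recon": recon})
    return alerts


if __name__ == "__main__":
    for alert in find_staged_chains(SAMPLE_EVENTS):
        print(" -> ".join(alert["chain"]), "| stages:", alert["stages"], "| recon:", ", ".join(alert["recon"]))
```

On the sample data only `main.exe` is flagged: its chain is browser, stage 1, main component, three fetch-then-write hops ending in process enumeration and screen capture, while the standalone screenshot tool and the PDF reader are left alone. Raising `min_stages` trades recall for fewer alerts from ordinary installers that download once and run.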
According to the researchers, Cobint is further evidence that sophisticated threat groups, such as the TA505 group and the Cobalt Group, increasingly rely on stealthy malware downloaders for the initial infection. Modular downloaders like Cobint let attackers determine whether a system is of interest before installing additional malware.
“As defenses improve across the board, threat actors must innovate to improve the returns on their investments in malware and infection vectors, making this approach consistent with the “follow the money” theme we have associated with a range of financially motivated campaigns over the years,” Proofpoint researchers said in a blog. “This appears to be the latest trend as threat actors look to increase their effectiveness and differentiate final payloads based on user profiles.”