• Multiple campaigns have been identified targeting financial institutions across the globe.
  • The cybercriminals behind the new campaigns claim not to be part of the Cobalt Group but the campaigns’ TTPs are similar to those previously used by the Cobalt Group.

Multiple new campaigns targeting global financial institutions and businesses have been detected by security researchers. The campaigns are believed to be the work of one or two threat actor groups, one of which is suspected to the infamous Cobalt Group.

Although the alleged leader of the Cobalt Group was arrested in Spain earlier this year, several security researchers have attributed new email phishing campaigns to the Cobalt Group, indicating that the cybercriminals may still be active. The campaigns were found distributing malware to victims in various financial organizations.

Security researchers at Cisco Talos, who discovered the new phishing campaigns, said that the tactics, techniques and procedures (TTPs) are similar to those of the Cobalt Gang. The researchers also believe that the group’s attacks have become more sophisticated.

“Simple campaigns typically use a single technique and often embed the final executable payload into the exploit document,” Cisco Talos researchers wrote in a blog. “However, more complex campaigns require meticulous planning on the part of the attacker and include more sophisticated techniques to hide the presence of the malicious code, evade operating system protection mechanisms and eventually deliver the final payload, likely to be present only in the memory of the infected computer and not as a file on the disk.”

Three campaigns

Security researchers uncovered three campaigns between mid-May and early July. All of the campaigns began with a phishing email that contained either a malicious document or a URL.

In the first campaign, the phishing email purported to be from the European Banking Federation and contained a malicious PDF file. This malicious file lures victims into downloading a weaponized RTF file that contains three exploits. The attackers drop a JScript backdoor called More_eggs which allows the attackers to gain remote control of the targeted system.

“The functionality of the backdoor is somewhat typical for that type of malware and allows the attacker to control the infected machine over an HTTPS-based C2 protocol. The backdoor has its initial gate that it connects to on a regular basis to check for the next commands submitted by the attacker,” Cisco Talos researchers said.

The second campaign began on June 19 and shared threat intelligence information. In this case, the phishing email sent contained a malicious URL which redirects the victim to a malicious Word doc, which in turn, triggered the infection chain. The targeted organization is a major ATM and payment systems manufacturer.

The third campaign, which began on July 10, saw the hackers target various businesses. The phishing email sent in this contained a malicious RTF file packed with exploits that triggered the infection chain.

Modus operandi

The cybercriminals behind these phishing campaigns used an open-source exploit kit called Threadkit. This exploit kit has previously been used by cybercriminals delivering various malware including Trickbot, Lokibot and SmokeLoader.

“The actors behind the attacks seem to be using a somewhat modified version of the exploit kit, which relies on launching code through known mechanisms for evading Windows AppLocker protection feature and leveraging legitimate Microsoft applications such as cmstp, regsvr32 or msxsl,” Cisco Talos researchers added.

Windows AppLocker can allow administrators the ability to control which executable files are either authorized to execute or denied. In order to bypass AppLocker and its security defensive features, the attackers infect it with a malicious code.

Attribution is always tricky

According to Cisco Talos researchers, the multiple campaigns they observed over the past two months are consistent with the prior activities of the Cobalt Group. However, some of the payloads used by the cybercriminals behind the new attacks contained a message for security researchers, which reads: “ "We are not cobalt gang, stop associating us with such skids!"

The message hints at the possibility that the attacks may be the work of a different group making use of the Cobalt Group’s TTPs. However, the message could also be an attempt to deceive security experts about the real identity of the attackers.

“Although the attacks are conducted using readily made tools, the attackers show a high level of technical knowledge judging by their ability to combine those tools into a number of successful campaigns delivering different payloads to gain an initial foothold into their targets and provide attackers with a platform for further attack stages to reach their ultimate goal, which is likely a financial gain,” Cisco Talos researchers said.

Cyware Publisher