The tale of the prolific Cobalt threat group’s massive phishing campaigns against financial institutions

• The cybercriminal group ‘Cobalt’ has been named after its penetration testing tool ‘Cobalt Strike’.
• The threat group has targeted several banks and financial institutions across countries such as Armenia, Bulgaria, Belarus, Estonia, Georgia, Kyrgyzstan Moldova, the Netherlands, Poland, Romania, Russia, Spain, Britain, Malaysia, and more.

Cobalt group was first spotted in 2016. The cybercriminal group has been named after the penetration testing tool ‘Cobalt Strike’ used by them to move from infected computers in banks’ networks to specialized servers that control ATM machines.

The group was arrested in Spain in March 2018 for attacking almost 100 banks across 40 countries and stealing over 1 billion Euros. The malware and tools used by the threat group include Cobalt Strike, CobInt, SpicyOmlette, Threadkit exploit kit, and More_eggs.

Cobalt group’s attack against ATM machines

In November 2016, cybercriminals have raided ATM machines across Europe using the technique ‘Jackpotting’ that forces infected ATM machines to dispense cash by installing malware on the machine’s computer. The attack has affected Diebold Nixdorf and NCR Corp, two of the world’s largest ATM makers.

This attack has affected almost 14 countries including Armenia, Bulgaria, Belarus, Estonia, Georgia, Kyrgyzstan, Moldova, the Netherlands, Poland, Romania, Russia, Spain, Britain, and Malaysia. Researchers noted that this attack has been conducted by a threat actor group named Cobalt.

Cobalt targeted banks via a spear phishing campaign

In November 2017, the Cobalt group targeted banks via a spear phishing campaign. The phishing emails sent to targeted banks contained RTF attachments with an exploit for CVE-2017-8759. Once victims open and download the attachment, the malicious code downloads and executes the Cobalt Strike tool. The tool then connects to the Command and Control server operated by the Cobalt gang.

After the RCE vulnerability (CVE-2017-8759), the same month, the Cobalt group started targeting banks and financial institutions with phishing emails containing RTF attachments with an exploit for CVE-2017-11882.

Cobalt group revealed its targets - Intentionally or Accidentally?

In its spear phishing email campaign that targeted banks with phishing emails containing RTF attachments, the Cobalt group included the targets’ email address in the email’s ‘To:’ field, instead of including in the email's BCC field. By doing so, the group let researchers and other victims know the campaign’s targets. The group made this error accidentally or intentionally remains unknown.

Cobalt group arrested but resumes attacks against banks with Cobint malware

The Cobalt threat actor group was arrested in March 2018 in Spain for attacking 100 banks across 40 countries and stealing over 1 billion Euros. However, the Cobalt gang continued its attack against banks. This attack was observed in May 2018 and used ‘CobInt’ malware to target bank employees in Russia and the Commonwealth of Independent States via phishing emails.

The phishing emails purported to come from a “leading antivirus company” and stated that the bank’s systems were in violation of the law. The emails urged recipients to download the attachment and read the document. Upon opening the attachment, the ‘CobInt’ malware infected the bank’s computer system.

Three phishing campaigns in May-July 2018

In the first campaign, the phishing emails purported to be from the European Banking Federation contained a malicious PDF file. This malicious file persuades victims into downloading a weaponized RTF file that contains three exploits. The attackers dropped a JScript backdoor called More_eggs which allowed the attackers to gain remote control of the targeted system.

The second campaign started on June 19 with phishing emails containing a malicious URL. Upon clicking, the malicious URL redirected the victim to a malicious Word doc, which in turn, triggered the infection chain. The targeted organization in this campaign was a major ATM and payment systems manufacturer.

The third campaign, which began on July 10, saw the attackers targeting various businesses with phishing emails sent along with a malicious RTF file packed with exploits that triggered the infection chain.

Cobalt gang distributed SpicyOmelette malware

In September 2018, the Cobalt threat actor group used a new Remote Access Trojan (RAT) dubbed SpicyOmelette to target banks worldwide. This malware is a JavaScript RAT and comes packed with multiple detection-evading features. SpicyOmelette is also capable of stealing system information, checking for antivirus tools and installing additional malware into the system.

The Cobalt Group’s new malware ‘SpicyOmlette’ was used as part of the initial intrusion stage in an attack. The malware was delivered via phishing emails containing a malicious PDF document. Upon clicking the PDF doc, the malicious link redirected the victim to Amazon Web Service (AWS) URL which is controlled by the Cobalt group. This link installed and executed the SpicyOmelette malware onto the victim’s system.

Cobalt was spotted using an updated version of Threadkit exploit kit

In October 2018, researchers spotted Cobalt group leveraging a new version of the Threadkit malware, a macro delivery framework, which was previously used in its 2017 attacks.

The Threadkit malware was distributed via phishing emails containing an RFT Microsoft Office attachment which contained an evolved version of the exploit builder kit. Researchers noted that CobInt, which is the payload of Threadkit, now has an added layer of obfuscation using an XOR routine for decoding the initial payload, making it complex to detect.