The infamous financial cybercrime gang known as Cobalt Group has been spotted actively pushing a fresh campaign that uses a peculiar tactic: Double infection points and two command-and-control (C2) servers.
The Cobalt Group, a known financial cybercrime ring since 2016, has been suspected in attacks in dozens of countries around the world. It typically targets ATMs for jackpotting, and researchers believe the gang is also responsible for a series of attacks on the SWIFT banking system.
According to NETSCOUT/Arbor Networks ASERT team, the group, which is also affiliated with Carbanak, has lately been going after banks and other financial institutions in eastern Europe and Russia, with two main targets in the latest offensive: NS Bank in Russia and Banca Comercială Carpatica/Patria Bank in Romania.
The threat actors are using spear-phishing messages purporting to be from financial vendors or partners, which is a typical gambit; what’s not typical is that each phishing email actually contains two malicious URLs pointing to two different payloads, which are linked to two unique C2 servers believed to be owned and operated by the Cobalt Group.
“Most of the email content [none of which was flagged as malicious by VirusTotal] appears benign except for a link embedded in the message,” ASERT researchers noted, in research posted Thursday.
Binary Analysis
The first URL connects to a weaponized Word document containing obfuscated VBA scripts (as opposed to known CVEs); and the second is a backdoor binary called CobInt/COOLPANTS with a jpg extension.
“The document from the embedded URL renders a VBA-infested word document which continues the infection cycle once macros are enabled,” the researchers explained. “The VBA script pieces together a cmd.exe command that launches cmstp.exe with an INF file, allowing it to potentially by-pass AppLocker. The INF file then beacons [out] to download a remote payload that cmstp.exe will execute.”
That payload is an XML file, which in turn unpacks a JavaScript backdoor dropper, believed to be a stager for additional payloads. It’s known as “more_eggs,” which has been tied to the Cobalt Group in the past.
Meanwhile, the second URL appears to point to an image pertaining to be Single Euro Payments Area (SEPA) (hxxp://sepaeuropa[.]eu/transactions/id02082018.jpg), but it actually redirects to an executable, which eventually leads to the implantation of a reconnaissance backdoor that can also beacon to the C2 server for additional payloads or scripts.
“The sample is littered with junk code that spends CPU cycles before proceeding to deobfuscate itself,” the researchers explained. “The unpacking routine involves overwriting itself in memory with another executable. This overwritten binary loads a resource and jumps to the executable code contained in it.”
As seen in other Cobalt Group attacks, a BAT script runs that launches a standard Windows utility that allows bypassing AppLocker, as well as downloading and running SCT or COM objects using the standard Windows utility regsvr32.exe.
Cobalt Group Activity Continues
The deployment of the backdoors indicate that the attacker is seeking a foothold into the targeted organizations – although what their endgame is at this point is unclear.
“ATM attacks are more of a long game, as it takes time and effort to coordinate a large cash-out operation,” the ASERT team told Threatpost in an email interview. “The SWIFT attacks they used before were faster, and, based on research done by other security organizations, highly successful in that the average monetary gain per incident exceeded the $1.5 million mark. It may also be possible the attackers don’t really know how they would steal funds from the targeted organizations yet, and they are purely seeking a foothold in order to plan their next moves.”
They added, “Any foothold into a large financial institution is potentially lucrative to an attacker. Albeit, it may take many layers of escalation and pivoting laterally before they are able to hit sensitive systems and steal funds. However, once they are past the perimeter of a networks defense, this task becomes much easier for the attacker.”
The campaign targeting possible NS Bank employees was uncovered by ASERT researchers, while the campaign targeting Patria Bank was found by its threat-intelligence partner, Intel471.
“Fusing the findings from both parties, we determined that the campaigns were indeed linked through similarities in the malware payloads, including shared strings to the Program Database (PDB) where the malware was compiled,” the team told Threatpost. “Additional similarities between the binaries were identified in a side-by-side comparison.”
“Making use of separate infection points in one email with two separate C2s makes this email peculiar,” the researchers noted. “The most obvious benefit to this tactic is redundancy. If the targeted victim failed to click on one link, perhaps they’d click on the second.”
They added, “Although not something we’ve seen with this group previously, it isn’t uncommon for an attacker to employ multiple methods of compromise.”
As far as how the campaign fits into the evolution of the Cobalt Group in general, it’s further evidence that the gang has no intention of slowing down, despite the arrest of its ringleader in March.
“Although it’s not an obvious indication of increasing sophistication, we already know from previous activity that the group maintains a moderate-to-high level of sophistication, as evidenced by their successful attacks on ATM and SWIFT services,” the team told Threatpost.
It added that it believes that “Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia, based on the observables in this campaign and their normal modus operandi.”
