New Cobalt Campaign Targets Russian and Romanian Banks
31.8.2018 securityweek CyberCrime
A new campaign by the Russia-based Cobalt hacking group was observed on August 13, 2018. Cobalt is best-known for targeting financial institutions, and this campaign is no different. Two targets have been identified to date: NS Bank in Russia and Carpatica/Patria in Romania.
Cobalt has been operating since at least 2016. So far it is credited with the theft of $9.7 million from the Russian MetakkinvestBank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan. Last year it was reported that Cobalt had expanded its range into also targeting government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare organizations, often using government organizations and ministries as a stepping stone for other targets.
A common theme for Cobalt is to start with spear-phishing emails to gain the initial entry. In financial attacks, the emails usually masquerade as other financial institutions or a financial supplier/partner domain to gain the target's trust.
In an analysis of the new campaign, Netscout's ASERT researchers show numerous parallels with known Cobalt TTPs and tools -- but with one new divergence. One of the phishing emails it has discovered contains two separate malicious URLs. The first is a weaponized Word document, while the second is a binary with a .jpg extension.
The researchers had uncovered two malware samples that connect the new campaign to Cobalt. The first was a JavaScript backdoor that shares functionality with other backdoors. The second is COOLPANTS, a reconnaissance backdoor linked to Cobalt and originally found by researcher Szabolcs Schmidt. The new report notes that COOLPANTS appears to be an evolution of Coblnt -- 28 of its 57 functions match under comparison tool Diaphora. Furthermore, COOLPANTS connects to hxxps://apstore[.]info, which Proofpoint describes as a Cobalt C2.
On 13 August 2018, ASERT found a new sample almost identical to COOLPANTS. It was compiled at the same time on 1 August 2018. Its 48 functions match those in COOLPANTS under the 'Best Match' tab in Diaphora. This sample, however, has rietumu[.]me as its C2. Inspecting rietumu[.]me, ASERT found the email address, solisariana[@]protonmail[.]com. Pivoting from this address, it found five more new domains all created on 1 August 2018.
The domains are compass[.]plus; eucentalbank[.]com; europecentalbank[.]com; inter-kassa[.]com; and unibank[.]credit. Each one is clearly designed to masquerade as the domain of a financial services organization. The real Interkassa, for example -- and according to its genuine website -- is a payments processing firm based in Ukraine.
The researchers used the inter-kassa domain and searched for samples. They found a spear-phishing email that bears all the hallmarks of a Cobalt campaign, dated 2 August 2018. It is addressed to bulavina AT ns-bank DOT ru and sent by "Interkassa" <denis AT inter-kassa DOT com>. Interestingly, LinkedIn lists a Denys Kyrychenko as co-owner and CTO of Interkassa.
It is this email that provides two embedded malicious links. One calls a weaponized Word document with an embedded VBA script. If macros are allowed, the script generates a cmd.exe command that launches cmstp.exe with an INF file. The INF file beacons back to the C2 to download a payload that is executed by cmstp.exe.
The eventual JavaScript backdoor -- named 'more_eggs' -- is almost identical to the backdoor analyzed by Trend Micro this time last year and attributed to Cobalt. Both provide five commands that essentially allow attackers to take over an infected system.
These commands are d&exec (downloads and executes a PE file); more_eggs (downloads an update for itself); gtfo (deletes itself and related registry entries); more_onion (executes the 'new' copy of itself); and vai_x (executes a command via cmd). Only the last command differs between the two versions, with the earlier one having the name more_power for vai_x.
The second URL in the spear-phishing email, with a dot-jpg filename, downloads an executable rather than an image file. This also ultimately beacons to its C2 server, which was not -- at the time of analysis -- responding.
ASERT is confident that this, and another campaign discovered by Intel471 targeting Romanian carpatica[.]ro by masquerading as Single Euro Payments Area (SEPA), are both the work of the Cobalt group. Only the use of two separate infection points in one email with two separate C2s makes this campaign unusual. "One could speculate that this would increase the infection odds," comments the report -- for example, if Word macros are successfully disallowed by the target, he or she might still succumb to the disguised jpg.
"ASERT believes," says the report, "Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi." It is worth mentioning that Trend Micro has suggested that COBALT starts by targeting Russia and the old USSR states to test out its methodology before moving on to European and other targets.
ASERT is the threat intelligence team of Arbor Networks, which is the security division of NETSCOUT.