General description
The Cobalt cybercrime group has been active since 2016. It attacks lending and finance organizations, stealing money by breaking into ATMs, card processing systems and various payment systems (such as SWIFT and the Automated Workstation Client of the Russian Central Bank, AWS-CBR). Several group members are believed to have previously belonged to the Carbanak group. According to FinCERT, in 2017 losses from Cobalt attacks in Russia exceeded RUB 1 billion. The group continued its activity even after the arrest of one of its leaders in 2018. One of the largest-scale attacks the group was involved in targeted the Unistream fast payments system.
Tools
- Cobalt Strike
- CobInt
- CoolPants
- ComDll dropper
- JS-backdoor (more_eggs)
Target sectors
- The finance sector
Target countries
- North America
- Europe
- Central Asia
- Southeast Asia
Objectives
- Cash theft
Alternative group names
- Cobalt Gang
- Cobalt Spider
Reports by Positive Technologies and other researchers
- https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf
- https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf
- https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html
- https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint
- https://blog.morphisec.com/cobalt-gang-2.0
- https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/
- https://www.group-ib.ru/resources/threat-research/cobalt.html
- https://www.group-ib.com/blog/renaissance
MITRE ATT&CK techniques used by the group
Technique ID | Technique name | Description |
---|---|---|
Initial Access | ||
T1566.001 | Phishing: Spearphishing Attachment | Cobalt sent emails with malicious attachments in DOC, XLS, RTF, PDF, LNK, CHM, or ZIP formats. |
T1566.002 | Phishing: Spearphishing Link | Cobalt sent emails with malicious links. |
Execution | ||
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Cobalt used cmd.exe via its JavaScript backdoor. |
T1559.002 | Inter-Process Communication: Dynamic Data Exchange | Cobalt sent documents with malicious OLE objects. |
T1203 | Exploitation for Client Execution | Cobalt used the following vulnerabilities in attacks: |
T1059.001 | Command and Scripting Interpreter: PowerShell | Cobalt used PowerShell in attacks. |
T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Cobalt used the Windows command-line interface in attacks. |
T1059.005 | Command and Scripting Interpreter: Visual Basic | Cobalt used documents with VBA macros. |
T1059.007 | Command and Scripting Interpreter: JavaScript/JScript | Cobalt used JScript in attacks. |
T1204.001 | User Execution: Malicious Link | Cobalt tried to trick users into following a malicious link in a phishing email to load a malicious file. |
T1204.002 | User Execution: Malicious File | Cobalt tried to trick users into opening a malicious file attached to a phishing email. |
Persistence | ||
T1037.001 | Boot or Logon Initialization Scripts: Logon Script (Windows) | Cobalt gained persistence in the system via UserInitMprLogonScript. |
T1543.003 | Create or Modify System Process: Windows Service | Cobalt gained persistence in the system via services. |
T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Cobalt gained persistence in the system via registry or the STARTUP folder. |
T1053.005 | Scheduled Task/Job: Scheduled Task | Cobalt gained persistence in the system via scheduled tasks. |
Privilege Escalation | ||
T1068 | Exploitation for Privilege Escalation | Cobalt used exploits to escalate privileges in infected systems. |
Defense Evasion | ||
T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Cobalt bypassed UAC. |
T1027 | Obfuscated Files or Information | Cobalt obfuscated malware code. |
T1055 | Process Injection | Cobalt injected malicious code into trusted system processes. |
T1218.003 | Signed Binary Proxy Execution: CMSTP | Cobalt used cmstp.exe to bypass AppLocker. |
T1070.004 | Indicator Removal on Host: File Deletion | Cobalt removed its droppers from infected computers to hide traces. |
T1218.008 | Signed Binary Proxy Execution: Odbcconf | Cobalt used the signed odbcconf.exe utility to execute malicious DLL files. |
T1218.010 | Signed Binary Proxy Execution: Regsvr32 | Cobalt used regsvr32.exe to run malicious scripts. |
T1218.011 | Signed Binary Proxy Execution: Rundll32 | Cobalt used rundll32.exe to run malware. |
T1220 | XSL Script Processing | Cobalt used msxsl.exe to run malicious JavaScript code from an XSL file. |
T1112 | Modify Registry | Cobalt modified values of some registry keys. |
Discovery | ||
T1046 | Network Service Scanning | Cobalt used open-source utilities for network reconnaissance. |
T1518.001 | Software Discovery: Security Software Discovery | Cobalt used the JavaScript backdoor to collect information about antivirus tools installed on the system. |
Lateral Movement | ||
T1021.001 | Remote Services: Remote Desktop Protocol | Cobalt used RDP to move laterally within the network. |
Command And Control | ||
T1105 | Ingress Tool Transfer | Cobalt uploaded additional files to the infected computer. |
T1219 | Remote Access Tools | Cobalt used the TeamViewer and Ammyy Admin remote administration utilities for attacks. |
T1105 | Remote File Copy | Cobalt used public websites as C2 servers to load intermediate malware. |
T1071.001 | Application Layer Protocol: Web Protocols | Cobalt used HTTP and HTTPS protocols. |