Cobalt Group: The 101

Tuesday, December 11, 2018
Cobalt 101

The Fidelis Threat Research analysts have discovered a new version of ThreadKit, malware notorious for its use by the cybercrime organization known as Cobalt Group. This blog post is going to provide some insight into the group. If you want to dive straight into the detail of Fidelis research, check out the full Threat Report here.

Background:

Known for their sophisticated attacks targeting financial organizations, Cobalt Group first appeared in 2016 when they targeted banks in Eastern Europe. They used phishing emails that contained what looked like a .PDF attachment containing exploits, which when executed, allowed the group to compromise servers that controlled ATMs. The result – they were able to steal $32,000 overnight from six ATMs in Eastern Europe.

This was just the tip of the iceberg and the group has since built a reputation for their highly targeted, network intrusion methods. They expanded their geographical target area out of Eastern Europe, to include North America, South America and Western Europe as well as expanded their targets from banks, to also include supply chain companies, financial exchanges, investment funds, and lenders. Some estimates suggest that the group has stolen as much as the equivalent of $1.2 billion from banks from across 40 different countries. The group gathered momentum up until March 2018 when the alleged leader of the gang was arrested by Interpol. Since then, activity has slowed however various research efforts in addition to those revealed in our recent analysis, have demonstrated that the group is continuing to develop their tradecraft.

Toolkit:

Active campaigns generally use alexisMailer 2.0, also known as iPosylka to send spear phishing emails containing malware to gain a foothold within their victim’s organizations. The group do their homework, and often tailor the emails to look as though they have come from a financial partner. Tools used in 2017 included PetrWrap, more_eggs, CobInt, and ThreadKit.[8] 

Example of translated phishing email sent from Cobalt Group, sourced from IB Group: https://www.group-ib.com/blog/cobalt

2018 has seen continued activity with a campaign against financial services organizations in May, in addition to more recent activity, which is analyzed in Fidelis’s recent Threat Report using the CobaltGroup malware frameworks.

 

Fidelis Research:

In October 2018, Fidelis identified a new version of ThreadKit. As per Cobalt Group’s typical methods, the malware was delivered via phishing email, containing a RFT Microsoft Office attachment which contained an evolved version of the exploit builder kit first uncovered in October 2017.

Download the full Cobalt Group Threat Report to find out the results from our full technical analysis.

 

 

 

- Jason Reaves
Threat Research Principal Engineer I