Cobalt cybercrime gang targets Russian and Romanian banks

On August 13, ASERT observed the Cobalt crime gang actively pushing a new campaign aimed at institutions in eastern Europe and Russia.

Security experts from Netscout’s ASERT uncovered a new campaign carried out by the Cobalt cybercrime group.

The attacks were detected on August 13, 2018. The experts revealed that the hackers also targeted NS Bank in Russia and Carpatica/Patria in Romania.

The Cobalt crime gang has been active since at least 2016 and has targeted banks worldwide.

Cobalt hackers leverage spear-phishing emails to compromise target systems; the messages spoof emails from financial institutions or from a financial supplier or partner.

The new campaign discovered by Netscout’s ASERT researchers presents a novelty: one of the phishing emails sent by Cobalt contains two separate malicious URLs, one pointing to a weaponized Word document and the other to a binary with a .jpg extension.

The experts also detected two malware samples used in the campaign, a JavaScript backdoor and another malicious code tracked as COOLPANTS, a reconnaissance backdoor associated with the group.

COOLPANTS borrows code from the Coblnt backdoor: 28 of its 57 functions matched when the two binaries were compared with Diaphora, a binary-diffing tool.

The backdoor connects to hxxps://apstore[.]info, a domain already identified by researchers from Proofpoint as a command and control for Cobalt malware.

2831589 - ETPRO TROJAN Cobalt Group Downloader (apstore .info in DNS Lookup) (trojan.rules)
2831590 - ETPRO TROJAN Cobalt Group Downloader (apstore .info in TLS SNI) (trojan.rules)

On 13 August 2018, experts from ASERT detected a new sample of COOLPANTS compiled on 1 August 2018. This sample connects to rietumu[.]me as its C2. Analysis of the domain led to the email address solisariana[@]protonmail[.]com, which is associated with five other new domains, all created on 1 August 2018 (compass[.]plus; eucentalbank[.]com; europecentalbank[.]com; inter-kassa[.]com; and unibank[.]credit).

The domains were clearly used to target the financial institutions.

“Hunting for samples associated with inter-kassa[.]com leads to a phishing email uploaded to VirusTotal, d3ac921038773c9b59fa6b229baa6469. At the time of analysis, VirusTotal scored the phishing email with a 0, indicating nothing malicious was identified by the anti-virus engines.” reads the report.

“Most of the email content appears benign except for a link embedded in the message. The name “Interkassa” appears to be a payment processing system which makes it a prime masquerading target for attackers as noted in the tactics employed by the Cobalt Group for this ongoing campaign.”

The experts used the inter-kassa domain to search for associated malicious campaigns. They found only a spear-phishing email dated 2 August 2018, addressed to NS Bank and sent by “Interkassa.” The mail pretends to be sent from Denys Kyrychenko, co-owner and CTO of Interkassa.

The phishing message includes two malicious links. One of them points to a weaponized Word document with an embedded VBA script. If the victim enables macros, the script builds a cmd.exe command that launches cmstp.exe with an INF file. The INF file connects to the C2 to fetch a payload, which cmstp.exe then executes.
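The macro → cmd.exe → cmstp.exe chain described above is a useful detection anchor. The following is an added example (not code from the ASERT report or this article) that walks a set of constructed, Sysmon-style process-creation events and flags cmstp.exe launched with an INF file when an Office application appears in its parent chain; all paths, PIDs and command lines are made up for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str    # full command line

# Constructed sample events (not real telemetry): a Word document spawns
# cmd.exe, which runs cmstp.exe with an INF in a user-writable directory.
# PID 500 is a benign-looking cmstp.exe launched from explorer.exe.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'WINWORD.EXE /n "C:\Users\u\Downloads\invoice.doc"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c cmstp.exe /ni /s C:\Users\u\AppData\Local\Temp\x.inf"),
    ProcEvent(400, 300, r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /ni /s C:\Users\u\AppData\Local\Temp\x.inf"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /s C:\Windows\System32\corp_vpn.inf"),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INF_RE = re.compile(r"(\S+\.inf)\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def ancestors(ev: ProcEvent, index: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk ppid links upward; stop on a missing parent or a PID cycle."""
    chain, seen = [], set()
    cur = index.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur)
        cur = index.get(cur.ppid)
    return chain

def detect_cmstp_inf_from_office(events: List[ProcEvent]) -> List[dict]:
    """Return hits for cmstp.exe + INF whose parent chain contains an Office app."""
    index = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) != "cmstp.exe":
            continue
        m = INF_RE.search(e.cmdline)
        if not m:
            continue
        chain = [basename(a.image) for a in ancestors(e, index)]
        if any(name in OFFICE_APPS for name in chain):
            hits.append({"pid": e.pid, "inf": m.group(1), "chain": chain})
    return hits
```

Running `detect_cmstp_inf_from_office(SAMPLE_EVENTS)` flags only PID 400, whose chain runs cmd.exe → WINWORD.EXE → explorer.exe, while the explorer-launched cmstp.exe is left alone.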

The attackers used a JavaScript backdoor, tracked as ‘more_eggs,’ that is identical to a backdoor discovered last year by Trend Micro and attributed to the Cobalt cybercrime gang.

The backdoor supports the following commands that allow Cobalt to take over an infected system:

  1. d&exec – Downloads and executes a PE file.
  2. more_eggs – Downloads an update for itself.
  3. gtfo – Deletes itself and related registry entries.
  4. more_onion – Executes the “new” copy of itself.
  5. vai_x – Executes a command via cmd.

The second link in the spear-phishing email connects to the C2 to download an executable rather than an image file. Unfortunately, at the time of analysis, the C2 was not responding.

ASERT also discovered another campaign, allegedly linked to the Cobalt group, targeting the Romanian carpatica[.]ro by masquerading as the Single Euro Payments Area (SEPA).

“ASERT believes Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi.” concludes ASERT.

“ASERT also recommends that employees are trained to spot phishing emails and, where possible, closely inspect emails for look-alike domains that might contain malicious attachments or links.”

Further details, including IoCs, are reported in the analysis published by the researchers.

Pierluigi Paganini

(Security Affairs – Cobalt, Cybercrime)
