Cobalt crime gang is using again CobInt malware in attacks on former soviet states

Pierluigi Paganini September 13, 2018

The Russian Cobalt crime gang was particularly active in the last month, a new report confirms a massive use of the CobInt malware in recent attacks.

Security researchers from Proofpoint reported the massive use of the CobInt malware by the Cobalt group in recent attacks. The Cobalt name is based on the association of the malware with the “Cobalt Group” and an internal DLL name of “int.dll” used in some of the samples detected by the experts.

On August 13, 2018, security experts from Netscout’s ASERT, uncovered a new campaign carried out by the Cobalt crime gang. The hackers targeted also the NS Bank in Russia and Carpatica/Patria in Romania.

Cobalt crime gang has been active since at least 2016, it targeted banks worldwide, the group leveraged spear-phishing emails to compromise target systems, spoofed emails from financial institutions or a financial supplier/partner.

The attackers exploited several vulnerabilities in Microsoft Office, including CVE-2017-8570CVE-2017-11882, and CVE-2018-0802.

The group also targeted entities in other sectors, including Government agencies, Telco, Internet service providers, manufacturing, entertainment, and companies in the healthcare industry.

Early this year the hacker group used the malware as a first-stage downloader, but in later attacks, the crew did not use it anymore. CobInt is a multi-stage CobInt malware dropped by the group via malicious Office documents that were created using the ThreadKit builder kit.

The Cobalt crime gang used again the CobInt backdoor in many attacks since July, including the attacks aimed at the Russian and Romanian banks.

In August, Proofpoint experts observed at least four campaigns of the group leveraging the CobInt malware.

“We have also observed an actor commonly known as Cobalt Gang (or Group) using another new downloader that shares many of these characteristics since early 2018. Group-IB named this malware “CobInt” and released a report on its use by Cobalt Gang in May [3]. While we noticed that Cobalt Gang appeared to stop using CobInt as a first-stage downloader around the time researchers at Group-IB published their findings, they have since returned to using the downloader as of July.” reads the analysis published by Proofpoint.

Below the list of the attacks carried out by the Cobalt crime gang in the last weeks:

Date Description CVV
August 2, 2018 Attacker used messages with the subject “Подозрение на мошенничество” (Translated from Russian: “Suspicion of fraud”) purporting to be from “Interkassa” using a sender email address with a lookalike domain “denis[@]inter-kassa[.]com”.
August 14, 2018, Attackers used messages spoofing the Single Euro Payments Area (SEPA) with lookalike sender domains sepa-europa[.]com or sepa-europa[.]info and subjects such as “notification”, “letter”, “message”, and “notice”. The messages (Figure 1) contained: CVE-2017-8570, CVE-2017-11882, or CVE-2018-0802
August 16, 2018, Attackers used messages purporting to be from Alfa Bank using a lookalike domain aifabank[.]com and subjects such as “Fraud Control”, “Фрауд” (Translates to “Fraud”), “Предотвращение хищения” (Translates to “Prevention of theft“), and “Блокирование транзакций” (Translates to “Transaction Blocking”). CVE-2017-8570, CVE-2017-11882, or CVE-2018-0802
September 4, 2018 Attackers used messages purporting to be from Raiffeisen Bank using lookalike sender domains ralffeisen[.]com and subjects such as “Fraudulent transaction”, “Wire Transfer Fraud”, and “Request for data”. CVE-2018-8174


Cobalt crime Gang.png

Malware analysis reveals that the CobInt is a downloader written in C that can be broken up into three stages: an initial downloader for the core component, the core component, and several additional modules.

The first stage downloader disguises its activity by the use of Windows API function hashing and downloads the second stage via HTTPS.

The main component downloads and executes various modules from its C&C. C&C hosts are stored in a 64-byte chunk of encrypted data that can be decrypted by XORing with a 64-byte XOR key.

The malware supports the following commands:

  • load/execute module;
  • stop polling C&C;
  • execute function set by module;
  • update C&C polling wait time.

These, Proofpoint notes, are reconnaissance steps that the attackers are likely to follow with the deployment of additional modules to the compromised systems of interest.

“CobInt provides additional evidence that threat actors — from newer players we featured in our AdvisorsBot blog to established actors like TA505 and Cobalt Group– are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest.” Proofpoint concludes.

“As defenses improve across the board, threat actors must innovate to improve the returns on their investments in malware and infection vectors, making this approach consistent with the “follow the money” theme we have associated with a range of financially motivated campaigns over the years. This appears to be the latest trend as threat actors look to increase their effectiveness and differentiate final payloads based on user profiles” 

Further details, including IoCs are reported in the analysis published by Proofpoint.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – Cobalt crime gang, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment