What Is It?
Researchers at Arbor Networks ASERT team recently observed by the Cobalt group attempting to use spear phishing emails containing multiple malicious links in order to compromise Russian and Romanian banks.
The recent attack shows the resilience of Cobalt after successes by law enforcement against high ranking members of the group. In March 2018, Spanish authorities arrested the alleged leader, a Ukrainian whose name was not released. In August 2018, the US Department of Justice advised that it had taken three high ranking members, also Ukrainians, into custody in relation to the theft of payment card numbers from U.S. companies.
Considered to be the most financially successfully attacker group, Cobalt, who are also known variously as Carbanak, FIN7 and TEMP.Metastrike have, according to Europol, stolen more than one billion Euros (approximately $US1.2 billion) from 100 banks in 40 mainly European countries across a five year timespan. The group is also responsible for the theft of over 15 million payment card numbers from more than 6,000 point-of-sale (POS) systems in the U.S., including well known restaurant chains as Arby’s, Chili’s, Chipotle and Red Robin. Those card numbers were then sold for profit on the dark web.
In this case, the spear phishing emails are written as though they have originated from Interkassa, a legitimate European intra-bank payment processor. The Cobalt group has taken the uncommon, but not unheard of, tactic of placing two attack vectors in each email. Those emails contain a link that appears to be to a JPEG image file (but is actually a malicious executable) and a Microsoft Word document attachment. The Word document contains a malicious macro which then downloads another malicious executable. Both malicious executables contact different command and control (C2) servers.
The Cobalt group’s success demonstrates it is both very experienced and adept at social engineering. As always, it is necessary for the user to enable macros in Word for the malicious macros to execute, the email and Word document need to be crafted in a way to convince users to allow the malicious code to execute. Often, even after realizing that they have been successfully social engineered and potentially been compromised, users are reluctant to report it, due to embarrassment or other concerns, a fact that groups such Cobalt exploit for profit.
How Does It Propagate?
The malware does not contain the necessary code to self-propagate. These attacks utilize spear phishing and social engineering in order to compromise organizations with malicious documents and links.
When/How Did BluVector Detect It?
Ten samples consisting of malicious documents and malicious executables used in this campaign are publicly available and BluVector’s patented Machine Learning Engine (MLE) detected them all. Regression testing has shown the samples would have been detected an average of 33 months prior to their release.