
Cobalt cybercrooks phry up phishing campaign to phling at phinance orgs

Emails hiding dodgy scripts designed to plant backdoors

A notorious hacking group suspected in attacks across dozens of countries has launched a campaign against banks in eastern Europe and Russia.

The so-called Cobalt Group is slinging spear-phishing emails in an attempt to get into the systems of targeted financial organisations. The emails are set up to look like they were sent by a firm or partner that would normally have dealings with the target orgs, increasing the likelihood of infection. The hacking group then uses tools that can bypass Windows defences to burrow deeper into compromised networks.

Security firm NETSCOUT said that recently intercepted phishing emails targeting NS Bank (Russia) and Banca Comercială Carpatica/Patria Bank (Romania) were sent by Cobalt Group. The attribution is based on analysis of the contents of these dodgy emails and the infrastructure of the online traps they attempt to trick the unwary into visiting.

These phishing emails contained two malicious URLs. The first linked to a booby-trapped Word document containing obfuscated VBA scripts. The second URL pointed to a malicious executable that poses as a benign .jpg picture file. Both vectors were ultimately geared towards planting backdoors.
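A defender can catch the second vector, an executable served under a `.jpg` name, by comparing what a linked download actually contains with what its URL claims. The sketch below is an added example, not code from NETSCOUT or the article; the function names, finding labels, URLs and sample bytes are all constructed for illustration.

```python
import struct
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import urlparse

JPEG_EXTS = {".jpg", ".jpeg"}
OFFICE_EXTS = {".doc", ".docx", ".docm"}

def sniff(data: bytes) -> str:
    """Classify content by its magic bytes, ignoring the file name."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole2"   # legacy .doc container, can carry VBA
    if data[:4] == b"PK\x03\x04":
        return "zip"    # OOXML container (.docx/.docm)
    if data[:2] == b"MZ" and len(data) >= 0x40:
        # e_lfanew at offset 0x3C points at the "PE\0\0" signature
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"

def check_download(url: str, data: bytes) -> Optional[str]:
    """Return a finding label for a file fetched from an emailed link."""
    ext = PurePosixPath(urlparse(url).path).suffix.lower()
    kind = sniff(data)
    if ext in JPEG_EXTS and kind == "pe":
        return "pe-as-image"
    if ext in JPEG_EXTS and kind != "jpeg":
        return "not-a-jpeg"
    if ext in OFFICE_EXTS and kind in {"ole2", "zip"}:
        return "office-doc-needs-macro-scan"
    return None

# Constructed sample content: minimal headers only, not real files.
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
FAKE_JPEG = b"\xff\xd8\xff\xe0" + b"\x00" * 16
FAKE_OLE = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16

if __name__ == "__main__":
    for url, body in [
        ("https://files.example.test/photo.jpg", FAKE_PE),
        ("https://files.example.test/logo.jpg", FAKE_JPEG),
        ("https://docs.example.test/invoice.doc", FAKE_OLE),
    ]:
        print(url, "->", check_download(url, body))
```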

The binaries analysed point back to two unique command-and-control servers, which NETSCOUT researchers reckon are owned and operated by the Cobalt hacking group, as explained in a blog post.

Targeted phishing is a common vector of initial compromise in attacks against banks, and is suspected in the recent $13.5m raid against Cosmos Bank in India, for example. The two-pronged phish associated with the latest hacking operation targeting east European banks is unusual, if not unprecedented.

Richard Hummel, ASERT threat research manager at NETSCOUT, said the use of two URLs in a phishing email is rare. "It's not something we typically see," he told El Reg. The two different URLs each went to different places and served different downloads.

Hackers may have done this in order to create redundancy, Hummel speculated, adding that their intentions in this department are unclear.

Cobalt Group (aka TEMP.Metastrike) has been active since at least late 2016, and has been implicated in attacks across dozens of countries. The group primarily targets financial organisations, often with the use of ATM malware. Security researchers believe it is responsible for a series of attacks on the SWIFT banking system, costing millions in damages to the affected financial institutions.

Europol recently arrested a suspect whom it claims is the leader of the gang.

Rustam Mirkasymov, head of dynamic analysis department at Moscow-based Group-IB, said the Cobalt hackers have been busy of late.

"In addition to these attacks, we have detected at least 17 campaigns since the beginning of this year, and at least 14 attacks after the arrests by Interpol," Mirkasymov told El Reg. "We have seen phishing emails on behalf of Oracle, Bank of Santander, Western Union, Akamai Technology, SWIFT, Apple, Kaspersky Lab, Diebold Nixdorf, Interkassa, Sepa Europe, etc. Also, at least two companies were hacked and their infrastructure was used by Cobalt to deliver emails with malware in attachment.

"This year Cobalt stole money through SWIFT [terminals*] from one European bank but all money was successfully returned. In previous year they managed to steal money via SWIFT [terminals] from [a] Russian bank." ®

* SWIFT has previously explained in both cases, as in others, that its network was not compromised and that it has offered its help to beef up security at its customer institutions.
