# Positive Technologies - learn and secure ##### Home About us **August 1, 2017** ## Cobalt strikes back: an evolving multinational threat to finance� ### 1. Introduction **Bank robbery is perhaps the quintessential crime. The promise of immense, instant riches has lured** **many a criminal to target banks. And while the methods, tools, and scale of robbery have all changed,** **two things have stayed the same: the enticement of a hefty payday and the fact that no system is** **perfectly secure.** **In the modern digital economy, criminals are becoming ever more creative in ways to make off with** **millions without having to leave home. Despite enormous efforts, security is always a work in progress** **because of technical vulnerabilities and the human factor. Only a small fraction of banks today are able** **to withstand targeted attacks of the kind perpetrated by Cobalt, a cybercriminal group first described in�** **2016 that is currently active worldwide. Now the group has set its sights on more than just banks.** **[Researchers at Positive Technologies and other companies have described the group's methods](https://www.group-ib.com/cobalt.html)** **previously. In this report, we will describe the new techniques used by Cobalt in 2017, the changing** **target profile, and recommendations on how to avoid becoming their latest victim.�** ### 2. Executive summary **The Cobalt group has been quick to react to banks' protective measures. When spam filters on mail�** **servers began to block most of the group's phishing emails, which contained forged sender** **[information, the attackers changed techniques. Now they actively use Supply Chain Attacks to](https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252)** **leverage the infrastructure and accounts of actual employees at one company, in order to forge** **convincing emails targeting a different partner organization. This tactic has already been used by other** **attackers, such as when the infrastructure of M.E.Doc was used to spread the NotPetya virus, which** **[blocked workstations at a large number of major companies.](https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/)** **Cobalt has attacked banks, financial exchanges, insurance companies, investment funds, and other�** **financial organizations. The group is not afraid to use the names of regulatory authorities or security�** **topics to trick recipients into opening phishing messages from illegitimate domains.** **Here is some of the latest information about techniques used by the Cobalt group:** **Active attacks on bank partners in order to use partner infrastructure for sending phishing** **messages to banks.** **Phishing messages disguised as mailings from financial regulators.�** **Various types of malicious attachments: document with an exploit (.doc, .xls, .rtf), archive** **with an executable dropper file (.scr, .exe), and archive with LNK file (.lnk).�** **Among the first groups to get access to the latest version of the Microsoft Word Intruder 8�** **exploit builder, which made it possible to create documents exploiting vulnerability CVE-** **2017-0199.** **Poorly protected public sites are used to upload files and then download them to victim�** **computers.** **Phishing messages are sent both to corporate addresses and personal addresses of** **employees.** ### 3. What we already knew about Cobalt **Connect on Twitter** **[Follow @ptsecurity_uk](https://twitter.com/ptsecurity_uk)** **Connect on linkedin** **Blog Archive** **[▼ 2017 (18)](javascript:void(0))** **[▼ August (1)](javascript:void(0))** **Cobalt strikes back: an** **evolving** **multinational thr...** **[► July (1)](javascript:void(0))** **[► June (5)](javascript:void(0))** **[► May (2)](javascript:void(0))** **[► April (5)](javascript:void(0))** **[► March (2)](javascript:void(0))** **[► February (1)](javascript:void(0))** **[► January (1)](javascript:void(0))** **[► 2016 (18)](javascript:void(0))** **[► 2015 (22)](javascript:void(0))** **[► 2014 (18)](javascript:void(0))** **[► 2013 (15)](javascript:void(0))** **[► 2012 (45)](javascript:void(0))** **[► 2011 (22)](javascript:void(0))** **[► 2010 (27)](javascript:void(0))** **[► 2009 (6)](javascript:void(0))** **[► 2007 (1)](javascript:void(0))** **[► 2005 (1)](javascript:void(0))** **Search** **Labels** ### telecom phdays ##### Best of Positive Research Linux PCI DSS **[audit](http://blog.ptsecurity.com/search/label/audit)** **[positive technologies](http://blog.ptsecurity.com/search/label/positive technologies)** **[Subscribe](http://feeds.feedburner.com/positiveTechnologiesResearchLab)** **[▼](javascript:void(0))** **[►](javascript:void(0))** **[►](javascript:void(0))** **[►](javascript:void(0))** **[►](javascript:void(0))** **[►](javascript:void(0))** **[►](javascript:void(0))** **[►](javascript:void(0))** **[►](javascript:void(0))** ----- ### 4. Cobalt targets and objectives **The Cobalt group's traditional "stomping grounds" are the Eastern Europe, Central Asia, and** **Southeast Asia. In 2017, attacks grew to include North America, Western Europe, and even South** **America (Argentina).** **Of the companies targeted by Cobalt in phishing mailings, around 75 percent are in the financial�** **sector. Most of these financial companies are banks (90%), but others include financial exchanges,�** **investment funds, and lenders. This widening range of targets suggests that attacks on diverse** **companies with major financial flows are underway. This concurs with the forecast made by the�** **FinCERT of the Russian Central Bank, which predicted increased interest by cybercriminals in financial�** **exchanges in 2017.** **By attacking a financial exchange, the Cobalt group can "pump" or "dump" stocks, incentivizing�** **purchase or sale of shares in certain companies in a way that causes rapid fluctuations in share price.�** **Stock manipulation can affect not just the welfare of a single company, but the economy of entire** **countries. These methods were employed by the Corkow group in their 2016 attack on Russia's** **Energobank, which caused a 15-percent change in the exchange rate of the ruble and caused bank** **[losses of RUB 244 million (over USD 4 million).](http://fortune.com/2016/02/08/russian-hackers-currency-rate/)** **The remaining 25 percent of targeted companies represent diverse industries:** **Government** **Telecom/Internet** **Service Providers** **Manufacturing** ----- **g** **g** **q** **p** **p** **g** **messages sent as part of Cobalt campaigns. These messages were sent to over 3,000 people in 12** **countries. The addresses include corporate addresses but also personal addresses, since employees** **often can check their email on work computers.** **Notably, Cobalt attacks government organizations and ministries in order to use them as a stepping** **stone for other targets.** ### 5. Chronology of Cobalt 2017 campaign **In early 2017, we noted that the Cobalt group was actively registering illegitimate domains. As soon as** **these domains were used to send phishing mailings, we notified the security departments of the�** **targeted companies, as well as the FinCERT of the Russian Central Bank. Thanks to this timely** **intervention, the domains were blocked before the attackers could make use of them.** **Positive Technologies has investigated incidents related to attacks by the Cobalt group at a number of** **companies in 2017. In several cases, the attackers compromised company infrastructure and** **employee accounts in order to send phishing messages to partner companies (i.e., companies that** **have a legitimate pre-existing business relationship with banks) in North and South America, Europe,** **CIS countries, and Central and Southeast Asia. Against targets in the CIS countries, the attackers also** **used their own infrastructure, which included rented dedicated servers located in North America,** **Europe, and Southeast Asia.** **Several pieces of information suggest that the team responsible for the technical aspects of attacks** **consists of only a handful of people. When the attackers were at their most active inside target** **networks, the group would temporarily stop registering domain names and sending phishing mailings.** **Activity not aimed at the targeted infrastructure was not detected The days and times of mailings are** ----- **The Cobalt group relies on social engineering to penetrate networks—users open malicious** **attachments from phishing messages that are disguised by the attackers to resemble messages from** **legitimate companies and regulatory authorities. These attachments contain a document file, which�** **downloads a dropper from a remote server or contains the dropper in a password-protected archive.** **Small in size, a dropper is used to download and run other malicious software (in the case of Cobalt,** **the Beacon Trojan).** **Preparations and progression of a typical attack are illustrated below.** **For information on the actions of Cobalt attackers inside the network of a targeted organization, please** **[see our previous report.](https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf)** #### 1. Partner phishing **The Cobalt group's traditional method—sending messages with forged sender information—has fallen** **out of favor. Instead, the group has paid more attention to making sure that messages get delivered by** **dodging mail server filters. �** **For a targeted mailing ("spear phishing"), the criminals use previously registered domains. A domain** **name is chosen to be similar in meaning and spelling to the domain of the real company. For** **messages to make it through antispam and antivirus checks, the criminals correctly configure SPF�** **entries on the DNS server and indicate the correct DKIM signatures for their messages. This approach** **allows bypassing verification of the address of the sender's mail server, but offers digital evidence for�** **investigators.** **Despite the increased complexity involved, in the first quarter of 2017 the Cobalt group also began to�** **attack various companies that partner with banks, then sending phishing messages from these** **partners' infrastructures using the hacked accounts and mail servers of real employees.** ----- **This approach ensures that recipients are likely to trust the sender and has a number of advantages:** **1. Attackers get information stored on the servers and in the databases of the compromised** **partner organization. This information can be used to create convincing phishing messages.** **2. Attackers obtain access to employee accounts on workstations and mail servers, giving phishing** **messages a high degree of trust and plausibility among potential recipients.** **3. Messages from partners are not blocked by mail server filters.�** **The attackers carefully choose subject lines, recipient addresses, and attachment names** **that will "fly below the radar" so that recipients open the attachments enclosed with�** **phishing messages.** **Today, Cobalt uses phishing mailings at practically all stages of targeted attacks on banks.** **1. Initial compromise starts with one or more workstations at a partner organization, which have been** **infected via phishing.** **_A message informing of "missed payments"_** **_Instructions for connecting to a payment gateway—supposedly_** **2. The attack against the partner organization is then developed by means of internal mailings** **containing malicious documents supposedly from colleagues, management, or IT.** **_"Documents requested by the head of the department"_** ----- **_A message claiming to inform of payroll changes_** **3. Malicious messages are sent from the partner's infrastructure to banks and other financial�** **organizations.** **_A password-protected archive (with the password "doc") supposedly containing an invoice for ATM_** **_maintenance_** **In early 2017, 60 percent of phishing messages from Cobalt related to cooperation and service terms** **between banks and their partners.** **In 2017 Cobalt began to use security anxieties as an attack vector. The group has sent messages from** **illegitimate domains posing as VISA, MasterCard, and FinCERT units of the Russian Central Bank and** **National Bank of the Republic of Kazakhstan.** **Broken English and copied boilerplate text can be convincing in the right circumstances** ----- **_A fake FinCERT message_** **In Russia, this was a particularly ironic "twist" since FinCERT had been actively warning financial�** **companies about the Cobalt threat. So the group took advantage of such anxiety to send messages to** **banks with malicious documents, supposedly on how to keep bank systems safe** **_A vague warning that asks the user to act immediately_** **So by creating counterfeit domains superficially similar to those of real companies, the criminals use�** **the imprimatur of well-known organizations to convince users to open dangerous attachments.** **Since real messages from colleagues and partners usually arrive during working hours, the criminals** **structured the mailings so that employees would receive them during working hours (no matter in** **which time zone the attackers themselves were located).** **Most messages were received in the afternoon—the reason being that employees tend to be less** **vigilant, and therefore more susceptible to phishing, as the evening approaches.** **We noticed a slight variation in tactics against North American companies. Messages targeting U.S.** **and Canadian organizations were sent from the compromised infrastructure of a European partner. For** **the phishing messages to be plausibly European in origin, the criminals performed the mailing during** **European working hours, due to which the targets received emails in the early waking hours in the** **U.S. and Canada.** ----- **software Cobalt Strike.** **The Trojan is delivered and run with the help of a special dropper. The dropper consists of .scr or .exe** **files that are placed on the victim's computer in one of the following ways:�** **1. In a password-protected ZIP archive, the password to which is given in the text of the phishing** **message.** **2. Downloaded from a hacked website when a malicious attachment (.doc, .xls, .rtf) is opened from** **the phishing message.** **3. Downloaded from a hacked website based on commands coded in a LNK file that is in a ZIP�** **archive attached to the message.** **Poorly protected websites are compromised by the attackers and used, in essence, as file�** **hosts for spreading malicious files in attacks against banks.�** **52 percent of the Cobalt phishing messages reviewed by our researchers contained Microsoft Word** **documents.** **The malicious Microsoft Office documents that trigger download of the dropper are created using the�** **Ancalog and Microsoft Word Intruder (MWI) exploit kits. With these kits, even a hacker without** **programming skills can create malicious Word documents and PDF files in an intuitive visual interface�** **in just minutes.** **The Cobalt group was one of the first to get their hands on a restricted version of MWI that can create�** **documents exploiting the critical vulnerability CVE-2017-0199. Since the version in question was sold** **on an individual basis to customers well known to the developer, there may be a relationship between** **the Cobalt group and developer of MWI. One instructive fact in this regard is that less than a week** **passed between announcement of a new MWI version and use by Cobalt of attachments exploiting** **[vulnerability CVE-2017-0199.](https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target)** ----- **MWI is positioned by its developer as a tool for performing APT attacks; if the software is instead used** **to create files for mass spamming, the developer revokes the license. For users of the restricted�** **version of MWI, the developer offers a sort of "scrubbing" so that files will not be flagged by currently�** **available antivirus scanners.** **_The MWI developer boasting of the "product" online_** **Malicious documents sent by Cobalt to banks and their partners use exploits for** **vulnerabilities CVE-2017-0199, CVE-2015-1641, and CVE-2012-0158 in order to** **download and run the dropper on the victim system.** **_An official-seeming document about how to pay overdue debts�_** **When the attachment is opened, malicious code is run. This code takes advantage of vulnerabilities in** **[Microsoft Office to download the dropper from a remote server and �run it. After the code finishes�](https://blog.fortinet.com/2017/05/30/spear-phishing-fileless-attack-with-cve-2017-0199)** **running, a decoy document (such as shown in the screenshot) is displayed.** ----- **the site or law enforcement may seize server equipment as part of a criminal investigation. Public** **knowledge of such incidents is likely to cause severe damage to company reputation.** **Usually Cobalt phishing messages are sent in several waves. In the first wave, the criminals send�** **Microsoft Office documents created using the described exploit kits.�** **If there are no "hits" from targeted users within 24 hours of a mailing (this is possible if a company has** **up-to-date versions of Microsoft Office that are free of the vulnerabilities targeted by the exploit�** **builders), the attackers send a second wave.** **Attached to the messages is a dropper, consisting of .exe or .scr executable files, in a password-�** **protected archive. By placing the files in an archive, the attackers can bypass some filtering and�** **antivirus systems. Solutions are available for real-time scanning of encrypted archives (when the** **password is indicated in the body of the message, as is the case here) but organizations making use** **of such software are few and far between.** **In addition, we have observed a separate mailing in which the attached archives contained LNK files;�** **as in all the other cases, these files are used to download the Beacon dropper. �** #### 3. Cobalt infrastructure **Since a Cobalt mailing is sent to thousands of recipients, the group clearly is using some sort of** **automation. Based on analysis of the phishing messages, we believe that the messages are sent from** **[phishing domains with the help of alexusMailer v2.0, a freely available PHP script used to send emails](https://github.com/AlexusBlack)** **anonymously.** **_alexusMailer and other scripts are available on forums_** **The script includes support for multithreaded sending, a visual editor for messages, import of recipient** **lists and other fields from files, templates, attaching any number of files to a message, and more.�** **Users can distribute sending tasks over a number of servers and set a delay for message sending.** ----- **_alexusMailer interface_** **However, when messages are sent with alexusMailer, the message header contains an artifact: the X-** **PHP-Originating-Script field contains the name of the file of the PHP script that was used to send the�** **messages. This means that on servers used for sending, the php.ini configuration file is set to log�** **outgoing mail.** **The Cobalt group uses widely availably public mail services, as well as services that allow anonymous** **registration of temporary addresses. Some of the domains used for reply addresses in Cobalt mailings** **include: TempMail (@doanart.com, @rootfest.net), Mail.com (@mail.com), AT&T Mail (@att.net,** **@sbcglobal.net), and Yahoo! (@ymail.com). These same services were used by Cobalt to create** **email addresses when registering domains.** **Based on the times at which the domains in the Cobalt infrastructure were registered, we found that** **the attackers tended to register domains towards the beginning of the week. This enables us to** **speculate on their working schedule:** **− On weekdays, the attackers actively register domains, prepare hacking tools, and (less** **often) send phishing mailings.** **− At the end of the week, the group concentrates on sending out mailings and advancing** **their attacks within the infrastructure of compromised organizations.** **− Since phishing mailings are sent out during working hours, domains are usually** **registered during the interval from 6:00 PM to 12:00 AM (UTC+0), which coincides with the** **end of the working day in European countries.** ----- **It would seem that after registering a domain at the beginning of the week, the Cobalt group takes** **some time to prepare for their upcoming phishing campaign, which as noted usually comes at the end** **of the week. On average, the time from domain registration to the first phishing mailing with that same�** **domain is four days.** **Our researchers discovered a number of Cobalt phishing domains before the group was able to use** **them in its phishing campaigns. By acting quickly, it was possible to block the domains.** **Working in cooperation with industry regulators in Russia and other countries, we have succeeded in** **disabling delegation for all .ru domains and most other top-level domains known to be associated with** **Cobalt.** ### 7. Conclusion **The barrier to entry for would-be cybercriminals keeps falling every year. No longer do hackers need to** **look for zero-day vulnerabilities and expensive tools to perform attacks. Instead, all they require are** **basic programming skills, commercially available software, and instructions posted on the Internet.** **Banks and other companies must realize that attackers are constantly refining the tools and�** **techniques they use. In today's environment, a company can fall victim just by getting caught in the** **middle as attackers scout for stepping stones to reach their ultimate target. That's why responsible** **companies can no longer remain complacent about security and pretend that hackers go after only** **large companies and banks, or target only far-away areas of the world. No matter their industry or** **ownership—whether banks, state-owned organizations, or whatever else—companies must keep** **protection of their digital infrastructure current and proactively update their software and operating** **systems. Employees must be trained to increase their security awareness and resist phishing** **attempts. Moreover, scanning should go beyond just incoming messages and attachments to include** **outgoing messages, with retrospective analysis. Public-facing web applications must also be protected** **—if company infrastructure or sites are compromised by an attacker, this can wound company** **reputation, cause blocking of company servers, trigger a drop in search engine ratings, and drive away** **customers.** **Information about the extent of losses caused by the Cobalt group in 2017 is not yet available.** **Perhaps warnings by bank regulators headed off some of the group's efforts. We will continue to** **monitor the Cobalt group and report new details as they become available. Judging by the scale of** **Cobalt campaigns worldwide, multimillion-dollar losses by banks are a real possibility. And if attacks on** **financial exchanges are successful, the consequences will include not only direct losses to individual�** **companies, but rate turbulence on world currency markets.** **[Author Positive Research at 1:00 AM](https://www.blogger.com/profile/12273696227623127095)** **[Tags Cobalt, hacks, research](http://blog.ptsecurity.com/search/label/Cobalt)** ## No comments: Post a Comment **Enter your comment...** **Comment as:** **[Select profile...]** **PublishPublish** **PreviewPreview** **[Home](http://blog.ptsecurity.com/)** **[Older Post](http://blog.ptsecurity.com/2017/07/recovering-data-from-disk-encrypted-by.html)** **[Subscribe to: Post Comments (Atom)](http://blog.ptsecurity.com/feeds/8115373785289763196/comments/default)** **Enter your comment...** **PublishPublish** -----