{
	"id": "b0f9233d-394f-4d0f-b813-d0186d96562c",
	"created_at": "2026-04-06T00:21:23.992673Z",
	"updated_at": "2026-04-10T03:33:30.006229Z",
	"deleted_at": null,
	"sha1_hash": "99d7bc8a82fc5f4e06b02c3d573790644cc03d09",
	"title": "Cobalt Strikes Again, Spam Runs Target Russian Banks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 97187,
	"plain_text": "Cobalt Strikes Again, Spam Runs Target Russian Banks\r\nPublished: 2017-11-20 · Archived: 2026-04-05 13:49:05 UTC\r\nThe waves of backdoor-laden spam emails we observed during June and July that targeted Russian-speaking\r\nbusinesses were part of bigger campaigns. The culprit appears to be the Cobalt hacking group, based on the\r\ntechniques used. In their recent campaigns, Cobalt used two different infection chains, with social engineering\r\nhooks that were designed to invoke a sense of urgency in its recipients—the bank’s employees.\r\nCobalt was named after Cobalt Strike, a multifunctional penetration testing tool similar to Metasploit. The hacking\r\ngroup misused Cobalt Strike, for instance, to perpetrate ATM cyber heists and target financial institutions across\r\nEurope, and interestingly, Russia. Unlike other groups that avoid Russia (or Russian-speaking countries) to elude\r\nlaw enforcement, Cobalt’s attack patterns suggest that the group uses Russia as a testing ground where they try\r\ntheir latest malware and techniques on Russian banks. If successful, they go on to attack financial institutions\r\noutside the country. This resembles the tactics of another cybercriminal group, Lurk.\r\nOf note were Cobalt’s other targets. The hacking group's first spam run also targeted a Slovenian bank, while the\r\nsecond run targeted financial organizations in Azerbaijan, Belarus, and Spain.\r\nChanging Tacks\r\nApart from using a different vulnerability (CVE-2017-8759), what’s unique in their latest spear phishing\r\ncampaigns, compared to their previous spam runs and even other related cybercriminal campaigns, is an apparent\r\nrole change. The modus commonly seen in attack chains that target end users (i.e., bank customers) is now leveled\r\nagainst the banks themselves. 
While they previously posed as sales and billing departments of legitimate\r\ncompanies, they’re now masquerading as the customers of their targets (banks), a state arbitration court, and\r\nironically, an anti-fraud and online security company notifying the would-be victim that his “internet resource”\r\nhas been blocked.\r\nThey also diversified tacks. The first spam run on August 31 used a Rich Text Format (RTF) document laden with\r\nmalicious macros. The second, which ran from September 20 to 21, used an exploit for CVE-2017-8759 (patched\r\nlast September), a code injection/remote code execution vulnerability in Microsoft’s .NET Framework. The\r\nvulnerability was used to retrieve and execute Cobalt Strike from a remote server they controlled. We also saw\r\nother threat actors using the same security flaw of late, like the cyberespionage group ChessMaster.\r\nBelow are snapshots of some of the spam emails they sent to their targets:\r\nFigure 1. Spam emails containing RTF documents embedded with malicious macros\r\nInfection Chain via Macros\r\nHere’s a visualization of this infection chain:\r\nFigure 2. Infection chain of Cobalt’s latest spear phishing campaign using malicious macro\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/\r\nPage 1 of 5\n\nThe RTF file contains macro codes that will execute a PowerShell command to retrieve a dynamic-link library\r\n(DLL) file before executing it using odbcconf.exe, a command-line utility related to Microsoft Data Access\r\nComponents. The DLL will drop and execute a malicious JScript using regsvr32.exe, another command-line\r\nutility, to download another JScript and execute it using the same regsvr32.exe. This JScript will then connect to a\r\nremote server and wait for backdoor commands. During analysis, we received a PowerShell command that\r\ndownloads Cobalt Strike from hxxps://5[.]135[.]237[.]216[/]RLxF. 
It will ultimately try to connect to their\r\ncommand and control (C\u0026C) server, 5[.]135[.]237[.]216[:]443, which we found located in France.\r\nFigure 3. The malicious RTF file asking would-be victims to “Enable Content” (left) and what happens after\r\nclicking it, when the macro codes are run (right)\r\nTo further illustrate this infection chain: after clicking “Enable Content”, it will run the macro codes that will\r\ncheck if the machine is 64-bit, decrypt and execute a PowerShell command, remove the picture in the document,\r\nand write “Call me” in it. The PowerShell command is for downloading a DLL file from\r\nhxxp://visa[-]fraud[-]monitoring[.]com[/]t[.]dll, saving it in the affected machine, then executing it via the\r\ncommand, odbcconf.exe /S /A {REGSVR \"\"C:\\Users\\Public\\file.dll\"\"}. The DLL file will drop a Windows Script\r\nComponent (SCT) file embedded with JScript in the %AppData% folder using a random name and append it with\r\na .TXT extension.\r\nFigure 4. The macro codes (above) and the DLL file executing the SCT file via regsvr32.exe (below)\r\nThe SCT file will check if the system has an internet connection; if it's connected, it will proceed to download and\r\nexecute a backdoor from the remote server.\r\nFigure 5. The file downloaded from the remote server, which is actually a backdoor\r\nSome of the backdoor’s commands are:\r\nd\u0026exec — download and execute PE file\r\nmore_eggs — download additional scripts\r\ngtfo — delete files/startup entries and terminate\r\nmore_onion — run additional script\r\nmore_power — run command shell commands\r\nInfection Chain via CVE-2017-8759\r\nThe RTF attachment used in their second spam run contained an exploit for CVE-2017-8759. It entails\r\ndownloading a specified Simple Object Access Protocol (SOAP) Web Services Description Language (WSDL)\r\ndefinition from a remote server, which is injected into memory. 
The codes include downloading and retrieving\r\nCobalt Strike, which will connect to the C\u0026C server 86[.]106[.]131[.]207 and wait for commands.\r\nFigure 6. Infection chain using CVE-2017-8759\r\nFigure 7. Spam emails whose attachments contain an exploit for CVE-2017-8759\r\nThe same exploit technique has been employed to deliver the cyberespionage malware FinSpy. In Cobalt’s case, a\r\nSOAP moniker is embedded in the RTF file, which facilitates the exploit for CVE-2017-8759 by retrieving the\r\nmalicious SOAP WSDL definition via hxxp://servicecentrum[.]info[/]test[.]xml. Contents of this Extensible\r\nMarkup Language (XML) file will be parsed, which will generate a Source Code (CS) file. It will then be\r\ncompiled by the .NET Framework, which Microsoft Office will load as a library.\r\nDepending on the infected machine’s architecture, the library will inject codes that will download and execute the\r\nfinal payload. It’s named “ZxT6” in 32-bit systems and “MZBt” in 64-bit machines. The endgame is to connect to\r\nthe C\u0026C server, 86[.]106[.]131[.]207, which we found located in Germany. The final payload is a DLL that is a\r\ncomponent of Cobalt Strike. It will connect to 86[.]106[.]131[.]207[:]443 to wait for further commands.\r\nThis is what the attacker’s panel looks like when trying to interact with the targeted victims:\r\nFigure 8. Dashboard of Cobalt Strike, which is also abused by various attackers\r\nMitigations\r\nMany security technologies and security researchers may be utilizing newer detection mechanisms, but\r\ncybercriminals are also keeping up, adjusting their tactics to evade them. 
In Cobalt’s case, for instance, they’ve\r\nlooked into instances of valid Windows programs or utilities as conduits that allow their malicious code to bypass\r\nwhitelisting.\r\nIndeed, the Cobalt hacking group's attacks exemplify the importance of defense in depth. Here are some best practices\r\nto defend against these types of threats:\r\nBlacklist, disable, and secure the use of built-in interpreters or command-line applications, such\r\nas PowerShell, odbcconf.exe, and regsvr32.exe\r\nRegularly patch and keep the system and its applications updated to prevent attackers from exploiting\r\npossible vulnerabilities; consider virtual patching for legacy/end-of-life systems\r\nSecure the email gateway, given how Cobalt still relies on email as an entry point\r\nImplement network segmentation and data categorization to thwart lateral movement\r\nProactively monitor the network and endpoint for anomalous activities; deploy firewalls and sandboxes as\r\nwell as intrusion detection and prevention systems to reduce the attack surface\r\nTrend Micro Solutions\r\nTrend Micro XGen™ security provides a cross-generational blend of threat defense techniques against a full range\r\nof threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning\r\nto secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.\r\nWith capabilities like web/URL filtering, behavioral analysis, and custom sandboxing, XGen™ protects against\r\ntoday’s purpose-built threats that bypass traditional controls and exploit known, unknown, or undisclosed\r\nvulnerabilities. 
Smart, optimized, and connected, XGen™ powers Trend Micro’s suite of security solutions:\r\nHybrid Cloud Security, User Protection, and Network Defense.\r\nIndicators of Compromise (IoCs):\r\nHashes related to the spear phishing campaign using malicious macro codes (SHA256): Email attachments/RTF\r\nfiles detected as W2KM_CALLEM.ZGEI-A:\r\nccb1fa5cdbc402b912b01a1838c1f13e95e9392b3ab6cc5f28277c012b0759f9\r\ndcad7f5135ffa5e98067b46feec2563be8c67934eb3b14ef1aad8ff7fe0892c5\r\nMalicious DLL file\r\ndetected as TROJ_DROPFCKJS.ZHEI-A:\r\ndab05e284a9cbc89d263798bae40c9633ff501e19568c2ca21ada58e90d66891\r\nMalicious JScript file (35CE74A54720.txt) detected as JS_NAKJS.ZGEI-A:\r\n2b4760b5bbe982a7e26af4ee618f8f2dcc67dfe0211f852bf549db457acd262c\r\nMalicious TXT file (README.TXT) detected as JS_GETFO.ZIEI-A:\r\ne9ab3195f3a974861aa1135862f6c24df1d7f5820e8c2ac6e61a1a5096457fc3\r\nBackdoor (RLxF) detected as BKDR_COBALT.ZHEJ-A:\r\n0dedb345d90dbba7e83b2d618c93d701ed9e9037aa3b7c7c58b62e53dab7d2ce\r\nHashes related to the spear phishing campaign exploiting CVE-2017-8759: Email attachments/RTF files detected\r\nas TROJ_MDROP.ZHEI-A:\r\neb4325ef1cbfba85b35eec3204e7f79e4703bb706d5431a914b13288dcf1d598\r\na0292cc74ef005b2e5e0889d1fc1711f07688b93b16ebc3174895d7752a16a23\r\n94155a2940a1d49a92a602a5232f156eeb1d35018847edb9c6002cefe4c49f94\r\n69e55d2e3207e29d9efc806ff36f13cd49fb92f7c12f0145f867674b559734a3\r\nMalicious XML file (test.xml) detected as TROJ_CVE20178759.ZIEI-A:\r\n0f5c5d07ed0508875330a0cb89ba3f88c58f92d5b1536d20190df1e00ebd3d91\r\nBackdoor (ZxT6) detected as BKDR_COBALT.ZIEI-A:\r\n9d9d1c246ba83a646dd9537d665344d6a611e7a279dcfe288a377840c31fe89c\r\nBackdoor (MZBt) detected as BKDR64_COBALT.ZIEI-A:\r\ne78e800bc259a46d51a866581dcdc7ad2d05da1fa38841a5ba534a43a8393ce9\r\nRelated malicious URLs:\r\nhxxp://visa-fraud-monitoring[.]com/t[.]dll\r\nhxxps://webmail[.]microsoft[.]org[.]kz/portal/readme[.]txt\r\nhxxps://webmail[.]microsoft[.]org[.]kz/portal/ajax[.]php\r\nhxxp://servicecentrum[.]info/test[.]xml\r\nhxxps://5[.]135[.]237[.]216[/]RLxF\r\nhxxps://86[.]106[.]131[.]207[/]ZxT6\r\nhxxps://86[.]106[.]131[.]207[/]MZB\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/"
	],
	"report_names": [
		"cobalt-spam-runs-use-macros-cve-2017-8759-exploit"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "dcba8e2b-93e0-4d6e-a15f-5c44faebc3b1",
			"created_at": "2022-10-25T16:07:23.816991Z",
			"updated_at": "2026-04-10T02:00:04.758143Z",
			"deleted_at": null,
			"main_name": "Lurk",
			"aliases": [],
			"source_name": "ETDA:Lurk",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434883,
	"ts_updated_at": 1775792010,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99d7bc8a82fc5f4e06b02c3d573790644cc03d09.pdf",
		"text": "https://archive.orkl.eu/99d7bc8a82fc5f4e06b02c3d573790644cc03d09.txt",
		"img": "https://archive.orkl.eu/99d7bc8a82fc5f4e06b02c3d573790644cc03d09.jpg"
	}
}