The Cobalt Gang cybercrime group has launched a new round of phishing campaigns targeting primarily Russian and Romanian banking customers with CobInt, a recently discovered malicious backdoor and downloader.
Written in C, CobInt consists of three stages: a first-stage downloader, the main payload, and a series of modules capable of reconnaissance activities such as capturing screenshots and compiling a list of running process names.
The main payload is the component that communicates with the attackers’ command-and-control server and downloads the additional modules over HTTPS, Proofpoint reported in an 11 September blog post. The C&C server response is deliberately formatted to look like an HTML file, a technique for evading analysis tools.
Group-IB discovered the spyware earlier this year and reported on it in May, but according to Proofpoint, Cobalt’s use of CobInt waned in the ensuing weeks, until activity suddenly picked up again in July with a series of email-based phishing operations.
Most of these scam emails have used sender addresses whose domains at first glance appear to belong to regional banks or other financial organisations, services or vendors. The subject lines have typically used wording suggesting that the recipient is being contacted about fraud or theft, a blocked transaction, or a request for data.
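The lookalike sender domains described above are the kind of thing a mail gateway can score before a user ever sees the message. The following is an added example, not code from Proofpoint or from the article, that classifies a sender domain against an allowlist of an institution's real sending domains. The allowlist entry (`examplebank.com`) and the sample sender addresses are constructed placeholders, and the registrable-domain logic (last two labels) is a deliberate simplification that a production filter would replace with a public-suffix list.

```python
import unicodedata

# Constructed placeholder allowlist: in practice, the institution's real sending domains.
KNOWN_DOMAINS = {"examplebank.com"}

# Coarse homoglyph / digit-for-letter normalisation (assumption: a small table is enough
# to demonstrate the idea; real filters use far larger confusable tables).
SINGLE_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b", "@": "a"})
MULTI_CHAR_MAP = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalise_domain(domain: str) -> str:
    """Lower-case, decode punycode, strip diacritics and fold common confusables."""
    d = domain.strip().lower().rstrip(".")
    if any(label.startswith("xn--") for label in d.split(".")):
        try:
            d = d.encode("ascii").decode("idna")  # show the Unicode form of an IDN label
        except (UnicodeError, ValueError):
            pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.translate(SINGLE_CHAR_MAP)
    for src, dst in MULTI_CHAR_MAP:
        d = d.replace(src, dst)
    return d


def registrable(domain: str) -> str:
    """Simplification: treat the last two labels as the registrable domain."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch single-keystroke typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return one of: legitimate, homoglyph-lookalike, typosquat, brand-in-domain, unrelated."""
    full = address.rsplit("@", 1)[-1].lower().rstrip(".")
    reg = registrable(full)
    if reg in KNOWN_DOMAINS:
        return "legitimate"
    norm_reg = normalise_domain(reg)
    for known in KNOWN_DOMAINS:
        norm_known = normalise_domain(known)
        if norm_reg == norm_known:
            return "homoglyph-lookalike"   # e.g. "rn" standing in for "m"
        if levenshtein(norm_reg, norm_known) <= 2:
            return "typosquat"             # one or two characters off the real domain
        brand = known.split(".")[0]
        if brand in full:
            return "brand-in-domain"       # brand name buried in a longer or nested domain
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders, not addresses from any real campaign.
    for sender in ("alerts@examplebank.com", "fraud@exarnplebank.com",
                   "info@examplbank.com", "security@examplebank-verify.com",
                   "news@unrelated.org"):
        print(f"{sender:35} -> {classify_sender(sender)}")
```

The verdict is meant to feed a scoring pipeline rather than block outright: a `brand-in-domain` hit on a message whose subject talks about blocked transactions or fraud, as in the campaigns described here, is a strong combined signal.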
For instance, on 4 September the attackers sent emails pretending to be from Raiffeisen Bank in Romania. "The messages contained a Microsoft Word attachment that used a relationship object to download an external VBScript file containing an exploit" for CVE-2018-8174. The actors used this Windows VBScript Engine RCE flaw to deliver CobInt, Proofpoint reported.
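A Word document that pulls a remote script through a relationship object leaves a trace in the package itself: an OOXML `.rels` part with a relationship whose `TargetMode` is `External` and whose target is a URL. The following is an added example, not code from the article or from Proofpoint, that unpacks a `.docx` (a ZIP container) and reports such relationships, ignoring ordinary hyperlinks, which are external by design. The sample document it scans is constructed in memory, and the `.vbs` URL in it is a placeholder; the exact relationship type the campaign used is not stated in the article, so the example treats any non-hyperlink external URL target as worth flagging.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
HYPERLINK = OFFICE_REL + "hyperlink"
OLE_OBJECT = OFFICE_REL + "oleObject"
REMOTE_SCHEMES = {"http", "https", "ftp", "file"}


def external_relationships(docx_bytes: bytes):
    """Yield (rels_part, relationship_type, target) for every TargetMode="External" entry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                continue  # a malformed part is itself suspicious, but keep scanning
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    findings.append((name, rel.get("Type", ""), rel.get("Target", "")))
    return findings


def flag_remote_loads(findings):
    """Keep external targets that Word would fetch automatically (not user-clicked links)."""
    flagged = []
    for part, rel_type, target in findings:
        if rel_type == HYPERLINK:
            continue  # a clickable link is normal; it is not an automatic fetch
        if urlparse(target).scheme.lower() in REMOTE_SCHEMES:
            flagged.append((part, rel_type.rsplit("/", 1)[-1], target))
    return flagged


def build_sample_docx() -> bytes:
    """Construct a minimal .docx in memory (sample for this example, not a real lure)."""
    rels = (
        f'<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId1" Type="{HYPERLINK}" '
        f'Target="https://www.example.com/" TargetMode="External"/>'
        f'<Relationship Id="rId2" Type="{OLE_OBJECT}" '
        f'Target="http://lure.example.invalid/update.vbs" TargetMode="External"/>'
        f'<Relationship Id="rId3" Type="{OFFICE_REL}styles" Target="styles.xml"/>'
        f'</Relationships>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml",
                    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        zf.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for part, kind, target in flag_remote_loads(external_relationships(build_sample_docx())):
        print(f"{part}: {kind} -> {target}")
```

Run it over attachments at the gateway or in a sandbox pre-filter; the check is cheap because it only reads the `.rels` parts and never renders the document. A hit is a reason to detonate or quarantine, not a verdict on its own, since some legitimate templates also reference remote resources.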
In an earlier 16 August email campaign, the attackers sent communications that appeared to come from Russia’s Alfa Bank. These emails featured URLs linking to a hosted ThreadKit exploit document that exploited one of three Microsoft Office RCE bugs — CVE-2017-8570, CVE-2017-11882 and CVE-2018-0802 — in order to execute the embedded CobInt first-stage downloader.
Two more related campaigns took place on 2 August and 14 August, distributing emails pretending to be from Interkassa and the Single Euro Payments Area (SEPA), respectively. Interkassa is a company based in Georgia (the country) and Latvia that provides a system online retailers use to receive payments, while SEPA is a payment-integration initiative of the European Union to help simplify euro-based bank transfers.
The fake SEPA emails, which purported to contain an update on the organisation’s service coverage, distributed CobInt via the three previously cited Office exploits, as well as through URLs that linked directly to the CobInt downloader. The phony Interkassa emails, on the other hand, linked to two URLs — one that linked to a macro document that installed the More_eggs downloader, and another that linked directly to the CobInt stage 1 executable, Proofpoint reported.
Late last month, Arbor Networks also reported on the Cobalt Group’s use of CobInt (Arbor more descriptively refers to it as CobInt/COOLPANTS) in recent phishing campaigns targeting customers of NS Bank in Russia and Banca Comerciala Carpatic/Patria in Romania.
By many accounts, Cobalt Group is strongly affiliated with the cyber-criminal gang known as Carbanak or FIN7, which has been the subject of multiple high-profile international arrests this year.
"CobInt provides additional evidence that threat actors… are increasingly looking to stealthy downloaders to initially infect systems, and then only install additional malware on systems of interest," Proofpoint concluded in its report.