Cobalt Group remains active phishing threat to financial services

News by Mark Mayne

A detailed new report into new malware from financial cyber-crime Cobalt Group reveals inner workings and operational activity.


ThreadKit by Cobalt Group (pic: Kwanchai Lerttanapunyaporn/EyeEm/GettyImages)

Notorious cyber-crime gang Cobalt Group remains a serious threat to the financial service sector, in spite of high-profile arrests, according to a new report.

The report focuses on a new version of ThreadKit, a macro delivery framework widely used by Cobalt Group in a string of attacks through 2017 and 2018. This latest version, seen in a campaign on October 30th, shows a slight evolution, according to researchers from Fidelis Threat Research.

Previous versions of ThreadKit were standalone unpacked executables, but recently the group has moved to hiding their code in a resource section to ensure a more stealthy approach. The sample is packed with a variant of the MAN crypter, which once unpacked sees an EXE file decode and load data from its resource section. Decoding is a simple XOR loop with a hardcoded key.

Within this decoded section are a number of routines responsible for resolving needed functions, decoding strings, downloading data from the internet and de-obfuscating and decoding the data it retrieves, which is also decoded using a hardcoded XOR key, which finally combine to provide the domain and URL where CobInt will be retrieved from. When loaded, the malware will sit in a loop beaconing to its command and control server and waiting for commands and modules to be executed.

CobInt is a stealthy, small footprint, reconnaissance-orientated modular downloader, first spotted by Proofpoint. The focus on stealthy observation remains a key one, with the researchers noting that only reconnaissance modules have been seen to be downloaded onto victim machines so far.

Jason Reaves, threat research principal engineer at Fidelis, told SC Media UK that active development of ThreadKit represented a wider threat from other criminal groups too: "These groups will normally use whatever tools will help them leverage the most infections, since ThreadKit is being actively developed then it is a tool that is heavily utilised by many groups – it’s not solely used by Cobalt Group."

Although the alleged leader of the gang was arrested in Spain in March 2018, the group has been able to continue development and operational improvements, such as modifying their tradecraft and launching effective campaigns.

Cobalt Group is thought to have attacked banks in more than 40 countries and has resulted in cumulative losses of over €1 billion (£902m) for the financial industry – the Cobalt malware alone enabled the criminal gang to steal up to €10 million (£9m) per heist.

The researchers from Fidelis Threat Research concluded: "Cobalt Group has shown that despite disruptions to their operations with the arrest of an alleged member, they maintain the capability to continue modifying their tradecraft and launch campaigns. Based on this recent activity, we assess with moderate confidence that Cobalt Group maintains the capability to continue development of their tradecraft. However, since May of this year Fidelis researchers have seen a slight decrease in their operations tempo which might be attributed to the arrest of an alleged member of the organisation."

The report also contains a helpful list of IOCs:

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event