Security Experts:

Connect with us

Hi, what are you looking for?



Cobalt Hackers Now Targeting Banks Directly

The notorious Cobalt hackers have shown a change in tactics recently, switching their attacks to targeting banks themselves, instead of bank customers, Trend Micro reports.

The notorious Cobalt hackers have shown a change in tactics recently, switching their attacks to targeting banks themselves, instead of bank customers, Trend Micro reports.

Newly observed attacks appear to be part of a larger campaign that started in June and July with the targeting of Russian-speaking businesses. The techniques used are consistent with those associated with the Cobalt hacking group, but new infection chains were observed in recent incidents that targeted the bank’s employees.

Named after multifunctional penetration testing tool Cobalt Strike, the hacking group has been hitting ATMs and financial institutions across Europe. Unlike other groups that avoid Russia or Russian-speaking countries, Cobalt appears to be using the region as a testing ground for new malware and techniques, the same as the Lurk cybercriminal group, Trend Micro notes.

Last year, Russian authorities arrested 50 individuals associated with the use of the Lurk banking Trojan and supposedly took down the Angler exploit kit in the process.

In the recent attacks, the Cobalt group has been using a different vulnerability than before and also started targeting the banks themselves with spear phishing emails. The hackers are now masquerading as the customers of their targets, as a state arbitration court, and as an anti-fraud and online security company.

The group used a Rich Text Format (RTF) document with malicious macros in an attack on August 31, but switched to an exploit for CVE-2017-8759 in spam runs observed on September 20 to 21. Patched in September last year, the flaw is a code injection/remote code execution vulnerability in Microsoft’s .NET Framework.

The Cobalt hackers used this vulnerability to drop and execute Cobalt Strike from a remote server they controlled. Previously, the security bug was used to deliver the FinFisher spyware, but Trend Micro says that other threat actors have been using it of late, including the cyberespionage group ChessMaster.

As part of the attacks leveraging macro-laden RTF files, a PowerShell command is executed to retrieve a dynamic-link library (DLL) file, and odbcconf.exe, a command-line utility related to Microsoft Data Access Components, is used. The DLL drops and executes a malicious JScript using regsvr32.exe, and another JScript is dropped and executed.

The code was designed to receive backdoor commands from a remote server, and the security researchers observed it receiving a PowerShell command to download Cobalt Strike, as well as attempting to connect to a command and control (C&C) server located in France.

Infections involving CVE-2017-8759 flaw start with RTF attachments too, designed to download a Simple Object Access Protocol (SOAP) Web Services Description Language (WSDL) definition from a remote server. The code is injected into memory and downloads and executes Cobalt Strike, which in turn connects to the C&C and waits for commands.

“Many security technologies and security researchers may be utilizing newer detection mechanisms, but cybercriminals are also keeping up, adjusting their tactics to evade them. In Cobalt’s case, for instance, they’ve looked into instances of valid Windows programs or utilities as conduits that allow their malicious code to bypass whitelisting,” the security researchers note.

Mitigation techniques involve securing the use of built-in interpreters or command-line applications, such as PowerShell, odbcconf.exe, and regsvr.exe; keeping systems patched and updated at all times; securing email gateways; using network segmentation to prevent lateral movement; monitoring the network and endpoint for anomalous activities.

Related: Cobalt Hackers Now Using Supply Chain Attacks

Related: Microsoft Patches Zero-Day, Many Other Flaws

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.


Video games developer Riot Games says source code was stolen from its development environment in a ransomware attack


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.