The notorious Cobalt hackers have shown a change in tactics recently, switching their attacks to targeting banks themselves, instead of bank customers, Trend Micro reports.
Newly observed attacks appear to be part of a larger campaign that started in June and July with the targeting of Russian-speaking businesses. The techniques used are consistent with those associated with the Cobalt hacking group, but new infection chains were observed in recent incidents that targeted the bank’s employees.
Named after multifunctional penetration testing tool Cobalt Strike, the hacking group has been hitting ATMs and financial institutions across Europe. Unlike other groups that avoid Russia or Russian-speaking countries, Cobalt appears to be using the region as a testing ground for new malware and techniques, the same as the Lurk cybercriminal group, Trend Micro notes.
In the recent attacks, the Cobalt group has been using a different vulnerability than before and also started targeting the banks themselves with spear phishing emails. The hackers are now masquerading as the customers of their targets, as a state arbitration court, and as an anti-fraud and online security company.
The group used a Rich Text Format (RTF) document with malicious macros in an attack on August 31, but switched to an exploit for CVE-2017-8759 in spam runs observed on September 20 to 21. Patched in September last year, the flaw is a code injection/remote code execution vulnerability in Microsoft’s .NET Framework.
The Cobalt hackers used this vulnerability to drop and execute Cobalt Strike from a remote server they controlled. Previously, the security bug was used to deliver the FinFisher spyware, but Trend Micro says that other threat actors have been using it of late, including the cyberespionage group ChessMaster.
As part of the attacks leveraging macro-laden RTF files, a PowerShell command is executed to retrieve a dynamic-link library (DLL) file, and odbcconf.exe, a command-line utility related to Microsoft Data Access Components, is used. The DLL drops and executes a malicious JScript using regsvr32.exe, and another JScript is dropped and executed.
The code was designed to receive backdoor commands from a remote server, and the security researchers observed it receiving a PowerShell command to download Cobalt Strike, as well as attempting to connect to a command and control (C&C) server located in France.
Infections involving CVE-2017-8759 flaw start with RTF attachments too, designed to download a Simple Object Access Protocol (SOAP) Web Services Description Language (WSDL) definition from a remote server. The code is injected into memory and downloads and executes Cobalt Strike, which in turn connects to the C&C and waits for commands.
“Many security technologies and security researchers may be utilizing newer detection mechanisms, but cybercriminals are also keeping up, adjusting their tactics to evade them. In Cobalt’s case, for instance, they’ve looked into instances of valid Windows programs or utilities as conduits that allow their malicious code to bypass whitelisting,” the security researchers note.
Mitigation techniques involve securing the use of built-in interpreters or command-line applications, such as PowerShell, odbcconf.exe, and regsvr.exe; keeping systems patched and updated at all times; securing email gateways; using network segmentation to prevent lateral movement; monitoring the network and endpoint for anomalous activities.