Cobalt Hackers Now Using Supply Chain Attacks

After expanding operations to the Americas earlier this year, the financially motivated “Cobalt” cybercriminal group has changed techniques and is now using supply chain attacks to target an organization’s partners, Positive Technologies reveals.

First described in 2016 and currently active worldwide, Cobalt is quick to react to banks’ protective measures; its use of the infrastructure and accounts of a company’s employees for nefarious operations is proof of that. To trick recipients into opening phishing messages from illegitimate domains, the group also uses the names of regulatory authorities or security topics, researchers say.

The group is targeting banks, financial exchanges, insurance companies, investment funds, and other financial organizations. The attackers use phishing messages disguised as mailings from financial regulators and employ various types of malicious attachments, including malicious documents or ZIP archives packing executables or shortcut files.

The hackers, Positive Technologies says, were among the first to have access to the latest version of the Microsoft Word Intruder 8 exploit builder, which allowed them to create files exploiting CVE-2017-0199, a vulnerability patched in April. The group also abuses poorly protected public sites to drop files onto the victims’ computers, and delivers the phishing messages to both corporate and personal addresses of targeted employees.

Last year, the group was targeting financial institutions in Eastern Europe, Central Asia, and Southeast Asia, but the target list expanded in 2017 to include North America, Western Europe, and even South America (Argentina).

Around 75% of the targeted organizations are in the financial sector, the researchers say (90% of the targeted financial organizations are banks). However, the group also started targeting financial exchanges, investment funds, and lenders, which researchers say indicates that “attacks on diverse companies with major financial flows are underway.”

In addition to financial institutions, the hackers also target government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare organizations. “Cobalt attacks government organizations and ministries in order to use them as a stepping stone for other targets,” Positive Technologies said.

The researchers suggest that only a handful of people make up the team in charge of the technical aspects of Cobalt’s attacks. The same team appears responsible for registering malicious domains and for sending phishing emails.

The emails typically contain a malicious attachment that either fetches a dropper from a remote server or carries the dropper in a password-protected archive. The dropper then downloads and executes the Beacon Trojan (which has also been associated with the FIN7/Carbanak group).

By forging sender information, the group delivers phishing emails to compromise a specific organization that partners with banks, then starts “sending phishing messages from these partners’ infrastructures using the hacked accounts and mail servers of real employees.” Because of that, the final recipients are likely to trust the sender, which increases the chances of a successful infection.

“The attackers carefully choose subject lines, recipient addresses, and attachment names that will ‘fly below the radar’ so that recipients open the attachments enclosed with phishing messages,” the researchers say.

More than half (60%) of the phishing messages associated with Cobalt were related to cooperation and service terms between banks and their partners. The group also used security anxieties as an attack vector, sending messages from illegitimate domains posing as VISA, MasterCard, and FinCERT units of the Russian Central Bank and National Bank of the Republic of Kazakhstan.

The security researchers believe that the automation tool the group uses to send messages to thousands of recipients is alexusMailer v2.0, a freely available PHP script that offers anonymity and which supports multithreaded sending.

The group also uses widely available public mail services, along with services that allow anonymous registration of temporary addresses.

The group tends to register domains toward the beginning of the week, then prepare its hacking tools, and concentrate on sending out mailings and advancing attacks within the infrastructure of compromised organizations at the end of the week. On average, four days pass between a domain’s registration and its use in a campaign.

“Since phishing mailings are sent out during working hours, domains are usually registered during the interval from 6:00 PM to 12:00 AM (UTC+0), which coincides with the end of the working day in European countries,” the researchers say.

The researchers were also able to discover and block newly registered Cobalt phishing domains before they were used in campaigns, and worked with industry regulators in Russia and other countries to disable delegation for all .ru domains and other top-level domains associated with the group.
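The short registration-to-use window described above is what a defender can turn into a triage signal. The following is an added example, not code from Positive Technologies or the article: a mail-enrichment step that flags messages whose sender domain was registered only days earlier and whose attachments match the archive/executable/shortcut pattern the article describes. The domain names, registration dates, message metadata and the seven-day threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed registration dates standing in for a WHOIS/RDAP or domain-age feed.
DOMAIN_REGISTERED = {
    "regulator-notice.example": datetime(2017, 11, 20, 19, 30, tzinfo=timezone.utc),
    "partner-bank.example": datetime(2009, 3, 2, 10, 0, tzinfo=timezone.utc),
}

# Attachment types the article associates with the campaign: executables and shortcut
# files, delivered directly or packed inside ZIP archives.
RISKY_EXTENSIONS = (".exe", ".scr", ".lnk")


@dataclass
class MailEvent:
    sender_domain: str
    received: datetime                     # delivery time, UTC
    # (attachment name, names of members if it is an archive, else [])
    attachments: list = field(default_factory=list)


def domain_age_days(domain, received):
    """Whole days between domain registration and message delivery, or None if unknown."""
    registered = DOMAIN_REGISTERED.get(domain)
    if registered is None:
        return None
    return (received - registered).days


def risky_attachments(attachments):
    """Return names of attachments that are, or contain, an executable or shortcut."""
    hits = []
    for name, members in attachments:
        candidates = [name] + list(members)
        if any(c.lower().endswith(RISKY_EXTENSIONS) for c in candidates):
            hits.append(name)
    return hits


def triage(event, max_age_days=7):
    """List the reasons a message deserves analyst attention (empty list = nothing seen)."""
    reasons = []
    age = domain_age_days(event.sender_domain, event.received)
    if age is None:
        reasons.append("sender domain has no registration record")
    elif age <= max_age_days:   # article: ~4 days between registration and use
        reasons.append(f"sender domain registered {age} day(s) before delivery")
    for name in risky_attachments(event.attachments):
        reasons.append(f"attachment {name!r} is or contains an executable/shortcut")
    return reasons
```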

“Information about the extent of losses caused by the Cobalt group in 2017 is not yet available. Perhaps warnings by bank regulators headed off some of the group’s efforts. Judging by the scale of Cobalt campaigns worldwide, multimillion-dollar losses by banks are a real possibility. And if attacks on financial exchanges are successful, the consequences will include not only direct losses to individual companies, but rate turbulence on world currency markets,” the researchers conclude.

Related: FIN7 Hackers Change Phishing Techniques

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
