Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Malware & Threats

Multi-Stage Malware Heavily Used in Recent Cobalt Attacks

The Russia-based Cobalt hacking group has made heavy use of the CobInt malware in recently observed campaigns, Proofpoint’s security researchers warn. 

The Russia-based Cobalt hacking group has made heavy use of the CobInt malware in recently observed campaigns, Proofpoint’s security researchers warn. 

The Cobalt Gang appeared to have stopped using the malware as a first-stage downloader earlier this year, but an August campaign targeting Russian and Romanian banks revealed that they are using it again. 

Known for targeting financial institutions worldwide, the group has also launched cyberattacks against organizations in the government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare industries. 

Since July, the multi-stage CobInt malware has been a constant presence in the threat actor’s attacks, delivered via malicious Office documents built using the ThreadKit exploit builder

The malicious documents are targeting recent vulnerabilities in Microsoft Office, namely CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802. The malicious files either attempt to drop a stage 1 payload or link to the CobInt downloader directly. 

Between August 2 and September 4, Proofpoint detected four Cobalt attacks attempting to drop CobInt. The most recent of the incidents leveraged an Office document with a relationship object to fetch an external VBscript exploiting CVE-2018-8174 for the payload’s execution.

Written in C, CobInt is a downloader malware that can be broken up into three stages: an initial downloader, the main component, and additional modules.

Advertisement. Scroll to continue reading.

The first stage’s purpose is to download the main CobInt component. It features encrypted command and control (C&C) host and URI, hides its functionality through the use of Windows API function hashing, and downloads the next stage via HTTPS. 

CobInt’s main component is downloaded in the form of a DLL that stage 1 also executes. The main component fetches and runs various modules from the C&C. The malware uses HTTPS to communicate with the server. 

Proofpoint’s researchers discovered four commands that the C&C server can send to the malware: load/execute module; stop polling C&C; execute function set by module; and update C&C polling wait time.

Loaded as shellcode, the modules start executing at the indicated entry point. The malware was observed loading two modules from the C&C, one to send a screenshot to the server, and the other to send a list of running process names. 

These, Proofpoint notes, are reconnaissance steps that the attackers are likely to follow with the deployment of additional modules to the compromised systems of interest. 

“CobInt provides additional evidence that threat actors […] are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest. […] This appears to be the latest trend as threat actors look to increase their effectiveness and differentiate final payloads based on user profiles,” Proofpoint concludes. 

Related: New Cobalt Campaign Targets Russian and Romanian Banks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...