The financially-motivated “Cobalt” hackers have been establishing a foothold onto victim machines using a piece of malware called SpicyOmelette, Secureworks reveals.
Active since at least 2016 and also referred to as GOLD KINGSWOOD, the Cobalt Gang has been credited with a variety of attacks against financial institutions, including recent attacks against Russian and Romanian banks.
One of the tools the group has been heavily using in their attacks is the CobInt malware, but Secureworks says that the JavaScript remote access Trojan (RAT) dubbed SpicyOmelette was also used in several attacks attributed to the group this year.
Using techniques similar to those employed by state-sponsored actors, the Cobalt group is believed to have stolen around $1.2 billion as of March 2018, Secureworks’ security researchers reveal.
SpicyOmelette, they explain, is a tool used mainly during the initial exploitation of a targeted organization. Usually delivered via phishing emails, the malware includes a series of evasion techniques to hinder prevention and detection.
“GOLD KINGSWOOD delivered SpicyOmelette through a phishing email containing a shortened link that appeared to be a PDF document attachment. When clicked, the link used the Google AppEngine to redirect the system to a GOLD KINGSWOOD-controlled Amazon Web Services (AWS) URL that installed a signed JavaScript file, which was SpicyOmelette,” Secureworks explains.
The hackers used a valid digital certificate to sign the malicious script. Although users might have been warned about running external content, the system would have also indicated that the script was signed with a valid certificate.
By passing parameters to a valid Microsoft utility, SpicyOmelette provides threat actors with the ability to execute arbitrary JavaScript code on compromised systems, thus being able to bypass application-whitelisting defenses.
Capable of detecting the presence of 29 different antivirus tools on the infected system, the RAT allows attackers to profile the machine by gathering information such as running software, system name, IP address, and the like, as well as to install additional malware.
The malware and other post-compromise tools regularly used by Cobalt can then be leveraged to escalate privileges through the theft of account credentials, to evaluate the compromised environment and identify desirable systems, and to deploy malware specifically designed to target those systems.
Secureworks expects the Cobalt Gang to continue to evolve its toolset and operations, suggesting that financial organizations of all sizes and in all geographies could be exposed to the group’s attacks. Due to its history of successful campaigns, the actor should be seen as a formidable threat, the researchers say.
Related: Multi-Stage Malware Heavily Used in Recent Cobalt Attacks
Related: New Cobalt Campaign Targets Russian and Romanian Banks