CyberWire Daily - Doubling down on Cobalt Group activity. [Research Saturday]
Episode Date: November 17, 2018
The NETSCOUT Arbor ASERT team has been tracking Cobalt Group campaigns targeting financial institutions. Richard Hummel is manager of threat intelligence with ASERT, and he joins us to share his team's findings. The research can be found here: https://asert.arbornetworks.com/double-the-infection-double-the-fun/
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and
analysts tracking down threats and vulnerabilities and solving some of the hard problems of
protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Initially, one of my analysts was sifting through some spam data and some campaigns that he was observing.
That's Richard Hummel. He's manager of threat intelligence with the Netscout Arbor ASERT team.
We're discussing their research on the Cobalt Group attacks.
The research is titled Double the Infection, Double the Fun.
Something stood out to him specifically around this activity in that he was looking at a particular phishing email
and found out that there were two different malicious URLs in the same body or content of that email.
And that struck him as unusual because typically you have a single malicious link or you have a malicious attachment
and then perhaps a single link as well.
But to have two different URLs pointing to two different potential payloads struck him as odd.
So he started doing a little bit of research.
And through a series of investigation, looking at the email address where the
spam phishing was coming from, he tracked it back to five or six different domains that
were being used.
And they all had a particular theme to them.
They were all financial services or payment processors. And to him, that definitely stood
out as, hey, maybe this is something a little bit more nefarious. Maybe there's a little bit
of sophistication and organization around this. So as he started digging through it,
and he started analyzing the payloads that those two URLs led to, it turns out that
they shared similarities with some malware
that Cobalt Group has used in the past. So that's kind of what kicked everything off for this
research. I see. So describe to us, what's the background? What do you know about Cobalt Group?
So we haven't been tracking them for a very long time, but they've been active since around 2016,
from what we can tell. And their primary goal is financial motivation.
So anything they can do to cash out, they've been known to do some ATM thefts. They've been
known to target SWIFT payment systems. There's some public reporting out there, I believe,
from Group IB that talked about individual SWIFT attacks costing upwards of $1.5 million per
incident. So we definitely know that their primary objective and their apparent motivation is to
target anybody that has some monetary assets they can then steal. How they do that, I think,
depends on what organization they get into. And at that point, maybe an opportunistic,
hey, we're into this organization, they're a bank, maybe we can compromise some accounts.
Hey, it's Swift, let's see if we can do an attack on a Swift network.
Maybe we get into a bank that has a bunch of ATMs worldwide. They get a bunch of users'
credentials, they get their payment cards, and then they organize this cash out operation.
So a lot of what we're seeing with this targeting is, we call it these two specific campaigns,
but based on the different domains that are registered by the parent owner,
it looks like there's more than just these two. And I think in a response to our blog, one of the analysts that have been working on this for a while, I think it is either Group IB or Talos, I forget which one, they had said that
since one of the actors associated with this cobalt group activity had been arrested,
they've seen 17 different organizations either targeted or masqueraded as. So they're definitely
not sitting on their hands. An apparent arrest of a supposedly high-level operator didn't really do
a whole lot to diminish their activity. And in every instance, it seems like they're going after
financial institutions. There are a couple of instances where they may have masqueraded as
an antivirus like Kaspersky. But predominantly,
it seems like they're targeting various financial organizations in different regions,
even targeting in Russia, although these are suspected to be kind of a Russian origination
type group. So let's walk through what you discovered here. I mean, you have this initial
email that points to a couple of different payloads. So let's dig into it. Sure. So the
email itself, we've got two different payloads.
And what was notable about this is we're sort of looking at some of the recent Cobalt Group
activity.
And Talos had actually released something the week prior.
They were talking about these campaigns targeting new financial institutions, and they were
using CVEs in some malicious or weaponized documents.
When we first started looking at this activity, we hadn't seen any other public reporting
or any other security researchers reporting on this new wave of campaigns.
But when we got it, we weren't actually seeing the CVEs.
Instead, we saw this email that had a link to a JPEG file and then also to a document
that actually had a Visual Basic script in it that would require a user to enable that
content or scripts to run on their system and then detonate it. Both of these different methods
eventually leading to a JavaScript backdoor that we've analyzed. The email itself, or at least the
first one that we came across, appeared to target NS Bank in Russia. And it was coming from
something called Intercasa, which is actually
a payment platform. And so it's a vendor that they potentially use for their services.
It appeared somewhat legitimate. The content is tailored or seemed to be tailored towards
the financial organization. And the second campaign that we looked at came from our
recently partnered threat intel organization, 471. We asked them to look
into this activity to see if they had anything in parallel, and they uncovered this other campaign
targeting a Romanian bank. I believe it's Banca Comerciala Carpatica, if I pronounce that
correctly. It used to be called Patria Bank, but I believe in 2017 they merged, so they're one and
the same now. But it appeared that the second wave or second campaign was targeting this institution and was coming from something called SEPA Europe and talking
about different coverage areas and that they recently expanded. And if they wanted to know
more information to click on this link. That particular campaign was using the CVEs that
had been reported the week prior. So you see two different campaigns, three different methods,
one being a JPEG file that was actually a binary, the other being a malicious document that had a VBA script, and you also see CVEs.
So three parallel campaigns, three different types of payloads, three initial intrusion vectors.
So it's fairly interesting that there's all this happening, and especially having two different intrusion vectors in one single email was kind of notable to us. Through the process of getting installed, we have some graphics on the
site. Once detonation occurs, you have this document that then drops or launches the word
macro. From there, it reaches out to a specific C2 that the actor has registered to grab info.txt.
Masquerading as a text file, but in fact, it's actually a binary.
And then from there, it's actually going to use Windows built-in executables
in order to detonate itself,
whether that's to hide functionality or to avoid AV scanners.
But it uses some command.exe.
It uses some taskkill.exe applications to kill the processes.
And then it'll also use the command.exe to execute a document that's actually a decoy document. And then from there, it uses something called regserver32.exe, which is basically a Windows system tool to launch the actual file.
From there, it actually reaches out and downloads another text file.
And inside that text file is actually the JavaScript backdoor. And it uses yet another system tool in order to actually
detonate that. So you can see there's several different layers here. There's different execution
chains. And it appears that they're doing this to get around some things. In one particular
infection chain, they actually use the INF file, which depending on how you use it has been known
to get around Windows AppLocker. So we see a little bit of obfuscation there and a little bit
of anti-analysis built in. It's overwriting itself in RAM. Is that what's going on?
So the malware itself, I don't necessarily believe it's overwriting anything.
It definitely creates persistence. It installs itself into the registry.
But I don't necessarily think
that it's overriding a binary itself. What happens is when it's detonating this, you have two
different threads. One, you have the malicious activity that's occurring. But then you also have
a command.exe command that's sent over to open this arbitrary or benign Word document. So the
user is going to see whether it's a blank Word document, or maybe it does have information related to the particular spam message that was sent.
It could be decoy information. Maybe they copy and pasted it from the web.
But that's what the user is going to see. Meanwhile, in the background, you're going
to have a malicious activity occurring to actually initiate or execute this backdoor.
I see. And so once the backdoor has been installed, what sort of functionality does it have?
So primarily it's got a kind of a keep alive so it can beacon out to the C2. It has the ability
to download and execute additional binary files. It can download and update itself and then it can
do some type of deletion of itself as well as the registry entries that it creates.
And then it can execute new copies of itself if it came by some other method.
The last command actually seems to be plug and play.
There's a couple of different names for it.
In the particular sample that we had, it's called vi underscore x.
And that basically allows the attacker to remote in and to execute commands on the command line prompt.
Now, based on what you've been able to see with the phishing emails,
how targeted is this campaign?
One of the things that I was recently talking to with another journalist was the idea of this
group targeting. We know that they're targeting financial institutions, but are they singling
out this particular organization or these two particular organizations? I don't necessarily know that that's their end goal. Of all of the
campaigns they sent out, they're specifically targeting these two organizations. One of the
things that we hypothesize, and this is speculation at this point, but some of the information about
the different types of domains they have registered support this, as well as other security researchers
that have made comment,
is that they may have a whole list of financial institutions that they would love to get into.
Maybe they know of some way that they can exploit them or they can commit fraud or they know how to get monetary gain from these particular organizations. And so maybe they take this
whole list, they curate it, and they say, okay, of this list of 100, maybe these 30,
we have a chance at getting into. Or maybe we have lists of employees' email addresses from XYZ organizations. So let's go ahead and start with this subset. And we'll do semi-crafted or
semi-targeted emails that look like they're coming from maybe potential partners or an
organization or entity that might have some type of dealing with a targeted organization. Then we put these emails together and we kind
of blast out to whoever we have in our list of people to target. And then whoever bites,
that's their hook. It could be that they don't necessarily know what they're going to do with
these organizations once they get in. Maybe they're just kind of a spray and pray and they
just target 50 different organizations. They hope two or three of them get compromised.
And then from there, they can figure out, okay, we just compromised a financial institution
that has ATMs, or maybe we have a banking network to go after, or maybe it is Swift
again.
Maybe they have point of sale and we want to pivot and do something a little bit different.
So I think at this point, it's like, get in, establish that foothold.
And that's kind of what we see with these two backdoors is they're very much establishing
their foothold. They don't have key loggers.
They don't necessarily have credential theft capabilities. They're basically, they get in,
they allow an attacker to remote and send arbitrary commands and then download additional
payloads. So what they're going to do after this point, we don't know. We haven't actually seen
an actual compromise or seen into a network that has this running. So we don't necessarily know what the attacker's endgame is or their particular purposes
for targeting these two organizations.
I see. Now, have you had any success with
polling the command and control servers or reaching out to see
what they may or may not respond to?
So when we were first analyzing this, there was definitely still some of them live.
And after several days of putting this together, I had my analysts go back and verify that a couple of them were live.
And while we can say that they're live, we weren't able to glean any additional information that isn't represented in the blog.
However, we did come across a new binary that we're still in the process of analyzing.
And even in just the week or so,
since we started putting all this together, we've seen slight changes where it looks like they're paying attention to what other security researchers are saying. I told you before,
the week before ours came out, Talos had put something out about these new campaigns.
And my analysts started to see slight changes. And it's kind of hard to say if they were
indicative of the operators observing the security research and they realized that somebody figured out their TTPs.
It could be that they're just always in a state of evolution, as we see here with this phishing email having two different potential payloads.
It seems like they're kind of trying different things, seeing what works, what doesn't work.
Or maybe they're just adding a bunch of different methods into their toolkit with the hopes of having the most success.
Now, with the dual payloads, does that, in addition to increasing the odds of infection,
does that also, in the same way, increase the odds of it being detected?
You know, that's interesting because when you think about it, if a user is not going to click on one link, there's no reason to think that they would click on a second link.
So did they do it for redundancy? I don't know.
Did they do it in the hopes that maybe one URL makes it through some type of scanner or AV?
I don't know because if there's a malicious URL in an email, that whole email is typically blacklisted.
So I don't exactly know the reasoning behind having these two
different URLs. Maybe they put it together and they hyperlink the campaign and they didn't realize
they put one URL into one hyperlink and another URL into a different one. I mean, it could be as
simple as a mistake, but it was just interesting in this email because we don't typically see that
tactic. Yeah. Now, do you have any sense for how large a campaign this is? How many of these phishing emails have gone out?
We don't. We've only observed, well, in both of these campaigns, we only observed that one phishing email,
both of which are available in public resources like VirusTotal.
So it's definitely not like a secretive thing. It's not like we're capturing spam off the wire.
What we were looking at was something that was already captured.
It was already made public, but VirusTotal actually had zero hits of malicious nature inside the
content of it. So those URLs that were being used were not being flagged as malicious.
So that further lent reasoning for us to look into this, because if they are malicious and they
do have payloads, then there should be something marking it as malicious.
And so in terms of organizations protecting themselves, what do you recommend?
Anytime I have this question, when we're talking about spam or any type of phishing,
the same answer comes out and that's user education. It's imperative for a user to know
what they're clicking on. If they're not expecting an email from somebody, verify where it's coming
from. One of the things that we do in our organization is anytime we get an email external to our mail
servers, it's tagged as
external email. So that should be the first indicator, the first flag that something is
coming from outside of our network. And I want to verify before I click on anything.
The same thing with the actual URLs themselves, just because it looks like it's www.google.com,
it could be a hyperlink to some other URL. So you want to ensure maybe you do a right-click and copy-paste
to see what that URL actually is.
A lot of times if you hover over that hyperlink,
you can actually see the real URL underneath.
When it comes to attachments,
in the case of one of those URLs downloading a malicious document,
the document required a user to enable content
if it wasn't already enabled,
which many organizations and enterprises by default
have that disabled for this particular reason. You don't want that to happen because it used to be
like macros and scripts were the predominant way that attackers were using for these phishing
campaigns. So there's a lot of group policies now where you can basically go and disable that.
Office 365 actually has a really good policy in that if there's a macro that comes from an
external source to your environment, disallow execution of scripts. So there's different things that all of these
different providers, these browsers, the mail providers are building in these tools to manage
it at a group level. I believe at this point, all the main browsers, Chrome, Internet Explorer,
and Firefox all have the capability to disallow scripts from executing, as well as visiting suspect sites. So there's a number of different things you can do,
but I think a lot of it boils down to individuals within an organization recognizing something
that's potentially phishing when it comes into their inbox.
Our thanks to Richard Hummel for joining us. He's from Netscout's ASERT team.
The research is titled Double the Infection, Double the Fun.
We'll have a link in the show notes.
The Cyber Wire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe,
where they're co-building the next generation of cybersecurity teams and technologies.
Our amazing Cyber Wire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Bond, Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Valecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben,
Rick Howard, Peter Kilby, and I'm Dave Bittner. Thanks for listening.