Friday, September 13, 2024
HomeMalwareFinancially Motivated Hackers Group "Cobalt" Now Attack Banks by Launching Weaponized Word...

Financially Motivated Hackers Group “Cobalt” Now Attack Banks by Launching Weaponized Word Document

Published on

Security researchers uncovered a new attack targeting the financial institution such as banks in Kazakhstan, and the attack believed to be initiated by one of the Financially motivated cyber-crime gang “Cobalt”.

Cobalt group actively targeting victims in various countries since at least 2016, they particularly focus on the bank’s network to compromise the internal components such as ATM and card processing system.

Also, researchers believe that this gang was ultimately responsible for  SWIFT banking system attack that causes million dollar damage.

- Advertisement - EHA

In order to compromise the company or bank sectors, they are sending malicious emails that look like a legitimate one from other trusted partners.

Threat actors from this group building a tailored document to masquerade as a legitimate one with a valid certificate and planed well before executing the attack to evade the detection.

Even though Europol arrested the Cobalt group leader in 2018, the group remains active until today and still targeting the victims around the globe.

In this current attack, researchers found enough evidence that related to the Cobalt group, including a large number of similar Cobalt Strike loaders in this campaign that they used for some previous attacks.

Infection process

Threat actors hosting a weaponized document on the promotion website of Kassa Nova Bank (https://kassanova[.]kz/files/docs/T47188445.doc) and the website claimed financial products and services to the public and small enterprises in Kazakhstan.

Once it’s launched into the targeted system and opened by a victim, the content of document tricks the user to enable the malicious Macro and the Document_Open macro function is automatically triggered once the user presses the “Enable Macros” button.

If it’s enabled, a multistage Infection chain that eventually downloads and executes a Cobalt Strike beacon to proceed with the further infection process.

Cobalt attack infection chain

Threat actors heavily obfuscate the codes used for the malware and it drops the executable payload “file.exe”  which is signed by Sectigo.

Later the executable communicate with its C&C server to download and decrypt a Cobalt Strike beacon. 

According to Checkpoint Research ” Surprisingly, this communication resembles legitimate requests made when viewing the Office 365 Outlook calendar. Looking up the unique request header led us to a GitHub project called “Malleable C2 Profiles”, which offers a variety of “profiles” that mimic the communication patterns of legitimate services, known malware families or even APT groups. “

Cobalt group is known to be mainly attacked in Eastern Europe and Central Asia, and as it turns out, this is the second time that Kassa Nova bank was involved in a Cobalt Group related attack: During December 2018, a malicious attachment was sent from the e-mail address belonging to one of the bank’s employees, Checkpoint said.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT

A recent advanced malware campaign leverages a phishing attack to deliver a seemingly benign...

Hackers Exploiting Apache OFBiz RCE Vulnerability in the Wild

A critical vulnerability in the Apache OFBiz framework has been actively exploited by hackers....

Docker Desktop Vulnerabilities Let Attackers Execute Remote Code

Docker has addressed critical vulnerabilities in Docker Desktop that could allow attackers to execute...

Fortinet Confirms Data Breach Following Hacker’s Claim of 440GB Data Theft

Fortinet, a leading cybersecurity firm, has confirmed a data breach involving a third-party cloud...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

New Loki Backdoor Attacking macOS Systems

Cody Thomas developed Apfell, an open-source macOS post-exploitation framework, in 2018 and evolved into...

Threat Actors Using New Malware Toolkit That Involves IIS Backdoor, DNS Tunneling

The Iranian threat actor APT34, also known as GreenBug, has recently launched a new...

Beware Of Malicious Chrome Extension That Delivers Weaponized ZIP Archive

In August 2024, researchers detected a malicious Google Chrome browser infection that led to...