Cobalt Group - Behind Global Bank Hacking Spree - Launched New Attacks

A ferocious group of hackers who target the financial organisations and seem to be the cyber attacks perpetrator against the ATM systems and SWIFT banking network, with their newly launched campaign has targeted employees of two separate banks - one in Russia and second in Eastern Europe.

In their new campaign, the cybercrime gang, called Cobalt Group, has been found targeting two banks Banca Comerciala Carpatica/Patria Bank in Romania and NS Bank in Russia. The Cobalt Group is suspected to have attacked banks in over 40 countries. It is presumed that the forgery has fetched them around €10 million per attack. Netscout Arbor has uncovered that the recent campaign has started in mid-August.

NETSCOUT's ASERT team, on August 13, found that the Cobalt Group has launched a new campaign of spear-phishing with a motive to target the systems of financial organisations by sending them spear-phishing emails.

While targeting both the banks, the phishing emails sent were disguised to have come from bank partners or their financial vendor. The emails sent by the hacking group used tools which bypassed all Windows defenses.

"In at least one of the campaigns the attackers crafted an email that appeared to come from SEPA Europe (Single Euro Payments Area) with information about expanded coverage", as told to ZDNet by Threat Intelligence Manager at Netscout, Richard Hummel. "The recipient of the email was encouraged to click on an embedded link to find more information pertaining to the expanded coverage area".

The phishing emails were contained with two malicious links, which when clicked infected the systems. The infected links were of two types: one, a malicious Word doc. that contained obfuscated VBA scripts, and second, was a binary with .jpg extension.

The investigative researchers when analysed the binaries, found that they were contained with links to C&C (Command and Control) servers that are assumed to be owned as well as operated by Cobalt hacking group. Additionally, the researchers noted that the malware which was used as a part of campaign had a massive resemblance to Coblnt - the backdoor that was used in the previous Cobalt campaigns.

As the newly launched Cobalt campaign is believed to be still active, the researchers have warned that other banks may get targeted by a similar kind of attack.

» SPAMfighter News - 9/7/2018