
Cobalt Group

Posted: October 23, 2019

The Cobalt Group is an Advanced Persistent Threat (APT) group that specializes in financially motivated attacks against high-profile targets in Southeast Asia, Central Asia and Eastern Europe. Its victims are usually banks and other financial institutions, and the group is known for long-running intrusions that compromise one machine after another, slowly working its way toward the internal systems that actually move money. Apart from reaching customer-facing systems through a compromised bank network, the group has also targeted Automated Teller Machines (ATMs), as well as the networks used for online payments and credit card processing.

The Cobalt Strike Penetration Testing Tool is a Prime Part of the Cobalt Group's Operations

One of the notorious hacking tools used by the group is Cobalt Strike, from which the threat actor takes its name. Cobalt Strike is notorious for its ability to operate in a fileless mode: its payload and modules are loaded directly into Random Access Memory (RAM) and run from there, without being written to disk as separate executables. This reduces the footprint the group's activity leaves behind and helps it evade anti-virus engines and other file-based malware detection tools. Cobalt Strike is an all-in-one post-exploitation framework: it can log keystrokes, provide remote access, bypass Windows' User Account Control (UAC), launch the Mimikatz credential collector, and scan the network for other vulnerable systems. It is important to note that Cobalt Strike is a commercially sold penetration-testing tool, so its presence on a network is not by itself proof of this group, but the Cobalt Group appears to make the most out of its features.

The Cobalt Group hackers take advantage of other publicly available tools besides Mimikatz and Cobalt Strike: they also rely on Windows' built-in Remote Desktop Protocol (RDP), the PsExec utility, TeamViewer, SoftPerfect Network Scanner and Plink (the command-line client from the PuTTY suite, useful for tunnelling traffic over SSH). Because every one of these is a legitimate administration tool, blocking them outright is rarely practical; organizations can instead restrict them with application allow-listing, limit which accounts may use RDP and PsExec, and alert when such tools run from user-writable locations such as temporary or profile folders, or on hosts where no administrator would need them. When the group's Cobalt Strike payload is detected by anti-virus products, it may be labelled the Cobalt Trojan.
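To make the advice above concrete, here is an added example (not the page's code, and not tied to any vendor's telemetry) that scans constructed process-creation log lines for the tools just listed. The key=value log format, the rule patterns, the list of user-writable paths and the host and user names are all assumptions; the idea it shows is that these legitimate tools are best flagged by where they run from and how they are invoked rather than by their mere presence.

```python
"""Flag process-creation events for the publicly available tools the text
lists (PsExec, Plink, SoftPerfect Network Scanner, TeamViewer and RDP).
Added example, not code from the page or from any vendor: the log lines are
a constructed key=value rendering of process-creation telemetry, and the
rules below are assumed heuristics, not published indicators."""
import re

# Each rule: name, pattern matched against the lower-cased image path, and an
# optional pattern matched against the command line to separate suspicious use
# from routine use (assumed heuristics).
RULES = [
    ("psexec_remote_exec",       r"psexec(64)?\.exe$",  None),
    ("psexesvc_service",         r"psexesvc\.exe$",     None),        # service PsExec drops on the target
    ("plink_reverse_tunnel",     r"plink\.exe$",        r"\s-R\s"),   # -R forwards a remote port back in
    ("plink_forward_tunnel",     r"plink\.exe$",        r"\s-[LD]\s"),
    ("softperfect_netscan",      r"netscan(64)?\.exe$", None),
    ("teamviewer_remote_access", r"teamviewer\.exe$",   None),
    ("rdp_to_internal_host",     r"mstsc\.exe$",        r"/v:"),
]

# Paths an ordinary user can write to; a tool launched from here is far more
# suspicious than the same tool installed under Program Files (assumed list).
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|windows\\temp|programdata)\\", re.I)

# key=value pairs, with values optionally double-quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_event(line):
    """Turn one key=value log line into a dict."""
    event = {}
    for m in KV_RE.finditer(line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def match_event(event):
    """Return the names of all rules the event matches."""
    image = event.get("image", "").lower()
    cmdline = event.get("cmdline", "")
    hits = []
    for name, image_pat, cmd_pat in RULES:
        if re.search(image_pat, image) and (cmd_pat is None or re.search(cmd_pat, cmdline)):
            hits.append(name)
    return hits


def scan(lines):
    """Scan log lines and return one finding per (event, rule) match."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_event(ev):
            # Same tool, different risk: launched from a user-writable path it is "high".
            severity = "high" if USER_WRITABLE.search(ev.get("image", "")) else "medium"
            findings.append({"host": ev.get("host"), "user": ev.get("user"),
                             "image": ev.get("image"), "rule": rule, "severity": severity})
    return findings


# Constructed sample telemetry (not real logs); hosts, users and addresses are made up.
SAMPLE_LOG = r"""
ts=2019-10-23T09:58:11Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt" parent=C:\Windows\explorer.exe
ts=2019-10-23T10:14:02Z host=WS-042 user=CORP\jdoe image=C:\Users\jdoe\AppData\Local\Temp\plink.exe cmdline="plink.exe -R 3389:127.0.0.1:3389 -pw xx ops@203.0.113.5" parent=C:\Windows\System32\cmd.exe
ts=2019-10-23T10:20:45Z host=WS-042 user=CORP\jdoe image=C:\Users\Public\netscan.exe cmdline="netscan.exe /range:10.20.0.1-10.20.255.254 /auto:hosts.txt" parent=C:\Windows\System32\cmd.exe
ts=2019-10-23T10:31:07Z host=WS-042 user=CORP\jdoe image=C:\Users\Public\PsExec64.exe cmdline="PsExec64.exe \\SRV-ATM-01 -s -d cmd.exe /c ipconfig" parent=C:\Windows\System32\cmd.exe
ts=2019-10-23T10:31:09Z host=SRV-ATM-01 user="NT AUTHORITY\SYSTEM" image=C:\Windows\PSEXESVC.exe cmdline="C:\Windows\PSEXESVC.exe" parent=C:\Windows\System32\services.exe
ts=2019-10-23T11:02:30Z host=WS-017 user=CORP\itops image="C:\Program Files\TeamViewer\TeamViewer.exe" cmdline="TeamViewer.exe" parent=C:\Windows\explorer.exe
ts=2019-10-23T11:15:51Z host=WS-042 user=CORP\jdoe image=C:\Windows\System32\mstsc.exe cmdline="mstsc.exe /v:SRV-CARD-02" parent=C:\Windows\explorer.exe
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.strip().splitlines()):
        print(f"{f['severity']:6} {str(f['host']):<10} {str(f['user']):<22} {f['rule']:<26} {f['image']}")
```

Run on the sample, the script rates the Plink reverse tunnel, the network scan and the PsExec launch from user folders as high, while the PSEXESVC service on the target, the TeamViewer session from Program Files and the RDP connection come out as medium: the same binaries the text names are judged by path and arguments, which is what separates an administrator's routine use from the group's living-off-the-land activity.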

Bogus Email Attachments Deliver a Threatening Payload to the APT Group's Targets

The group's favorite infection vector relies on advanced social engineering: spear-phishing emails are used almost exclusively to bring the payload to the attention of its targets. The messages are tailored to the recipient and either contain a bogus file attachment or refer the user to a malicious file hosted with a third-party data hosting provider.
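As an added illustration of the two delivery styles described above (not code from the page or from any research on the group), the following script triages a constructed message for a risky attachment and for links to file-hosting sites. The extension lists, the hosting-provider patterns, the sample sender and recipient domains and the link path are all assumptions.

```python
"""Triage an inbound e-mail for the two delivery styles the text describes:
a bogus file attachment, or a link to a file kept on a third-party hosting
provider. Added example, not code from the page: the message is constructed,
and the extension and hosting-provider lists are assumed heuristics that a
team would tune to its own environment."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Attachment extensions worth a closer look (assumed; extend for your estate).
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".docm", ".xlsm", ".rtf", ".iso"}
ARCHIVE_EXTENSIONS = {".zip", ".rar", ".7z"}

# Hostnames of common public file-hosting services (assumed list).
SHARING_HOST_PATTERNS = [r"(^|\.)dropbox\.com$", r"^drive\.google\.com$",
                         r"(^|\.)wetransfer\.com$", r"^mega\.nz$"]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def _extension(name):
    """Lower-cased final extension of a file name or URL path, or ''."""
    base = name.rsplit("/", 1)[-1].lower()
    return "." + base.rsplit(".", 1)[-1] if "." in base else ""


def attachment_findings(msg):
    """Flag attachments whose file name ends in a risky or archive extension."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _extension(name)
        if ext in RISKY_EXTENSIONS:
            findings.append(("risky_attachment", name))
        elif ext in ARCHIVE_EXTENSIONS:
            findings.append(("archive_attachment", name))
    return findings


def link_findings(msg):
    """Flag links that point at file-hosting services or directly at a file."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    findings = []
    for url in URL_RE.findall(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if any(re.search(p, host) for p in SHARING_HOST_PATTERNS):
            findings.append(("file_hosting_link", url))
        elif _extension(parsed.path) in RISKY_EXTENSIONS | ARCHIVE_EXTENSIONS:
            findings.append(("direct_file_link", url))
    return findings


def triage(raw_message):
    """Parse a raw RFC 5322 message and return its subject and findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    return {"subject": msg["subject"],
            "findings": attachment_findings(msg) + link_findings(msg)}


# Constructed sample message (not a real phishing e-mail); domains and link are made up.
SAMPLE_EML = b"""\
From: "Payments Desk" <payments@partner-bank.test>
To: treasury@victim-bank.test
Subject: Updated payment confirmation for 23 Oct
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached confirmation, or download the full file here:
https://www.dropbox.com/s/0000000/confirmation_2310.zip?dl=1
Regards
--b1
Content-Type: application/octet-stream; name="confirmation_2310.docm"
Content-Disposition: attachment; filename="confirmation_2310.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

if __name__ == "__main__":
    print(triage(SAMPLE_EML))
```

The sample trips both checks at once, a macro-enabled document attached directly and a link to an archive on a hosting service, which mirrors the two variants the text describes; in a mail gateway the same two functions would feed a quarantine or detonation decision rather than just a printed result.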

The Cobalt Group may be one of the slowest-acting Advanced Persistent Threat groups, because its goal is always to reach critical internal systems that should not be accessible from an ordinary workstation. Once the attackers infiltrate one of the organization's computers, they begin searching for credentials, services, vulnerabilities and open network paths that can be exploited to move further; researchers estimate that the attackers usually need at least two weeks to make their way from the first infected host to their end goal.
