
SpicyOmelette

Posted: October 1, 2018

SpicyOmelette is a backdoor Trojan that is in deployment against entities in the financial sector. Like other backdoor Trojans, SpicyOmelette grants its remote administrators a degree of access to system information and control over the computer, including enabling the installation of other threats. Employees using Internet-connected systems should have anti-malware products available for uninstalling SpicyOmelette and analyze any incoming e-mail attachments with particular care.

Privacy Invasion is What's for Breakfast

Even though the apparent leader of the threat actor group known as 'Cobalt,' which is responsible for the ATM-targeting Carbanak campaign, has been in jail since March of 2018, the rest of the criminal organization has yet to slow the pace of its work. Continuing investigation by the cyber-security industry has pinpointed a new campaign from these criminals, which uses a modus operandi similar to that of Carbanak. Although malware experts can only confirm attacks using SpicyOmelette against financial sector businesses, this backdoor Trojan contains a payload that's suitable for compromising a range of Windows environments.

Instead of using manual, brute-force or RDP-related tactics, SpicyOmelette installs itself through e-mail: the attackers exploit harvested e-mail addresses and hide the Trojan as an attachment. The employee opens a file that's a disguised Trojan dropper for SpicyOmelette, with several layers of identity obfuscation. The attack includes redirecting the victim to a compromised Amazon Web Services domain, using a hijacked, formerly-legitimate digital certificate, and dropping multiple files, including a valid Microsoft utility, along with the fake TXT (Notepad text) file for SpicyOmelette.
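The delivery chain above hinges on a JavaScript-based dropper posing as a harmless text file. The following attachment triage check is an added example for mail-gateway or SOC tooling, not code from the original post or from any analysis of the actual sample; it assumes the disguise takes the form of a script extension hidden behind a .txt name, or of script constructs inside a file named .txt, and the attachment samples are constructed for the demonstration.

```python
import re
from typing import NamedTuple

# Extensions that Windows hands to the script host or mshta and executes directly.
SCRIPT_EXTENSIONS = {"js", "jse", "wsf", "wsh", "vbs", "vbe", "hta"}

# Constructed (name, first bytes) samples for the demo; not real SpicyOmelette artefacts.
SAMPLE_ATTACHMENTS = [
    ("invoice_2018-09.txt", b"Dear customer,\r\nplease find the invoice ..."),
    ("invoice_2018-09.txt.js", b"var s = new ActiveXObject('WScript.Shell');"),
    ("readme.txt", b"function run(){ var sh = WScript.CreateObject('WScript.Shell'); }"),
    ("statement.pdf", b"%PDF-1.4"),
]

# Constructs that only make sense in a Windows Script Host payload, never in a memo.
JS_MARKERS = re.compile(rb"\b(ActiveXObject|WScript|eval\s*\(|function\s*\w*\s*\()")


class Verdict(NamedTuple):
    name: str
    suspicious: bool
    reason: str


def triage_attachment(name: str, head: bytes) -> Verdict:
    """Flag an attachment whose name or leading bytes betray a script dropper."""
    parts = name.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    # Case 1: "document.txt.js", a script extension tucked behind a benign-looking one.
    if ext in SCRIPT_EXTENSIONS and len(parts) > 2:
        return Verdict(name, True, f"script extension .{ext} behind a .{parts[-2]} name")
    if ext in SCRIPT_EXTENSIONS:
        return Verdict(name, True, f"script attachment (.{ext})")
    # Case 2: the name claims plain text, but the content carries script constructs.
    if ext == "txt" and JS_MARKERS.search(head):
        return Verdict(name, True, "text file contains JavaScript/WSH constructs")
    return Verdict(name, False, "no script indicators")


def triage_all(attachments=SAMPLE_ATTACHMENTS):
    """Run the check over every (name, head) pair and return the verdicts in order."""
    return [triage_attachment(n, h) for n, h in attachments]


if __name__ == "__main__":
    for v in triage_all():
        print(f"{'SUSPICIOUS' if v.suspicious else 'ok        '} {v.name}: {v.reason}")
```

Only the first few hundred bytes of each attachment are needed, so the check is cheap enough to run inline on every inbound message before the file reaches a mailbox.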

Beyond these false leads, malware analysts find few unusual characteristics in SpicyOmelette's payload, which adheres to the expected norms for any backdoor Trojan that attacks banks, ATM networks, and similar financial organizations. Some of its main features include:

  • SpicyOmelette can upload general system statistics to the threat actor's C&C server to assist with configuring future attacks. SpicyOmelette transfers the IP address, as well as a complete list of any running software.
  • SpicyOmelette may, like many backdoor Trojans, also operate as a Trojan downloader by downloading and installing other threats. Usually, these secondary payloads consist of more specialized software than SpicyOmelette, such as spyware that's specific to exfiltrating data from ATM networks.
  • SpicyOmelette also includes anti-anti-virus features that target just under thirty popular AV products for disabling.

Soothing the Burn of Cobalt's SpicyOmelette Campaign

Until the rest of the Cobalt APT (Advanced Persistent Threat) group is behind bars, SpicyOmelette will be an ongoing hazard for most companies that operate in the financial sector. Although targeted e-mail messages are the predominant means of exposure to SpicyOmelette, malware experts can't rule out other attack techniques, such as RDP and brute-force attempts at compromising networks. Employees should keep themselves informed on all relevant e-mail tactics, such as fake invoices and other documents whose subject lines or bodies may include target-specific content.

The additional layers of identity concealment in SpicyOmelette's delivery methods also make it particularly important for any potential victims to keep the databases of their anti-malware tools up-to-date. The certificate that SpicyOmelette uses to hide its dropping mechanism hasn't been revoked, and malware experts' last reports classify the AWS website as still live. Besides being JavaScript-based, SpicyOmelette doesn't have many dependencies. Users should delegate uninstalling SpicyOmelette to a dedicated anti-malware program if one is available for the device in question.

While Europol continues playing catch-up to Cobalt, SpicyOmelette is evidence of the daily requirement for good e-mail security practices. However, even if the rest of Cobalt follows the fate of its leader, other backdoor Trojans will be sure to take up SpicyOmelette's mantle.
