Cyber Incident Victim: Patria Bank

Date: Aug 2018

Location: Romania

Summary

Patria Bank in Romania was targeted alongside a Russian financial institution in a spear-phishing campaign by the financially motivated Cobalt Group (TEMP.Metastrike), which posed as trusted financial partners to deliver malware. The attackers distributed weaponized Word documents containing obfuscated VBA scripts and binaries disguised as image files, deploying JavaScript backdoors and CobInt/COOLPANTS reconnaissance tools that established persistence via registry keys, leveraged regsvr32.exe for execution, and communicated with command-and-control infrastructure like rietumu[.]me using RC4-encrypted traffic. The group, historically linked to SWIFT system breaches and ATM malware operations, employed techniques to bypass Windows defenses, aiming to compromise financial networks for monetary gain.

CIA Posture: Available to members

Motives: 1 motive

Tactics, Techniques & Procedures: 1 technique

Threat Actor: 1 actor

Type: Available to members

Location: Available to members

Description

On August 13, 2018, ASERT observed the financially motivated Cobalt Group (also tracked as TEMP.Metastrike) initiating a campaign targeting financial institutions in Eastern Europe and Russia, including Romania’s Banca Comercială Carpatica / Patria Bank. The attackers employed spear-phishing emails masquerading as communications from trusted financial vendors or partners to increase credibility. Two malicious URLs were embedded within these emails: one delivered a weaponized Microsoft Word document containing obfuscated VBA scripts, while the other distributed a binary file disguised with a .jpg extension. The Word document executed an INF file via cmstp.exe, a legitimate Microsoft utility, to download and deploy a JavaScript-based backdoor known as "more_eggs." The binary, when executed, unpacked itself in memory and established communication with a command-and-control (C2) server linked to the Cobalt Group. This infrastructure included domains such as rietumu[.]me and aplstore[.]info, which had been previously associated with the group’s operations.

The malware deployed in this campaign exhibited functionality consistent with earlier Cobalt Group tools. The JavaScript backdoor used registry keys for persistence, executed via regsvr32.exe, and encrypted exfiltrated data using the RC4 algorithm. A second payload, identified as CobInt or COOLPANTS, acted as a reconnaissance backdoor, collecting system information and facilitating further attacker access. Phishing lures mimicked legitimate payment platforms like Interkassa to deceive targets. While the exact financial impact on Patria Bank was not quantified in available reporting, the group’s historical attacks on SWIFT banking networks had previously caused millions in losses. ASERT documented the campaign’s infrastructure and tactics, including the use of IP-based C2 servers and samples matching the group’s known toolset. The incident underscored the group’s continued focus on financial sector intrusion through socially engineered email compromises and evasion of Windows security mechanisms.

Sources: 1 source (available to members)