
Cyber Incident Victim: NS Bank

Date: Aug 2018

Location: Russia

Summary

The financially motivated Cobalt Group targeted NS Bank and other Eastern European financial institutions through spear phishing campaigns that impersonated trusted financial partners and delivered malicious documents and binaries. The attackers used weaponized Word documents with obfuscated macros, and executables disguised as image files, to deploy the CobInt/COOLPANTS reconnaissance backdoor and the JavaScript backdoor "more_eggs", establishing persistence through registry keys and encrypting C2 traffic. Both delivery paths abused signed Windows binaries (cmstp.exe and regsvr32.exe) to run attacker code, giving the group unauthorized system access and a channel for data exfiltration. Supporting infrastructure, including the domain rietumu[.]me, was linked to previous Cobalt Group operations against financial networks.


Description

On August 13, 2018, the financially motivated Cobalt Group (also tracked as TEMP.Metastrike) began a spear phishing campaign against financial institutions in Eastern Europe and Russia, including Russia's NS Bank and Romania's Banca Comercială Carpatica (Patria Bank). The phishing emails impersonated trusted financial vendors or partners to increase credibility and carried malicious URLs that distributed two primary payloads: a weaponized Microsoft Word document with obfuscated VBA macros, and a binary delivered under a .jpg extension. The Word document's macro wrote an INF file and passed it to cmstp.exe, the signed Microsoft Connection Manager profile installer, which is widely abused as an execution proxy because commands placed in an attacker-controlled INF run under a trusted Microsoft-signed process; cmstp.exe then downloaded and launched a JavaScript backdoor named "more_eggs". The second payload, an executable masquerading as a JPEG image, unpacked itself in memory on execution and opened a connection to a command-and-control (C2) server. Both payloads shared infrastructure with prior Cobalt Group operations, including the domains rietumu[.]me and aplstore[.]info.


The malware deployed in this campaign shared functional similarities with earlier Cobalt Group tools. The JavaScript backdoor persisted through a Windows registry key whose command invoked regsvr32.exe, another signed system binary, and it encrypted the data it sent to its C2 server with the RC4 stream cipher. The second payload, identified as CobInt or COOLPANTS, acted as a reconnaissance backdoor that collected system information and relayed it to the same C2 infrastructure. The phishing lures mimicked legitimate payment systems such as Interkassa to deceive targets. The source did not specify the financial impact on NS Bank, though the group's earlier attacks on SWIFT-connected banking systems had caused losses in the millions. ASERT researchers attributed the campaign to Cobalt Group on the basis of infrastructure reuse, malware code overlap, and targeting consistent with the group's focus on the financial sector since at least 2016. The source material describes no exploited software vulnerability: the "bypass of Windows defenses" it refers to is the use of signed system binaries (cmstp.exe, regsvr32.exe) to run attacker code from a user-opened document, and no further detection evasion techniques were detailed.
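As an added example (not code from this page's source or from ASERT), the following Python routine shows detection logic for the two Windows-native execution paths described above: cmstp.exe launched from an Office process to run an INF file (the delivery chain in the first paragraph of the Description) and regsvr32.exe driven from a registry Run key (the persistence mechanism in the second paragraph). The JSON-lines event schema, host names, file paths and command lines are constructed for this example; only the binary names and the autostart registry locations come from the page and from public Windows documentation.

```python
"""
Detection rules for the cmstp.exe / regsvr32.exe living-off-the-land chain
described on this page, run over JSON-lines process and registry telemetry.
All sample events below are constructed for the example; they are not logs
from the NS Bank incident.
"""
import json
from dataclasses import dataclass
from typing import Iterable

# Office processes that should never be the parent of cmstp.exe.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Autostart registry locations checked for regsvr32-based persistence
# (lower-cased substrings matched against the key path).
RUN_KEY_MARKERS = (
    r"\software\microsoft\windows\currentversion\run",
    r"\software\microsoft\windows\currentversion\runonce",
)


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_event(ev: dict) -> list[Alert]:
    """Apply every rule to one parsed event and return the alerts it raises."""
    alerts: list[Alert] = []
    host = ev.get("host", "unknown")
    kind = ev.get("event")

    if kind == "process_create":
        image = _basename(ev.get("image", ""))
        parent = _basename(ev.get("parent_image", ""))
        cmdline = ev.get("cmdline", "").lower()

        # Rule 1: cmstp.exe started by an Office application. cmstp.exe installs
        # Connection Manager profiles from an INF file; a document-driven launch
        # is the INF/cmstp proxy-execution chain this page describes.
        if image == "cmstp.exe" and parent in OFFICE_PARENTS:
            alerts.append(Alert("office_spawns_cmstp", host, cmdline))
        # Rule 2: cmstp.exe fed an INF from a user-writable location. Legitimate
        # profile installs can look like this too, so treat it as lower severity.
        elif image == "cmstp.exe" and ".inf" in cmdline and (
            "\\users\\" in cmdline or "\\temp\\" in cmdline or "\\appdata\\" in cmdline
        ):
            alerts.append(Alert("cmstp_user_inf", host, cmdline))

        # Rule 3: regsvr32.exe asked to load a scriptlet (scrobj.dll / .sct) or a
        # URL instead of registering a local COM DLL.
        if image == "regsvr32.exe" and (
            "scrobj.dll" in cmdline or ".sct" in cmdline or "http" in cmdline
        ):
            alerts.append(Alert("regsvr32_scriptlet", host, cmdline))

    elif kind == "registry_set":
        key = ev.get("key", "").lower()
        value = ev.get("value", "").lower()
        # Rule 4: an autostart entry whose command runs regsvr32.exe, the
        # persistence pattern attributed to the JavaScript backdoor above.
        if any(marker in key for marker in RUN_KEY_MARKERS) and "regsvr32" in value:
            alerts.append(Alert("run_key_regsvr32", host, f"{key} = {value}"))

    return alerts


def scan(lines: Iterable[str]) -> list[Alert]:
    """Parse JSON-lines telemetry and return all alerts; malformed lines are skipped."""
    alerts: list[Alert] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # one bad record must not stop the scan
        alerts.extend(check_event(ev))
    return alerts


# Constructed sample telemetry for this example (not logs from the incident).
SAMPLE_EVENTS = [
    {"event": "process_create", "host": "ws01", "image": r"C:\Windows\System32\cmstp.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r"cmstp.exe /s /ni C:\Users\alice\AppData\Local\Temp\invoice.inf"},
    {"event": "process_create", "host": "ws01", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:C:\Users\alice\AppData\Roaming\update.txt scrobj.dll"},
    {"event": "registry_set", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate",
     "value": r"regsvr32.exe /s /n /u /i:C:\Users\alice\AppData\Roaming\update.txt scrobj.dll"},
    # Benign: an installer registering a real COM DLL.
    {"event": "process_create", "host": "ws02", "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Program Files\Vendor\setup.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\vendor.dll"},
    # Benign: a user installing a VPN profile from an IT file share.
    {"event": "process_create", "host": "ws02", "image": r"C:\Windows\System32\cmstp.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"cmstp.exe \\fileserver\it\corpvpn.inf"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS) + "\n{not json}\n"

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"[{a.rule}] {a.host}: {a.detail}")
```

Run against the constructed sample, the three malicious events on ws01 each raise one alert and the two benign events on ws02 raise none. Rule 1 is the high-confidence signal; rules 2 and 3 are the tuning points, since cmstp.exe is legitimately used for profile installs and regsvr32.exe for COM registration, and the path and argument filters are where an environment's own baseline goes.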
