Cyber Incident Victim: Cobalt Group
Date: Aug 2018
Location: Russia
Summary
The financially motivated Cobalt Group, also known as TEMP.Metastrike, conducted spear phishing campaigns against financial institutions in Eastern Europe and Russia, masquerading as trusted financial partners or vendors to deliver malware. The attacks used weaponized documents and binaries to deploy the reconnaissance backdoor CobInt/COOLPANTS and the JavaScript backdoor 'more_eggs', which persisted via registry keys, RC4-encrypted its command-and-control traffic, and contacted infrastructure including rietumu[.]me. The delivery chain abused signed Windows binaries (cmstp.exe and regsvr32.exe) rather than dropping conventional executables, which let it slip past application controls. Cobalt Group's earlier campaigns using the same tooling enabled ATM fraud and SWIFT network breaches that caused significant financial losses for the affected organizations.
Description
The financially motivated threat actor known as Cobalt Group (also tracked as TEMP.Metastrike) launched a new campaign, first observed by researchers on August 13, 2018, targeting financial institutions primarily in Eastern Europe and Russia. The group, active since at least late 2016, had previously been linked to attacks in dozens of countries, with a focus on financial organizations, including ATM malware deployments and intrusions against the SWIFT banking system that caused millions of dollars in damages. The August campaign used spear phishing emails crafted to look like legitimate communications from financial vendors or partners, relying on social engineering to raise the infection rate. Identified phishing targets included Russia's NS Bank and Romania's Banca Comercială Carpatica/Patria Bank. The emails carried malicious URLs that delivered two primary payloads: a weaponized Microsoft Word document embedding obfuscated VBA macros, and an executable disguised with a .jpg extension. Analysis confirmed that the payloads communicated with two distinct command-and-control (C2) servers attributed to Cobalt Group infrastructure.

The malicious Word document ran an attack chain in which cmstp.exe, a signed Microsoft binary that will execute commands embedded in an attacker-supplied INF file, loaded a malicious INF that in turn downloaded the JavaScript backdoor dubbed "more_eggs." Because cmstp.exe is a trusted system binary, this technique is a well-known way to bypass application-whitelisting controls. The backdoor overlapped functionally with prior Cobalt Group malware: persistence through registry keys, execution via regsvr32.exe (another signed Microsoft binary commonly abused to run script content), and RC4 encryption of its C2 traffic. Note that RC4 here serves as obfuscation rather than strong cryptography; its practical effect is that network inspection sees no plaintext, so detection has to lean on host-side indicators such as the process chain and registry activity. The second payload, the executable masquerading as a JPEG file, unpacked itself in memory and connected to IP-based C2 infrastructure. Additional samples included CobInt/COOLPANTS, a reconnaissance backdoor whose capabilities match earlier Cobalt Group tools and which communicated with domains such as rietumu[.]me. Phishing lures impersonated payment platforms like Interkassa to add credibility. Infrastructure tied to the campaign included the domains aplstore[.]info and rietumu[.]me, alongside the IP-based C2 servers. While the financial impact of this specific campaign is not quantified in the available reporting, Cobalt Group's historical operations against SWIFT systems caused multimillion-dollar losses for earlier victims.
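The behaviours in the chain above (an Office process spawning cmstp.exe with an INF, regsvr32.exe running script content, a Run-key value pointing at a living-off-the-land binary, and DNS lookups of the reported C2 domains) map onto simple host-telemetry detections. The following Python is an added example, not code from the original report or from any vendor: it runs those checks over constructed Sysmon-style events. The event field names, the file paths, the "more_eggs.txt" filename and the exact command lines are assumptions made for illustration; only the two domains come from the reporting.

```python
"""Host-side detections for the Cobalt Group delivery chain, run over
constructed Sysmon-style events. Added example: events and paths are invented."""
import re

# Defanged C2 domains from the reporting, refanged for matching.
C2_DOMAINS = {d.replace("[.]", ".") for d in ("rietumu[.]me", "aplstore[.]info")}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = ("regsvr32", "cmstp", "rundll32", "mshta", "wscript", "cscript")

# Constructed sample events (assumption: field names loosely follow Sysmon).
EVENTS = [
    {"type": "process", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\u\AppData\Local\Temp\install.inf"},
    {"type": "process", "parent": r"C:\Windows\System32\cmstp.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:C:\Users\u\AppData\Roaming\more_eggs.txt scrobj.dll"},
    {"type": "registry", "image": r"C:\Windows\System32\regsvr32.exe",
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\msupdate",
     "details": r"regsvr32.exe /s /n /u /i:C:\Users\u\AppData\Roaming\more_eggs.txt scrobj.dll"},
    {"type": "dns", "image": r"C:\Windows\System32\regsvr32.exe", "query": "rietumu.me"},
    # Benign noise: a normal document open, a vendor COM registration, ordinary DNS.
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n C:\Users\u\Documents\report.docx'},
    {"type": "process", "parent": r"C:\Windows\System32\msiexec.exe",
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"'},
    {"type": "dns", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "query": "example.org"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def rule_cmstp_inf(ev):
    """cmstp.exe launched with an .inf argument; higher severity when Office is the parent."""
    if ev["type"] != "process" or basename(ev["image"]) != "cmstp.exe":
        return None
    if not re.search(r"\.inf\b", ev["cmdline"], re.I):
        return None
    severity = "high" if basename(ev["parent"]) in OFFICE_PARENTS else "medium"
    return ("cmstp_inf_execution", severity)


def rule_regsvr32_scriptlet(ev):
    """regsvr32.exe loading scrobj.dll or pointed via /i: at a URL or non-DLL file."""
    if ev["type"] != "process" or basename(ev["image"]) != "regsvr32.exe":
        return None
    cl = ev["cmdline"].lower()
    if "scrobj.dll" in cl or re.search(r"/i:\s*(https?:|[^ ]+\.(txt|sct|jpg|png)\b)", cl):
        return ("regsvr32_scriptlet_execution", "high")
    return None


def rule_run_key_lolbin(ev):
    """Run-key persistence whose value data launches a living-off-the-land binary."""
    if ev["type"] != "registry" or r"\currentversion\run" not in ev["target"].lower():
        return None
    if any(b in ev["details"].lower() for b in LOLBINS):
        return ("run_key_lolbin_persistence", "high")
    return None


def rule_c2_domain(ev):
    """DNS query for a reported C2 domain or any subdomain of it."""
    if ev["type"] != "dns":
        return None
    q = ev["query"].lower().rstrip(".")
    if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
        return ("known_cobalt_c2_domain", "critical")
    return None


RULES = (rule_cmstp_inf, rule_regsvr32_scriptlet, rule_run_key_lolbin, rule_c2_domain)


def run_detections(events):
    """Return (event_index, rule_name, severity) for every rule that fires."""
    alerts = []
    for i, ev in enumerate(events):
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((i, *hit))
    return alerts


if __name__ == "__main__":
    for idx, name, sev in run_detections(EVENTS):
        print(f"event {idx}: {name} [{sev}]")
```

The four malicious events each trigger exactly one rule and the three benign ones trigger none; the process-chain rules are the ones worth keeping even after the domains rotate, since cmstp.exe with an INF under an Office parent and regsvr32.exe loading scrobj.dll have almost no legitimate use on a workstation.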
