Cyber Incident Victim: TEMP.Metastrike
Date: Aug 2018
Location: Russia
Summary
The financially motivated TEMP.Metastrike group targets financial organizations through spear phishing campaigns that masquerade as trusted financial partners or vendors, focusing primarily on institutions in Eastern Europe and Russia. Their attacks deliver weaponized documents and binaries, including obfuscated VBA scripts, JavaScript backdoors that rely on registry persistence and RC4-encrypted traffic, and reconnaissance malware such as CobInt/COOLPANTS that connects to C2 infrastructure such as rietumu[.]me. The group has compromised entities including a Russian bank and a Romanian financial institution, deploying tools designed to bypass Windows defenses and supporting ATM malware operations alongside attacks on banking payment systems that have resulted in significant financial losses.
Description
The financially motivated threat group known as TEMP.Metastrike (also identified as Cobalt Group) conducted a spear phishing campaign targeting financial institutions in Eastern Europe and Russia, first observed by researchers on August 13, 2018. The group, active since at least late 2016, has historically targeted banks and financial organizations with ATM malware and attacks on the SWIFT banking system, causing millions in damages. The August 2018 campaign used emails masquerading as communications from legitimate financial vendors or partners to increase credibility. Specific phishing targets included NS Bank in Russia and Banca Comercială Carpatica/Patria Bank in Romania. The attack emails contained malicious URLs distributing two primary payloads: a weaponized Microsoft Word document with obfuscated VBA macros, and a binary disguised with a .jpg extension. The Word document executed an INF file that launched cmstp.exe to deploy a JavaScript backdoor named "more_eggs," while the fake JPEG unpacked its malicious content directly in memory before establishing command-and-control connectivity.

The malware employed in this campaign shared technical overlaps with previous TEMP.Metastrike operations. The JavaScript backdoor used Windows registry keys for persistence, executed via regsvr32.exe, and encrypted exfiltrated data using the RC4 algorithm. A separate reconnaissance backdoor, identified as CobInt or COOLPANTS, exhibited functionality consistent with earlier samples attributed to the group. Both components communicated with dedicated command-and-control infrastructure, including the domain rietumu[.]me and an IP-based server. Additional infrastructure domains like aplstore[.]info were linked to the campaign. Phishing lures impersonated payment platforms such as Interkassa to deliver these payloads. The group exploited Windows defense bypass techniques, though specific vulnerabilities were not detailed in reporting. Financial losses from prior SWIFT system attacks were noted, but direct financial impacts from this specific campaign remained unquantified in available sources. Security researchers documented the infrastructure and tools to facilitate detection but did not describe victim containment or remediation actions.
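The Office document -> INF -> cmstp.exe -> regsvr32.exe execution chain described above is visible in process-creation telemetry. The following is an added detection example (not from the original report or any vendor tool) that classifies constructed Sysmon-style process events; the parent/child and command-line heuristics are assumptions chosen for this chain, not rules the report states.

```python
"""Flag process-creation events matching the cmstp.exe / regsvr32.exe chain."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Office hosts that should never need to launch cmstp.exe (assumed list)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


@dataclass(frozen=True)
class ProcEvent:
    image: str     # full path of the created process
    cmdline: str   # its command line
    parent: str    # full path of the parent process


def _basename(path: str) -> str:
    return path.replace("/", "\\").lower().rsplit("\\", 1)[-1]


def classify(ev: ProcEvent) -> Optional[str]:
    img, parent, cmd = _basename(ev.image), _basename(ev.parent), ev.cmdline.lower()
    # Document -> INF -> cmstp.exe: an Office host handing cmstp.exe an .inf file
    if img == "cmstp.exe" and ".inf" in cmd and parent in OFFICE_PARENTS:
        return "office_spawned_cmstp_inf"
    # regsvr32.exe used to run the backdoor: spawned by cmstp.exe, pointed at a
    # URL, or given an argument that is not a DLL (heuristic, assumed)
    if img == "regsvr32.exe" and (parent == "cmstp.exe" or "http" in cmd or ".dll" not in cmd):
        return "suspicious_regsvr32"
    return None


def scan(events: List[ProcEvent]) -> List[Tuple[str, ProcEvent]]:
    """Return (label, event) pairs for every event that matches a rule."""
    return [(label, ev) for ev in events if (label := classify(ev))]


# Constructed sample telemetry: two benign events and two from the described chain
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmstp.exe", "cmstp.exe /s vpn.inf",
              r"C:\Windows\explorer.exe"),                                   # benign admin use
    ProcEvent(r"C:\Windows\System32\cmstp.exe", r"cmstp.exe /ni /s C:\Users\u\AppData\Local\Temp\doc.inf",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),  # chain step 1
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s /n /u /i:C:\Users\u\AppData\Roaming\x.txt scrobj.dll",
              r"C:\Windows\System32\cmstp.exe"),                             # chain step 2
    ProcEvent(r"C:\Windows\System32\regsvr32.exe", r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll",
              r"C:\Windows\System32\msiexec.exe"),                           # benign installer
]


def sample_findings() -> List[str]:
    return [label for label, _ in scan(SAMPLE_EVENTS)]
```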
