Cyber Incident Victim: Banca Comercială Carpatica SA
Date: Aug 2018
Location: Romania
Summary
A financially motivated threat actor known as Cobalt Group targeted a Romanian financial institution through a spear-phishing campaign masquerading as trusted financial partners. The attack involved emails containing malicious URLs that delivered weaponized documents and disguised binaries, leading to the deployment of JavaScript backdoors and reconnaissance malware. These tools established persistence via registry keys, utilized encrypted communication channels, and connected to command-and-control infrastructure associated with the group. The malware functionality aligned with previous campaigns linked to the actor, which historically focused on financial theft and ATM compromise.
Description
On August 13, 2018, the financially motivated threat group Cobalt Group (also tracked as TEMP.Metastrike) initiated a campaign targeting financial institutions in Eastern Europe and Russia, including Romania’s Banca Comercială Carpatica (later rebranded as Patria Bank). The attackers employed spear phishing emails masquerading as communications from trusted financial vendors or partners to increase credibility. These emails contained malicious URLs directing recipients to two primary payloads: a weaponized Microsoft Word document embedded with obfuscated VBA scripts and a binary file disguised with a .jpg extension. The Word document leveraged cmstp.exe (a legitimate Microsoft utility) via an INF file to download and execute a JavaScript-based backdoor identified as "more_eggs." The second URL delivered an executable file that unpacked in memory upon execution, establishing communication with a command-and-control (C2) server. The campaign specifically targeted Banca Comercială Carpatica and Russia’s NS Bank, aligning with Cobalt Group’s historical focus on financial entities and SWIFT-related attacks.

Analysis of the malware revealed consistent tradecraft with prior Cobalt Group operations. The JavaScript backdoor utilized registry keys for persistence, executed via regsvr32.exe, and encrypted exfiltrated data using RC4. A second payload, identified as CobInt or COOLPANTS, functioned as a reconnaissance backdoor connecting to C2 infrastructure including the domain rietumu[.]me. Phishing lures impersonated payment platforms such as Interkassa to deliver these malicious components. Infrastructure tied to the campaign included domains aplstore[.]info and rietumu[.]me, both previously associated with Cobalt Group activities. While the article did not specify financial losses or operational disruptions at Banca Comercială Carpatica, the group’s prior attacks on SWIFT systems had caused millions in damages elsewhere. The incident underscored the group’s continued evolution in bypassing Windows defenses and leveraging social engineering to compromise financial networks.
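A defender-side triage check for the behaviours described in this record, as an added example that is not part of the original write-up: it flags an Office process driving cmstp.exe with an .inf argument, regsvr32.exe loading from a user-writable path, and any contact with the two domains named above. The event field names, the Office parent list and the sample events are assumptions constructed for illustration.

```python
import re

# Domains named in the incident description (defanged on the page), used as a blocklist.
KNOWN_C2_DOMAINS = {"aplstore.info", "rietumu.me"}
# Assumed parent images for the weaponized-document stage (the report names a Word document).
OFFICE_APPS = ("winword.exe", "excel.exe")
# Paths a signed system binary should rarely load payloads from.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public)\\", re.IGNORECASE)


def classify(event: dict) -> list:
    """Return the names of the rules a single process/network event triggers."""
    hits = []
    image = event.get("image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("parent", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmdline", "")
    # 1. Office document driving cmstp.exe with an INF file (download-and-execute stage).
    if image == "cmstp.exe" and ".inf" in cmd.lower() and parent in OFFICE_APPS:
        hits.append("office_spawns_cmstp_inf")
    # 2. regsvr32.exe pointed at a user-writable location (backdoor execution/persistence).
    if image == "regsvr32.exe" and USER_WRITABLE.search(cmd):
        hits.append("regsvr32_user_writable_path")
    # 3. Any resolution of, or connection to, the C2 domains listed in the report.
    dest = event.get("dest_host", "").lower()
    if dest in KNOWN_C2_DOMAINS or any(dest.endswith("." + d) for d in KNOWN_C2_DOMAINS):
        hits.append("known_c2_domain")
    return hits


def scan(events):
    """Run classify() over a batch and return (event index, rule name) pairs."""
    return [(i, h) for i, e in enumerate(events) for h in classify(e)]


# Constructed sample events (Sysmon-style fields); not real telemetry from the incident.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmstp.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmstp.exe C:\ProgramData\CM\vpn.inf"},                      # benign admin use
    {"image": r"C:\Windows\System32\cmstp.exe", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": r"cmstp.exe C:\Users\alice\AppData\Local\Temp\profile.inf"},
    {"image": r"C:\Windows\System32\regsvr32.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\alice\AppData\Local\Temp\module.dll"},
    {"image": r"C:\Windows\System32\rundll32.exe", "dest_host": "rietumu.me"},
    {"image": r"C:\Program Files\Browser\browser.exe", "dest_host": "example.com"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Tune the path and parent lists to the estate being monitored; the domain rule is only as good as the indicator list it is fed.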
