Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions. The group has conducted intrusions to steal money by targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to compromise organizations in order to use that access to then compromise additional victims. [1][2][3][4][5][6][7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak. [8]

ID: G0080
Version: 1.1

Associated Group Descriptions

Name | Description
Cobalt Gang | [1][9][11]
Cobalt Spider | [11]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1088 | Bypass User Account Control | Cobalt Group has bypassed UAC. [4]
Enterprise | T1191 | CMSTP | Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script. [1][9][10]
Enterprise | T1059 | Command-Line Interface | Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. [9]
Enterprise | T1173 | Dynamic Data Exchange | Cobalt Group has sent malicious Word OLE compound documents to victims. [1]
Enterprise | T1203 | Exploitation for Client Execution | Cobalt Group has exploited multiple vulnerabilities for execution, including Microsoft's Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759. [1][2][3][5][6][7][11][12]
Enterprise | T1068 | Exploitation for Privilege Escalation | Cobalt Group has used exploits to increase their levels of rights and privileges. [4]
Enterprise | T1107 | File Deletion | Cobalt Group deleted the DLL dropper from the victim's machine to cover their tracks. [1]
Enterprise | T1037 | Logon Scripts | Cobalt Group has added persistence by registering the file name for the next-stage malware under UserInitMprLogonScript. [9]
Enterprise | T1046 | Network Service Scanning | Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning. [2][3][4]
Enterprise | T1050 | New Service | Cobalt Group has created new services to establish persistence. [4]
Enterprise | T1027 | Obfuscated Files or Information | Cobalt Group obfuscated several scriptlets and code used on the victim's machine, including through use of XOR and RC4. [1][9]
Enterprise | T1086 | PowerShell | Cobalt Group has used powershell.exe to download and execute scripts. [1][2][3][4][7][12]
Enterprise | T1055 | Process Injection | Cobalt Group has injected code into trusted processes. [4]
Enterprise | T1108 | Redundant Access | Cobalt Group has used TeamViewer to preserve remote access in case control using the Cobalt Strike module was lost. [4]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike. [4]
Enterprise | T1117 | Regsvr32 | Cobalt Group has used regsvr32.exe to execute scripts. [1][9][12]
Enterprise | T1219 | Remote Access Tools | Cobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access. [2][3][4]
Enterprise | T1076 | Remote Desktop Protocol | Cobalt Group has used Remote Desktop Protocol to conduct lateral movement. [4]
Enterprise | T1105 | Remote File Copy | Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. The group's JavaScript backdoor is also capable of downloading files. [2][3][9]
Enterprise | T1053 | Scheduled Task | Cobalt Group has created Windows tasks to establish persistence. [4]
Enterprise | T1064 | Scripting | Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that run upon user execution, and has executed JavaScript scriptlets on the victim's machine. The group has also used an exploit toolkit known as Threadkit that launches .bat files. [1][2][4][9][10][12]
Enterprise | T1063 | Security Software Discovery | Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine. [9]
Enterprise | T1218 | Signed Binary Proxy Execution | Cobalt Group has used odbcconf to proxy the execution of malicious DLL files. [12]
Enterprise | T1193 | Spearphishing Attachment | Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password-protected archives containing .exe and .scr executables. [1][2][3][4][5][6][10][12]
Enterprise | T1192 | Spearphishing Link | Cobalt Group has sent emails with URLs pointing to malicious documents. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Cobalt Group has used HTTPS and DNS tunneling for C2. The group has also used the Plink utility to create SSH tunnels. [1][3][4]
Enterprise | T1032 | Standard Cryptographic Protocol | Cobalt Group has used the Plink utility to create SSH tunnels. [4]
Enterprise | T1204 | User Execution | Cobalt Group has sent emails containing malicious attachments or links that require users to execute a file or macro to infect the victim machine. [1][10]
Enterprise | T1220 | XSL Script Processing | Cobalt Group used msxsl.exe to bypass AppLocker and to invoke JScript code from an XSL file. [1]
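The CMSTP, XSL Script Processing, Signed Binary Proxy Execution and Logon Scripts rows above describe living-off-the-land patterns that are easy to express as host-telemetry checks. The following Python sketch is an added example, not code from the ATT&CK page or from any Cobalt Group tooling: it runs those four checks over a constructed batch of process-creation and registry-set events (the event field names, file paths and SID are assumptions shaped like Sysmon records, not real telemetry).

```python
import re

# Constructed sample events (not real telemetry) in the shape of Sysmon
# process-creation and registry-value-set records; paths and SID are made up.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt"},
    {"type": "process", "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s C:\Windows\System32\ras\corpvpn.inf"},  # legitimate-looking
    {"type": "process", "image": r"C:\Tools\msxsl.exe",
     "cmdline": r"msxsl.exe data.xml transform.xsl"},
    {"type": "process", "image": r"C:\Windows\System32\odbcconf.exe",
     "cmdline": r"odbcconf.exe /a {regsvr C:\Users\Public\stage2.dll}"},
    {"type": "registry",
     "key": r"HKU\S-1-5-21-0000000000-0000000000-0000000000-1001\Environment\UserInitMprLogonScript",
     "value": r"C:\Users\Public\next.exe"},
]

# Locations an unprivileged user can write to; a CMSTP profile or a DLL
# loaded from here deserves a look even though the host binary is signed.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)

def _has_switch(cmdline, switch):
    """True if the literal switch (e.g. '/s') appears as its own token."""
    return re.search(r"(?i)(^|\s)" + re.escape(switch) + r"(\s|$)", cmdline) is not None

def detect(event):
    """Return (technique_id, reason) hits for one event; empty list if clean."""
    hits = []
    if event["type"] == "process":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        cmd = event["cmdline"]
        if image == "cmstp.exe" and _has_switch(cmd, "/s"):
            profile = cmd.split()[-1]  # last token is the profile being installed
            if USER_WRITABLE.search(profile) or not profile.lower().endswith(".inf"):
                hits.append(("T1191", "silent cmstp.exe install of a profile from an unusual path"))
        elif image == "msxsl.exe":
            hits.append(("T1220", "msxsl.exe run: XSL script processing on an endpoint"))
        elif image == "odbcconf.exe" and "regsvr" in cmd.lower() and USER_WRITABLE.search(cmd):
            hits.append(("T1218", "odbcconf.exe registering a DLL from a user-writable path"))
    elif event["type"] == "registry":
        if event["key"].lower().endswith("\\environment\\userinitmprlogonscript"):
            hits.append(("T1037", "UserInitMprLogonScript set: logon-script persistence"))
    return hits

def scan(events):
    """Run every event through detect() and return (index, technique_id) pairs."""
    return [(i, tid) for i, ev in enumerate(events) for tid, _ in detect(ev)]

if __name__ == "__main__":
    for i, tid in scan(EVENTS):
        print(i, tid, detect(EVENTS[i]))
```

The benign cmstp.exe record (a .inf under System32) produces no hit, which is the distinction the CMSTP row relies on: the signed binary is normal, the profile location is not.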

Software

ID | Name | References | Techniques
S0154 | Cobalt Strike | [1][2][4][5][6][7][11][12] | Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0002 | Mimikatz | [2][3][4] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0284 | More_eggs | [1] | File Deletion, Remote File Copy, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0029 | PsExec | [2][4] | Service Execution, Windows Admin Shares
S0195 | SDelete | [3] | Code Signing, Data Destruction, File Deletion

References