Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims. [1] [2] [3] [4] [5] [6] [7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak. [8]

ID: G0080
Associated Groups: Cobalt Gang, Cobalt Spider
Version: 1.3
Created: 17 October 2018
Last Modified: 26 April 2021

Associated Group Descriptions

Name Description
Cobalt Gang

[1] [9][10]

Cobalt Spider

[9]

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Cobalt Group has bypassed UAC.[4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Cobalt Group has used HTTPS for C2.[1][3][4]

.004 Application Layer Protocol: DNS

Cobalt Group has used DNS tunneling for C2.[1][3][4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.[4]

Enterprise T1037 .001 Boot or Logon Initialization Scripts: Logon Script (Windows)

Cobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript.[10]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Cobalt Group has used powershell.exe to download and execute scripts.[1][2][3][4][7][11]

.003 Command and Scripting Interpreter: Windows Command Shell

Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.[10] The group has used an exploit toolkit known as Threadkit that launches .bat files.[1][2][4][10][12][11]

.005 Command and Scripting Interpreter: Visual Basic

Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.[1][2][4][10][12][11]

.007 Command and Scripting Interpreter: JavaScript

Cobalt Group has executed JavaScript scriptlets on the victim's machine.[1][2][4][10][12][11]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Cobalt Group has created new services to establish persistence.[4]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Cobalt Group has used the Plink utility to create SSH tunnels.[4]

Enterprise T1203 Exploitation for Client Execution

Cobalt Group had exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, CVE-2017-0199, and CVE-2017-8759.[1][2][3][5][6][7][9][11]

Enterprise T1068 Exploitation for Privilege Escalation

Cobalt Group has used exploits to increase their levels of rights and privileges.[4]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

Cobalt Group deleted the DLL dropper from the victim’s machine to cover their tracks.[1]

Enterprise T1105 Ingress Tool Transfer

Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.[2][3] The group's JavaScript backdoor is also capable of downloading files.[10]

Enterprise T1559 .002 Inter-Process Communication: Dynamic Data Exchange

Cobalt Group has sent malicious Word OLE compound documents to victims.[1]

Enterprise T1046 Network Service Scanning

Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning.[2][3][4]

Enterprise T1027 Obfuscated Files or Information

Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4.[1][10]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.[1][2][3][4][5][6][12][11]

.002 Phishing: Spearphishing Link

Cobalt Group has sent emails with URLs pointing to malicious documents.[1]

Enterprise T1055 Process Injection

Cobalt Group has injected code into trusted processes.[4]

Enterprise T1572 Protocol Tunneling

Cobalt Group has used the Plink utility to create SSH tunnels.[1][3][4]

Enterprise T1219 Remote Access Software

Cobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access, including to preserve remote access if a Cobalt Strike module was lost.[2][3][4]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Cobalt Group has used Remote Desktop Protocol to conduct lateral movement.[4]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Cobalt Group has created Windows tasks to establish persistence.[4]

Enterprise T1218 .003 Signed Binary Proxy Execution: CMSTP

Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script.[1][10][12]

.008 Signed Binary Proxy Execution: Odbcconf

Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.[11]

.010 Signed Binary Proxy Execution: Regsvr32

Cobalt Group has used regsvr32.exe to execute scripts.[1][10][11]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine.[10]

Enterprise T1195 .002 Supply Chain Compromise: Compromise Software Supply Chain

Cobalt Group has compromised legitimate web browser updates to deliver a backdoor. [13]

Enterprise T1204 .001 User Execution: Malicious Link

Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.[1][12]

.002 User Execution: Malicious File

Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.[1][12]

Enterprise T1220 XSL Script Processing

Cobalt Group used msxsl.exe to bypass AppLocker and to invoke Jscript code from an XSL file.[1]

Software

ID Name References Techniques
S0154 Cobalt Strike [1][2][4][5] [6][7][9][11] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Access Token Manipulation: Parent PID Spoofing, Access Token Manipulation: Make and Impersonate Token, Account Discovery: Domain Account, Application Layer Protocol, Application Layer Protocol: DNS, Application Layer Protocol: Web Protocols, BITS Jobs, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: JavaScript, Commonly Used Port, Create or Modify System Process: Windows Service, Data from Local System, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Encrypted Channel: Asymmetric Cryptography, Exploitation for Client Execution, Exploitation for Privilege Escalation, Impair Defenses: Disable or Modify Tools, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Man in the Browser, Modify Registry, Multiband Communication, Native API, Network Service Scanning, Network Share Discovery, Non-Application Layer Protocol, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, Office Application Startup: Office Template Macros, OS Credential Dumping: Security Account Manager, Process Discovery, Process Injection, Process Injection: Process Hollowing, Process Injection: Dynamic-link Library Injection, Protocol Tunneling, Proxy: Internal Proxy, Query Registry, Remote Services: SMB/Windows Admin Shares, Remote Services: Windows Remote Management, Remote Services: SSH, Remote Services: Remote Desktop Protocol, Remote Services: Distributed Component Object Model, Remote System Discovery, Scheduled Transfer, Screen Capture, Subvert Trust Controls: Code Signing, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Use Alternate Authentication Material: Pass the Hash, Valid Accounts: Local Accounts, Valid Accounts: Domain Accounts, Windows Management Instrumentation
S0002 Mimikatz [2][3][4] Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket
S0284 More_eggs [1][13] Application Layer Protocol: Web Protocols, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Deobfuscate/Decode Files or Information, Encrypted Channel: Symmetric Cryptography, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Signed Binary Proxy Execution: Regsvr32, Software Discovery: Security Software Discovery, Subvert Trust Controls: Code Signing, System Information Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Owner/User Discovery
S0029 PsExec [2][4] Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0195 SDelete [3] Data Destruction, Indicator Removal on Host: File Deletion

References