Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions. The group has conducted intrusions to steal money by targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims. [1] [2] [3] [4] [5] [6] [7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak. [8]

ID: G0080
Aliases: Cobalt Group, Cobalt Gang, Cobalt Spider
Version: 1.0

Alias Descriptions

Name | Description
Cobalt Group | [1] [2] [3] [5] [6] [7]
Cobalt Gang | [1] [9]
Cobalt Spider | [9]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1088 | Bypass User Account Control | Cobalt Group has bypassed UAC. [4]
Enterprise | T1191 | CMSTP | Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script. [1]
Enterprise | T1173 | Dynamic Data Exchange | Cobalt Group has sent malicious Word OLE compound documents to victims. [1]
Enterprise | T1203 | Exploitation for Client Execution | Cobalt Group has exploited multiple vulnerabilities for execution, including Microsoft's Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-2017-8570, and CVE-2017-0199. [1] [2] [3] [5] [6] [7] [9]
Enterprise | T1068 | Exploitation for Privilege Escalation | Cobalt Group has used exploits to increase their levels of rights and privileges. [4]
Enterprise | T1107 | File Deletion | Cobalt Group deleted the DLL dropper from the victim's machine to cover their tracks. [1]
Enterprise | T1046 | Network Service Scanning | Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning. [2] [3] [4]
Enterprise | T1050 | New Service | Cobalt Group has created new services to establish persistence. [4]
Enterprise | T1027 | Obfuscated Files or Information | Cobalt Group obfuscated several scriptlets and code used on the victim's machine, including through use of XOR. [1]
Enterprise | T1086 | PowerShell | Cobalt Group has used powershell.exe to download and execute scripts. [1] [2] [3] [4] [7]
Enterprise | T1055 | Process Injection | Cobalt Group has injected code into trusted processes. [4]
Enterprise | T1108 | Redundant Access | Cobalt Group has used TeamViewer to preserve remote access in case control using the Cobalt Strike module was lost. [4]
Enterprise | T1060 | Registry Run Keys / Startup Folder | Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike. [4]
Enterprise | T1117 | Regsvr32 | Cobalt Group used regsvr32.exe to execute scripts. [1]
Enterprise | T1219 | Remote Access Tools | Cobalt Group used the Ammyy Admin tool as well as TeamViewer for remote access. [2] [3] [4]
Enterprise | T1076 | Remote Desktop Protocol | Cobalt Group has used Remote Desktop Protocol to conduct lateral movement. [4]
Enterprise | T1105 | Remote File Copy | Cobalt Group uses public sites such as github.com and sendspace.com to upload files and then download them to victim computers. [2] [3]
Enterprise | T1053 | Scheduled Task | Cobalt Group has created Windows tasks to establish persistence. [4]
Enterprise | T1064 | Scripting | Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution. The group has also used an exploit toolkit known as Threadkit that launches .bat files. [1] [2] [4]
Enterprise | T1193 | Spearphishing Attachment | Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password-protected archives containing .exe and .scr executables. [1] [2] [3] [4] [5] [6]
Enterprise | T1192 | Spearphishing Link | Cobalt Group has sent emails with URLs pointing to malicious documents. [1]
Enterprise | T1071 | Standard Application Layer Protocol | Cobalt Group has used HTTPS and DNS tunneling for C2. The group has also used the Plink utility to create SSH tunnels. [1] [3] [4]
Enterprise | T1032 | Standard Cryptographic Protocol | Cobalt Group has used the Plink utility to create SSH tunnels. [4]
Enterprise | T1204 | User Execution | Cobalt Group has sent emails containing malicious attachments or links that require users to execute a file or macro to infect the victim machine. [1]
Enterprise | T1220 | XSL Script Processing | Cobalt Group used msxsl.exe to bypass AppLocker and to invoke JScript code from an XSL file. [1]

Software

ID | Name | Techniques
S0154 | Cobalt Strike | Access Token Manipulation, BITS Jobs, Bypass User Account Control, Command-Line Interface, Commonly Used Port, Connection Proxy, Credential Dumping, Custom Command and Control Protocol, Data from Local System, Distributed Component Object Model, Execution through API, Exploitation for Privilege Escalation, Indicator Removal from Tools, Input Capture, Man in the Browser, Multiband Communication, Network Service Scanning, Network Share Discovery, New Service, Pass the Hash, PowerShell, Process Discovery, Process Hollowing, Process Injection, Remote Desktop Protocol, Remote Services, Remote System Discovery, Scheduled Transfer, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Timestomp, Valid Accounts, Windows Admin Shares, Windows Management Instrumentation, Windows Remote Management
S0002 | Mimikatz | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0284 | More_eggs | File Deletion, Remote File Copy, Security Software Discovery, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery
S0029 | PsExec | Service Execution, Windows Admin Shares
S0195 | SDelete | Code Signing, File Deletion

References